Mandriva issued this advisory on January 21: http://lists.mandriva.com/security-announce/2011-01/msg00019.php Our package in Cauldron is also in need of an update.
Hi, thanks for reporting this bug. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
CC: (none) => balcaen.john, fundawang
Working on it for Mageia 1
Status: NEW => ASSIGNED
Hardware: i586 => All
Assignee: bugsquad => balcaen.john
Dear QA,

Could you please test the t1lib package:

src.rpm:
t1lib-5.1.2-9.1.mga1.src.rpm

x86_64:
lib64t1lib5-5.1.2-9.1.mga1.x86_64.rpm
lib64t1lib-devel-5.1.2-9.1.mga1.x86_64.rpm
lib64t1lib-static-devel-5.1.2-9.1.mga1.x86_64.rpm
t1lib-config-5.1.2-9.1.mga1.x86_64.rpm
t1lib-progs-5.1.2-9.1.mga1.x86_64.rpm

i586:
lib64t1lib5-5.1.2-9.1.mga1.i586.rpm
lib64t1lib-devel-5.1.2-9.1.mga1.i586.rpm
lib64t1lib-static-devel-5.1.2-9.1.mga1.i586.rpm
t1lib-config-5.1.2-9.1.mga1.i586.rpm
t1lib-progs-5.1.2-9.1.mga1.i586.rpm

Advisory:
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in t1lib 5.1.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.

This package provides a fix for this issue.
Status: ASSIGNED => NEW
Assignee: balcaen.john => qa-bugs
According to https://bugzilla.redhat.com/show_bug.cgi?id=666318 the exploit requires reading a .dvi file in evince with a malicious font installed, which doesn't seem to have been made public.

In trying to test evince with a .dvi file, I selected /usr/share/doc/iptraf/Documentation/manual.dvi from the iptraf package, but it doesn't display. Is that a badly formatted dvi file, or is support for dvi files a build time option that is disabled for the Mageia 1 version of evince? The evince program is working for pdf files.

According to "urpmq --whatrequires libt1lib5", it isn't required by evince, but is by abiword. Creating a document with abiword, and then running abiword to read the document under strace does show that it's loading /usr/lib/libt1.so.5, so it seems to be working ok.
CC: (none) => davidwhodgins
I just pushed another version with an additional CVE fix following oden's work.

src.rpm:
t1lib-5.1.2-9.2.mga1.src.rpm

x86_64:
lib64t1lib5-5.1.2-9.2.mga1.x86_64.rpm
lib64t1lib-devel-5.1.2-9.2.mga1.x86_64.rpm
lib64t1lib-static-devel-5.1.2-9.2.mga1.x86_64.rpm
t1lib-config-5.1.2-9.2.mga1.x86_64.rpm
t1lib-progs-5.1.2-9.1.mga1.x86_64.rpm

i586:
lib64t1lib5-5.1.2-9.2.mga1.i586.rpm
lib64t1lib-devel-5.1.2-9.2.mga1.i586.rpm
lib64t1lib-static-devel-5.1.2-9.2.mga1.i586.rpm
t1lib-config-5.1.2-9.2.mga1.i586.rpm
t1lib-progs-5.1.2-9.2.mga1.i586.rpm

New Advisory:
« Heap-based buffer overflow in the AFM font parser in the dvi-backend component in t1lib 5.1.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer (CVE-2010-2642).

An invalid pointer in conjunction with a dereference operation allows remote attackers to execute arbitrary code via a specially crafted Type 1 font in a PDF document (CVE-2011-0764).

This package contains fixes for both issues. »
Nice job catching the new CVE. I tested this on i586 with xpdf (looks like it's the only thing on my system that uses it). Created a doc in LibreOffice using Helvetica as the font (should be a URW Type 1 font), exported to PDF, and opened with xpdf. Looks fine.
x86_64

The following 5 packages are going to be installed:

- lib64t1lib-devel-5.1.2-9.2.mga1.x86_64
- lib64t1lib-static-devel-5.1.2-9.2.mga1.x86_64
- lib64t1lib5-5.1.2-9.2.mga1.x86_64
- t1lib-config-5.1.2-9.2.mga1.x86_64
- t1lib-progs-5.1.2-9.2.mga1.x86_64

$ strace -o strace.out abiword
$ grep t1 strace.out
open("/usr/lib64/libt1.so.5", O_RDONLY) = 7

$ rpm -qif /usr/lib64/libt1.so.5
Name        : lib64t1lib5                   Relocations: (not relocatable)
Version     : 5.1.2                         Vendor: Mageia.Org
Release     : 9.2.mga1                      Build Date: Tue 03 Jan 2012 11:11:52 GMT
Install Date: Mon 09 Jan 2012 10:34:42 GMT  Build Host: jonund
Group       : System/Libraries              Source RPM: t1lib-5.1.2-9.2.mga1.src.rpm

Testing complete x86_64

Update validated

Advisory
-----------------
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in t1lib 5.1.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer (CVE-2010-2642).

An invalid pointer in conjunction with a dereference operation allows remote attackers to execute arbitrary code via a specially crafted Type 1 font in a PDF document (CVE-2011-0764).

This package contains fixes for both issues.
-----------------

Source RPM: t1lib-5.1.2-9.2.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
update pushed
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
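
The strace and rpm check used during testing in this thread can be scripted so that failed library probes are not mistaken for a successful load. This is an added example, not part of the original bug report; the function names `loaded_libs`, `sample_trace` and `check_owner` are hypothetical, and the sample trace is constructed.

```shell
#!/bin/sh
# Added example: list the shared objects a traced process actually opened.
# Reads strace output on stdin; $1 is a soname prefix such as "libt1.so".
loaded_libs() {
    prefix=$1
    # Keep open()/openat() lines (optionally PID-prefixed, as with strace -f)
    # whose return value is a file descriptor, dropping failed probes such as
    # "= -1 ENOENT" that the dynamic loader makes while searching its path.
    grep -E '^([0-9]+ +)?open(at)?\(' |
        grep -E '\) += +[0-9]+' |
        sed -n 's/^[^"]*"\([^"]*\)".*$/\1/p' |
        grep -F "/$prefix" |
        sort -u
}

# Constructed sample of strace output (not taken from the bug report).
sample_trace() {
    cat <<'EOF'
open("/usr/lib64/tls/libt1.so.5", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libt1.so.5", O_RDONLY) = 7
openat(AT_FDCWD, "/usr/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
read(7, "\177ELF"..., 832) = 832
EOF
}

# Read library paths on stdin and confirm that the package owning each one
# matches the expected version-release string. Needs an RPM-based system.
check_owner() {
    expected=$1
    while read -r lib; do
        owner=$(rpm -qf "$lib") || return 1
        case $owner in
            *"$expected"*) echo "OK   $lib ($owner)" ;;
            *) echo "FAIL $lib ($owner)"; return 1 ;;
        esac
    done
}

# Usage on a test machine (assumed invocation):
#   strace -f -o strace.out abiword
#   loaded_libs libt1.so < strace.out | check_owner 5.1.2-9.2.mga1
```

A plain `grep t1 strace.out` also matches the failed `ENOENT` probes, so filtering on the return value is what shows which copy of the library was really mapped.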