Bug#773391: unblock: t1utils/1.38-3

Niels Thykier Wed, 17 Dec 2014 13:45:45 -0800

Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock


Please unblock package t1utils as it fixes a DoS (infinite loop) via a
crafted font package (#772774).  This indirectly affects Lintian as
well, because lintian uses t1disasm (from t1utils) to analyse some
font packages.

If you prefer, we can also defer this to post-Jessie given the bug is
not RC.  If so, let me know, so I can set the necessary tags and retitle
the bug accordingly.

unblock t1utils/1.38-3

The debdiff is below.  For reference, my original solution (mentioned
in the changelog) was to error out if the newly read "block_len" was
negative (due to an overflow).

Thanks,
~Niels


*** ../t1utils.debdiff
diff -Nru t1utils-1.38/debian/changelog t1utils-1.38/debian/changelog
--- t1utils-1.38/debian/changelog       2014-10-14 20:14:48.000000000 +0200
+++ t1utils-1.38/debian/changelog       2014-12-11 18:43:32.000000000 +0100
@@ -1,3 +1,19 @@
+t1utils (1.38-3) unstable; urgency=medium
+
+  * Replace the Debian patch for #772774 with upstreams
+    own version for the same issue.
+
+ -- Niels Thykier <[email protected]>  Thu, 11 Dec 2014 18:43:27 +0100
+
+t1utils (1.38-2) unstable; urgency=medium
+
+  * Apply patch to avoid infinite loop on some fonts files
+    in t1disasm.  Thanks to Jakub Wilk for reporting and the
+    "American fuzzy lop" tool for creating the crafted font
+    file.  (Closes: #772774)
+
+ -- Niels Thykier <[email protected]>  Thu, 11 Dec 2014 17:58:11 +0100
+
 t1utils (1.38-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru t1utils-1.38/debian/patches/commit-1b33735.patch 
t1utils-1.38/debian/patches/commit-1b33735.patch
--- t1utils-1.38/debian/patches/commit-1b33735.patch    1970-01-01 
01:00:00.000000000 +0100
+++ t1utils-1.38/debian/patches/commit-1b33735.patch    2014-12-11 
18:38:40.000000000 +0100
@@ -0,0 +1,71 @@
+From 1b3373527dd2c8928e9db7cbfd7cde4d70b85fe5 Mon Sep 17 00:00:00 2001
+From: Eddie Kohler <[email protected]>
+Date: Thu, 11 Dec 2014 12:33:11 -0500
+Subject: [PATCH] Fix infinite loop reported by Jakup Wilk via Niels Thykier.
+
+---
+ t1lib.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/t1lib.c b/t1lib.c
+index 6b49a19..f34fa0a 100644
+--- a/t1lib.c
++++ b/t1lib.c
+@@ -244,9 +244,9 @@ void
+ process_pfb(FILE *ifp, const char *ifp_filename, struct font_reader *fr)
+ {
+   int blocktyp = 0;
+-  int block_len = 0;
++  unsigned block_len = 0;
+   int c = 0;
+-  int filepos = 0;
++  unsigned filepos = 0;
+   int linepos = 0;
+   char line[LINESIZE];
+ 
+@@ -260,7 +260,7 @@ process_pfb(FILE *ifp, const char *ifp_filename, struct 
font_reader *fr)
+       if (c == EOF || blocktyp == EOF)
+         error("%s corrupted: no end-of-file marker", ifp_filename);
+       else
+-        error("%s corrupted: bad block marker at position %d",
++        error("%s corrupted: bad block marker at position %u",
+               ifp_filename, filepos);
+       blocktyp = PFB_DONE;
+       }
+@@ -270,9 +270,9 @@ process_pfb(FILE *ifp, const char *ifp_filename, struct 
font_reader *fr)
+       block_len = getc(ifp) & 0xFF;
+       block_len |= (getc(ifp) & 0xFF) << 8;
+       block_len |= (getc(ifp) & 0xFF) << 16;
+-      block_len |= (getc(ifp) & 0xFF) << 24;
++      block_len |= (unsigned) (getc(ifp) & 0xFF) << 24;
+       if (feof(ifp)) {
+-      error("%s corrupted: bad block length at position %d",
++      error("%s corrupted: bad block length at position %u",
+             ifp_filename, filepos);
+       blocktyp = PFB_DONE;
+       goto done;
+@@ -282,11 +282,11 @@ process_pfb(FILE *ifp, const char *ifp_filename, struct 
font_reader *fr)
+ 
+     /* read the block in its entirety, in LINESIZE chunks */
+     while (block_len > 0) {
+-      int rest = LINESIZE - 1 - linepos; /* leave space for '\0' */
+-      int n = (block_len > rest ? rest : block_len);
++      unsigned rest = LINESIZE - 1 - linepos; /* leave space for '\0' */
++      unsigned n = (block_len > rest ? rest : block_len);
+       int actual = fread(line + linepos, 1, n, ifp);
+-      if (actual != n) {
+-      error("%s corrupted: block short by %d bytes at position %d",
++      if (actual != (int) n) {
++      error("%s corrupted: block short by %u bytes at position %u",
+             ifp_filename, block_len - actual, filepos);
+       block_len = actual;
+       }
+@@ -311,7 +311,7 @@ process_pfb(FILE *ifp, const char *ifp_filename, struct 
font_reader *fr)
+  done:
+   c = getc(ifp);
+   if (c != EOF)
+-    error("%s corrupted: data after PFB end marker at position %d",
++    error("%s corrupted: data after PFB end marker at position %u",
+         ifp_filename, filepos - 2);
+   fr->output_end();
+ }
diff -Nru t1utils-1.38/debian/patches/series t1utils-1.38/debian/patches/series
--- t1utils-1.38/debian/patches/series  1970-01-01 01:00:00.000000000 +0100
+++ t1utils-1.38/debian/patches/series  2014-12-11 18:39:20.000000000 +0100
@@ -0,0 +1 @@
+commit-1b33735.patch


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: 
https://lists.debian.org/[email protected]

Bug#773391: unblock: t1utils/1.38-3

Reply via email to