Package: t1lib
Version: 5.1.2-3.4
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch
Dear Maintainer,
In Ubuntu, the attached patch was applied to achieve the following:
* SECURITY UPDATE: fix denial of service via oversized fonts
- debian/patches/CVE-2011-1552_1553_1554.patch: add additional tests to
address remaining crashes
- CVE-2011-1552
- CVE-2011-1553
- CVE-2011-1554
* SECURITY UPDATE: fix heap-based buffer overflow via AFM font parser
- update debian/patches/series to apply CVE-2010-2642.patch which was
mistakenly not updated in 5.1.2-3.4
- CVE-2010-2642
- CVE-2011-0433
Debian took the Ubuntu patch for CVE-2011-0764 (which is great). RedHat
later fixed the remaining open CVEs with a patch landing in Fedora's
http://koji.fedoraproject.org/koji/buildinfo?buildID=282529. I then
verified all the patches in Debian against Fedora's patchset and came up
with this patch against 5.1.2-3.4. While Debian included an equivalent
patch for CVE-2010-2642 (which also fixes CVE-2011-0433), it was not
added to the debian/patches/series file, so it wasn't applied during the
build. The attached debdiff should bring unstable up to date on these
issues.
Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers precise-updates
APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500,
'precise')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-8-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u t1lib-5.1.2/debian/changelog t1lib-5.1.2/debian/changelog
diff -u t1lib-5.1.2/debian/control t1lib-5.1.2/debian/control
--- t1lib-5.1.2/debian/control
+++ t1lib-5.1.2/debian/control
@@ -1,7 +1,8 @@
Source: t1lib
Section: libs
Priority: optional
-Maintainer: Ruben Molina
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Ruben Molina
Build-Depends: cdbs, debhelper (>= 7), autotools-dev, libice-dev, libsm-dev, libx11-dev, libxext-dev, libxaw7-dev, quilt
Standards-Version: 3.8.0
Homepage: ftp://sunsite.unc.edu/pub/Linux/libs/graphics/
diff -u t1lib-5.1.2/debian/patches/series t1lib-5.1.2/debian/patches/series
--- t1lib-5.1.2/debian/patches/series
+++ t1lib-5.1.2/debian/patches/series
@@ -6,0 +7,2 @@
+CVE-2011-1552_1553_1554.patch
+CVE-2010-2642.patch
only in patch2:
unchanged:
--- t1lib-5.1.2.orig/debian/patches/CVE-2011-1552_1553_1554.patch
+++ t1lib-5.1.2/debian/patches/CVE-2011-1552_1553_1554.patch
@@ -0,0 +1,133 @@
+Author: Jaroslav Škarvada
+Description: Fix more crashes on oversized fonts
+Bug-Redhat: http://bugzilla.redhat.com/show_bug.cgi?id=692909
+Index: t1lib-5.1.2/lib/type1/lines.c
+===
+--- t1lib-5.1.2.orig/lib/type1/lines.c 2007-12-23 09:49:42.0 -0600
t1lib-5.1.2/lib/type1/lines.c 2012-01-17 14:15:08.0 -0600
+@@ -67,6 +67,10 @@
+ None.
+ */
+
++#define BITS (sizeof(LONG)*8)
++#define HIGHTEST(p) (((p)>>(BITS-2)) != 0) /* includes sign bit */
++#define TOOBIG(xy) ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
++
+ /*
+ :h2.StepLine() - Produces Run Ends for a Line After Checks
+
+@@ -84,6 +88,9 @@
+IfTrace4((LineDebug > 0), ".StepLine: (%d,%d) to (%d,%d)\n",
+ x1, y1, x2, y2);
+
++ if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
++ abort("Lines this big not supported", 49);
++
+dy = y2 - y1;
+
+ /*
+Index: t1lib-5.1.2/lib/type1/objects.c
+===
+--- t1lib-5.1.2.orig/lib/type1/objects.c 2007-12-23 09:49:42.0 -0600
t1lib-5.1.2/lib/type1/objects.c 2012-01-17 14:15:08.0 -0600
+@@ -1137,12 +1137,13 @@
+ "Context: out of them", /* 46 */
+ "MatrixInvert: can't", /* 47 */
+ "xiStub called", /* 48 */
+-"Illegal access type1 abort() message" /* 49 */
++"Lines this big not supported", /* 49 */
++"Illegal access type1 abort() message" /* 50 */
+ };
+
+- /* no is valid from 1 to 48 */
+- if ( (number<1)||(number>48))
+-number=49;
++ /* no is valid from 1 to 49 */
++ if ( (number<1)||(number>49))
++number=50;
+ return( err_msgs[number-1]);
+
+ }
+Index: t1lib-5.1.2/lib/type1/type1.c
+===
+--- t1lib-5.1.2.orig/lib/type1/type1.c 2012-01-17 14:13:28.0 -0600
t1lib-5.1.2/lib/type1/type1.c 2012-01-17 14:19:54.0 -0600
+@@ -1012,6 +1012,7 @@
+ double nextdtana = 0.0; /* tangent of post-delta against horizontal line */
+ double nextdtanb = 0.0; /* tangent of post-delta against vertical line */
+
++ if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");
+
+ /* setup default hinted position *