Bug#656278: t1lib: [PATCH] fixes for remaining CVEs

2012-01-18 Thread Yves-Alexis Perez
On Wed., 2012-01-18 at 07:47 -0600, Jamie Strandboge wrote:
> Well, Marc from my team developed the patch for 0764 based on the only
> PoC we were given, and we coordinated that fix (as you know). RedHat in
> bug https://bugzilla.redhat.com/show_bug.cgi?id=692909 (see comment #17)
> then fixed the remaining crashes. I was under the impression that they
> had more PoCs, they did more bounds checking in their patch, and they
> actively said all the issues were fixed by their patch. The patches seem
> sane, so I am applying them and will be pushing them out to our stable
> releases this week. 

What puzzled me is that, in the bug report (c23) they seem to say that
the patch (included in the DSA 2388) is enough for 0764 and 155{2,3,4}.

But in the end, the patch that got included was /not/ the patch they
talk about (I missed that). So indeed, I'll prepare a new upload for
Lenny and Squeeze with the final patch.

Regards,
-- 
Yves-Alexis




Bug#656278: t1lib: [PATCH] fixes for remaining CVEs

2012-01-17 Thread Yves-Alexis Perez
On Tue., 2012-01-17 at 17:38 -0600, Jamie Strandboge wrote:
> Package: t1lib
> Version: 5.1.2-3.4
> Severity: grave
> Tags: patch security
> Justification: user security hole
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu precise ubuntu-patch
> 
> Dear Maintainer,
> 
> In Ubuntu, the attached patch was applied to achieve the following:
> 
>   * SECURITY UPDATE: fix denial of service via oversized fonts
> - debian/patches/CVE-2011-1552_1553_1554.patch: add additional tests to
>   address remaining crashes
> - CVE-2011-1552
> - CVE-2011-1553
> - CVE-2011-1554
>   * SECURITY UPDATE: fix heap-based buffer overflow via AFM font parser
> - update debian/patches/series to apply CVE-2010-2642.patch which was
>   mistakenly not updated in 5.1.2-3.4
> - CVE-2010-2642
> - CVE-2011-0433
> 
> 
> Debian took the Ubuntu patch for CVE-2011-0764 (which is great). RedHat
> later fixed the remaining open CVEs with a patch landing in Fedora's
> http://koji.fedoraproject.org/koji/buildinfo?buildID=282529. I then
> verified all the patches in Debian against Fedora's patchset and came up
> with this patch against 5.1.2-3.4. While Debian included an equivalent
> patch for CVE-2010-2642 (which also fixes CVE-2011-0433), it was not
> added to the debian/patches/series file, so it wasn't applied during the
> build. The attached debdiff should bring unstable up to date on these
> issues.
> 

Damn, you're perfectly right, my fault.

I'm still a bit puzzled by the 155{2,3,4} patch. It seemed like the
patch for 0764 was fixing them too, but in the end it's not the case?

Regards,
-- 
Yves-Alexis




Bug#656278: t1lib: [PATCH] fixes for remaining CVEs

2012-01-17 Thread Jamie Strandboge
Package: t1lib
Version: 5.1.2-3.4
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: fix denial of service via oversized fonts
- debian/patches/CVE-2011-1552_1553_1554.patch: add additional tests to
  address remaining crashes
- CVE-2011-1552
- CVE-2011-1553
- CVE-2011-1554
  * SECURITY UPDATE: fix heap-based buffer overflow via AFM font parser
- update debian/patches/series to apply CVE-2010-2642.patch which was
  mistakenly not updated in 5.1.2-3.4
- CVE-2010-2642
- CVE-2011-0433


Debian took the Ubuntu patch for CVE-2011-0764 (which is great). RedHat
later fixed the remaining open CVEs with a patch landing in Fedora's
http://koji.fedoraproject.org/koji/buildinfo?buildID=282529. I then
verified all the patches in Debian against Fedora's patchset and came up
with this patch against 5.1.2-3.4. While Debian included an equivalent
patch for CVE-2010-2642 (which also fixes CVE-2011-0433), it was not
added to the debian/patches/series file, so it wasn't applied during the
build. The attached debdiff should bring unstable up to date on these
issues.

Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-8-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u t1lib-5.1.2/debian/changelog t1lib-5.1.2/debian/changelog
diff -u t1lib-5.1.2/debian/control t1lib-5.1.2/debian/control
--- t1lib-5.1.2/debian/control
+++ t1lib-5.1.2/debian/control
@@ -1,7 +1,8 @@
 Source: t1lib
 Section: libs
 Priority: optional
-Maintainer: Ruben Molina 
+Maintainer: Ubuntu Developers 
+XSBC-Original-Maintainer: Ruben Molina 
 Build-Depends: cdbs, debhelper (>= 7), autotools-dev, libice-dev, libsm-dev, libx11-dev, libxext-dev, libxaw7-dev, quilt
 Standards-Version: 3.8.0
 Homepage: ftp://sunsite.unc.edu/pub/Linux/libs/graphics/
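Review bot: the Maintainer change in this hunk (`-Maintainer: Ruben Molina` / `+Maintainer: Ubuntu Developers` plus the added `XSBC-Original-Maintainer` line) is Ubuntu packaging policy, not part of the security fix, and should be dropped when the debdiff is applied to the Debian package; only the debian/patches changes below need to be carried over. Note also that the `diff -u t1lib-5.1.2/debian/changelog` line above has no hunk body in this message, so the Debian changelog entry will have to be written by the uploader.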
diff -u t1lib-5.1.2/debian/patches/series t1lib-5.1.2/debian/patches/series
--- t1lib-5.1.2/debian/patches/series
+++ t1lib-5.1.2/debian/patches/series
@@ -6,0 +7,2 @@
+CVE-2011-1552_1553_1554.patch
+CVE-2010-2642.patch
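Review bot: `+CVE-2010-2642.patch` is the actual fix for the regression described in the report (the patch file existed in debian/patches but was never listed in series, so quilt silently skipped it in the 5.1.2-3.4 build); since the hunk appends both entries after line 6, they are applied last in series order, so confirm they still apply cleanly on top of the patches already listed rather than only against pristine upstream. `+CVE-2011-1552_1553_1554.patch` is a new file introduced in the `only in patch2:` section below, so the series change and that file must land together or the build fails on a missing patch.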
only in patch2:
unchanged:
--- t1lib-5.1.2.orig/debian/patches/CVE-2011-1552_1553_1554.patch
+++ t1lib-5.1.2/debian/patches/CVE-2011-1552_1553_1554.patch
@@ -0,0 +1,133 @@
+Author: Jaroslav Škarvada 
+Description: Fix more crashes on oversized fonts
+Bug-Redhat: http://bugzilla.redhat.com/show_bug.cgi?id=692909
+Index: t1lib-5.1.2/lib/type1/lines.c
+===
+--- t1lib-5.1.2.orig/lib/type1/lines.c	2007-12-23 09:49:42.0 -0600
 t1lib-5.1.2/lib/type1/lines.c	2012-01-17 14:15:08.0 -0600
+@@ -67,6 +67,10 @@
+ None.
+ */
+  
++#define  BITS (sizeof(LONG)*8)
++#define  HIGHTEST(p)  (((p)>>(BITS-2)) != 0)  /* includes sign bit */
++#define  TOOBIG(xy)   ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
++
+ /*
+ :h2.StepLine() - Produces Run Ends for a Line After Checks
+  
+@@ -84,6 +88,9 @@
+IfTrace4((LineDebug > 0), ".StepLine: (%d,%d) to (%d,%d)\n",
+ x1, y1, x2, y2);
+  
++  if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
++  abort("Lines this big not supported", 49);
++
+dy = y2 - y1;
+  
+ /*
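Review bot: the macro arguments in `+#define  TOOBIG(xy)   ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))` are not parenthesized, so an expression argument such as `x2 - x1` would expand `-xy` to `-x2 - x1`; the StepLine call site only passes plain variables today, but `(((xy) < 0) ? HIGHTEST(-(xy)) : HIGHTEST((xy)))` is the safe form. Separately, `HIGHTEST(-xy)` negates a signed LONG, which overflows for the most negative value and is undefined behaviour in C even though the high bits of the wrapped result still trip the check in practice; comparing the magnitude against an explicit bound (or casting to unsigned before the shift) avoids relying on that.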
+Index: t1lib-5.1.2/lib/type1/objects.c
+===
+--- t1lib-5.1.2.orig/lib/type1/objects.c	2007-12-23 09:49:42.0 -0600
 t1lib-5.1.2/lib/type1/objects.c	2012-01-17 14:15:08.0 -0600
+@@ -1137,12 +1137,13 @@
+ "Context:  out of them", /* 46 */
+ "MatrixInvert:  can't", /* 47 */
+ "xiStub called", /* 48 */
+-"Illegal access type1 abort() message" /* 49 */
++"Lines this big not supported", /* 49 */
++"Illegal access type1 abort() message" /* 50 */
+   };
+ 
+-  /* no is valid from 1 to 48 */
+-  if ( (number<1)||(number>48))
+-number=49;
++  /* no is valid from 1 to 49 */
++  if ( (number<1)||(number>49))
++number=50;
+   return( err_msgs[number-1]);
+ 
+ }
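Review bot: the message table now has 50 entries (`+"Lines this big not supported", /* 49 */` is inserted ahead of the fallback, now `/* 50 */`), so the `err_msgs` declaration, which lies outside this hunk, must be unbounded (`[]`) or have its size raised, otherwise the new initializer overruns the array; the range check `(number>49)` and the fallback `number=50` were updated consistently. The literal 49 here and in `abort("Lines this big not supported", 49)` in the lines.c hunk are kept in sync by hand; a shared constant would keep them from drifting in a future edit.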
+Index: t1lib-5.1.2/lib/type1/type1.c
+===
+--- t1lib-5.1.2.orig/lib/type1/type1.c	2012-01-17 14:13:28.0 -0600
 t1lib-5.1.2/lib/type1/type1.c	2012-01-17 14:19:54.0 -0600
+@@ -1012,6 +1012,7 @@
+   double nextdtana = 0.0;   /* tangent of post-delta against horizontal line */ 
+   double nextdtanb = 0.0;   /* tangent of post-delta against vertical line */ 
+   
++  if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");
+  
+   /* setup default hinted position *
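Review bot: the added guard `if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");` is placed after the local declarations and before the array is first used, which is the right spot, but this hunk shows neither what `Error0v` does on return nor whether FindStems has state to clean up, so confirm it returns from the function rather than only logging. The message is also cut off here: the outer header `@@ -0,0 +1,133 @@` promises 133 lines of CVE-2011-1552_1553_1554.patch and only about 60 are shown, so the remainder of the patch cannot be reviewed from this copy.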