Bug 1218365 (CVE-2015-3905)
| Summary: | CVE-2015-3905 t1utils: buffer overflow flaw | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | carnil, jamatos, mprpic, redhat-bugzilla |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | t1utils 1.39 | Doc Type: | Bug Fix |
| Doc Text: | A buffer overflow flaw was found in the way t1utils processed certain PFB (Printer Font Binary) files. An attacker could use this flaw to potentially execute arbitrary code by tricking a user into processing a specially crafted PFB file with t1utils. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-06-11 21:04:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1218366, 1218367 | | |
| Bug Blocks: | 1220681 | | |
Description (Martin Prpič, 2015-05-04 17:58:30 UTC)

Comment 1
Created t1utils tracking bugs for this issue:
Affects: fedora-all [bug 1218366]
Affects: epel-all [bug 1218367]

Comment 2 (Robert Scheck)
Martin, this is not really epel-all, the "t1utils" package is part of RHEL 7, thus I am unpushing my EPEL 7 update now. This flaw also needs to be fixed in RHEL 7.

Comment 3
See also bug #1218367 comment #6 and #7.

Comment 4
t1utils-1.39-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 (Martin Prpič)
(In reply to Robert Scheck from comment #2)
> Martin, this is not really epel-all, the "t1utils" package is part of RHEL 7,
> thus I am unpushing my EPEL 7 update now. This flaw also needs to be fixed in
> RHEL 7.

Thanks, Robert. I amended the whiteboard. This package should also be removed from EPEL 7 then.

Comment 6
(In reply to Martin Prpic from comment #5)
> Thanks, Robert. I amended the whiteboard. This package should also be
> removed from EPEL 7 then.

Yes. Is t1utils part of all RHEL architectures that EPEL supports? Or just the usual x86_64 thing? Otherwise I would have to import the RHEL srpm for EPEL ppc64.

Comment 7
This may be more critical than expected. It's a global buffer overflow, which none of the usual buffer overflow stoppers seem to catch.

In t1disasm.c, global variables:

>  76 static FILE *ofp;
>  77 static int lenIV = 4;
>  78 static char cs_start[10];
>  79 static int unknown = 0;

> 105 set_cs_start(char *line)
> 106 {
> 107     char *p, *q, *r;
> 108
> 109     if ((p = strstr(line, "string currentfile"))) {
> 110         /* enforce presence of `readstring' -- 5/29/99 */
> 111         if (!strstr(line, "readstring"))
> 112             return;
> 113         /* locate the name of the charstring start command */
> 114         *p = '\0';      /* damage line[] */
> 115         q = strrchr(line, '/');
> 116         if (q) {
> 117             r = cs_start;
> 118             ++q;
> 119             while (!isspace(*q) && *q != '{')
> 120                 *r++ = *q++;
> 121             *r = '\0';
> 122         }
> 123         *p = 's';       /* repair line[] */
> 124     }
> 125 }

The interesting parts are lines 119 and 120. The loop will continue to copy whatever is in line into the global cs_start until a space-ish or '{' character is encountered, without paying any attention to the buffer space available in cs_start. This allows for FILE* ofp to be overwritten. This might be enough to gain code execution, although I haven't confirmed that part. For now I'm bumping this up to moderate.

Comment 8
Statement: Red Hat Product Security has rated this issue as having moderate security impact; a future update may address this flaw in t1utils.

Comment 9
t1utils-1.39-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10
t1utils-1.39-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11
t1utils-1.39-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12
t1utils-1.39-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-3905
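The set_cs_start() analysis quoted above can be exercised without a real font file. The C program below is an added example written for this page; it is not t1utils code and not the upstream 1.39 patch. It keeps the unbounded copy loop from the quoted source but points it at an arena whose first ten bytes stand in for the global cs_start, so the overrun lands in memory the program owns and can be counted, and it places a bounded version next to it. Both input lines are constructed: the benign one uses the /RD convention found in Type 1 font prologues, the crafted one a 30-byte command name. The decision to reject an over-long name rather than truncate it, and the extra stop at NUL, are this example's choices, not upstream's.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the global cs_start[] in t1disasm.c, per the source quoted above. */
#define CS_START_LEN 10

/* Constructed sample lines (not taken from any real font): a normal
 * charstring-start definition and one with an overlong command name. */
static const char BENIGN_LINE[] =
    "/RD {string currentfile exch readstring pop} executeonly def";
static const char CRAFTED_LINE[] =
    "/" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"       /* 30-byte name */
    " {string currentfile exch readstring pop} executeonly def";

/*
 * Same structure as set_cs_start() in t1utils before 1.39.  The first
 * CS_START_LEN bytes of `arena` play the role of the global cs_start; the
 * bytes after them stand in for whatever the linker placed next (in the
 * real binary, `unknown` and the FILE *ofp).  The loop is the one from the
 * quoted source: it stops only at whitespace or '{', never at the end of
 * cs_start.  Returns the number of bytes written (including the NUL), so
 * the caller can see how far past CS_START_LEN the copy went.  The arena
 * must be longer than the line so the overrun stays inside memory we own.
 */
static size_t set_cs_start_vulnerable(char *arena, size_t arena_len, char *line)
{
    char *cs_start = arena, *p, *q, *r = cs_start;

    if (arena_len <= strlen(line))
        return 0;                            /* demo precondition only */
    if ((p = strstr(line, "string currentfile")) == NULL)
        return 0;
    if (!strstr(line, "readstring"))
        return 0;
    *p = '\0';                               /* damage line[] */
    if ((q = strrchr(line, '/')) != NULL) {
        ++q;
        while (!isspace((unsigned char)*q) && *q != '{')
            *r++ = *q++;                     /* unbounded copy: the CVE */
        *r = '\0';
    }
    *p = 's';                                /* repair line[] */
    return q ? (size_t)(r - cs_start) + 1 : 0;
}

/*
 * Bounded version written for this note (not a quote of the upstream fix).
 * Stops at the NUL that `*p = '\0'` plants and rejects a name that does not
 * fit instead of silently truncating it.  Returns 1 if cs_start was set,
 * 0 if the line is not a charstring-start definition, -1 if name too long.
 */
static int set_cs_start_hardened(char *cs_start, size_t cs_len, char *line)
{
    char *p, *q, *r, *end = cs_start + cs_len - 1;   /* leave room for NUL */
    int rc = 0;

    if ((p = strstr(line, "string currentfile")) == NULL)
        return 0;
    if (!strstr(line, "readstring"))
        return 0;
    *p = '\0';
    if ((q = strrchr(line, '/')) != NULL) {
        r = cs_start;
        ++q;
        while (*q != '\0' && !isspace((unsigned char)*q) && *q != '{') {
            if (r == end) {                  /* would overflow: reject */
                rc = -1;
                break;
            }
            *r++ = *q++;
        }
        if (rc == -1) {
            cs_start[0] = '\0';
        } else {
            *r = '\0';
            rc = 1;
        }
    }
    *p = 's';
    return rc;
}

/* Run the old loop on a copy of `src`; returns bytes written to the arena. */
size_t vulnerable_bytes_written(const char *src)
{
    char line[256], arena[256];
    if (strlen(src) >= sizeof line) return 0;
    strcpy(line, src);
    memset(arena, 0, sizeof arena);
    return set_cs_start_vulnerable(arena, sizeof arena, line);
}

/* Run the bounded loop on a copy of `src`; name lands in `out`. */
int hardened_result(const char *src, char out[CS_START_LEN])
{
    char line[256], cs_start[CS_START_LEN] = "";
    int rc;
    if (strlen(src) >= sizeof line) { out[0] = '\0'; return 0; }
    strcpy(line, src);
    rc = set_cs_start_hardened(cs_start, sizeof cs_start, line);
    strcpy(out, cs_start);
    return rc;
}

int main(void)
{
    char name[CS_START_LEN];
    int rc;
    printf("benign:  old loop wrote %zu bytes into a %d-byte buffer\n",
           vulnerable_bytes_written(BENIGN_LINE), CS_START_LEN);
    printf("crafted: old loop wrote %zu bytes into a %d-byte buffer\n",
           vulnerable_bytes_written(CRAFTED_LINE), CS_START_LEN);
    rc = hardened_result(BENIGN_LINE, name);
    printf("hardened(benign)  rc=%d name=\"%s\"\n", rc, name);
    rc = hardened_result(CRAFTED_LINE, name);
    printf("hardened(crafted) rc=%d name=\"%s\"\n", rc, name);
    return 0;
}
```

Build with `cc -Wall demo.c` and run: the crafted line makes the old loop write 31 bytes into a 10-byte region, 21 of them into whatever follows cs_start. Because cs_start lives in .bss rather than on the stack, a stack protector never sees this write, which is why the comment notes that the usual stoppers do not catch it; AddressSanitizer instruments globals and would report it.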