Bug 1218365 (CVE-2015-3905)

Summary: CVE-2015-3905 t1utils: buffer overflow flaw
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, jamatos, mprpic, redhat-bugzilla
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: t1utils 1.39
Doc Type: Bug Fix
Doc Text:
A buffer overflow flaw was found in the way t1utils processed, for example, certain PFB (Printer Font Binary) files. An attacker could use this flaw to potentially execute arbitrary code by tricking a user into processing a specially crafted PFB file with t1utils.
Story Points: ---
Last Closed: 2021-06-11 21:04:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1218366, 1218367
Bug Blocks: 1220681

Description Martin Prpič 2015-05-04 17:58:30 UTC
The 1.39 release of t1utils fixed a buffer overflow flaw:

https://github.com/kohler/t1utils/blob/master/NEWS

Additional details (including a reproducer):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274

Comment 1 Martin Prpič 2015-05-04 17:59:03 UTC
Created t1utils tracking bugs for this issue:

Affects: fedora-all [bug 1218366]
Affects: epel-all [bug 1218367]

Comment 2 Robert Scheck 2015-05-09 14:01:54 UTC
Martin, this is not really epel-all, the "t1utils" package is part of RHEL 7,
thus I am unpushing my EPEL 7 update now. This flaw also needs to be fixed in
RHEL 7.

Comment 3 Robert Scheck 2015-05-09 14:02:26 UTC
See also bug #1218367 comment #6 and #7

Comment 4 Fedora Update System 2015-05-11 19:02:30 UTC
t1utils-1.39-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Martin Prpič 2015-05-12 08:02:44 UTC
(In reply to Robert Scheck from comment #2)
> Martin, this is not really epel-all, the "t1utils" package is part of RHEL 7,
> thus I am unpushing my EPEL 7 update now. This flaw also needs to be fixed in
> RHEL 7.

Thanks, Robert. I amended the whiteboard. This package should also be removed from EPEL 7 then.

Comment 6 Robert Scheck 2015-05-12 18:21:50 UTC
(In reply to Martin Prpic from comment #5)
> Thanks, Robert. I amended the whiteboard. This package should also be
> removed from EPEL 7 then.

Yes. Is t1utils part of all RHEL architectures that EPEL supports? Or just
the usual x86_64 thing? Otherwise I would have to import the RHEL srpm for
EPEL ppc64.

Comment 7 Stefan Cornelius 2015-05-13 06:36:18 UTC
This may be more critical than expected. It's a global buffer overflow, which none of the usual buffer overflow stoppers seem to catch.

In t1disasm.c:

global variables:
>     76 static FILE *ofp;
>     77 static int lenIV = 4;
>     78 static char cs_start[10];
>     79 static int unknown = 0;

>    105 set_cs_start(char *line)
>    106 {
>    107   char *p, *q, *r;
>    108 
>    109   if ((p = strstr(line, "string currentfile"))) {
>    110     /* enforce presence of `readstring' -- 5/29/99 */
>    111     if (!strstr(line, "readstring"))
>    112       return;
>    113     /* locate the name of the charstring start command */
>    114     *p = '\0';					  /* damage line[] */
>    115     q = strrchr(line, '/');
>    116     if (q) {
>    117       r = cs_start;
>    118       ++q;
>    119       while (!isspace(*q) && *q != '{')
>    120 	*r++ = *q++;
>    121       *r = '\0';
>    122     }
>    123     *p = 's';					  /* repair line[] */
>    124   }
>    125 }

The interesting parts are line 119 and 120. The loop will continue to copy whatever is in line into the global cs_start until a space-ish or '{' character is encountered, without paying any attention to the buffer space available in cs_start. This allows for FILE* ofp to be overwritten. This might be enough to gain code execution, although I haven't confirmed that part.

For now I'm bumping this up to moderate.
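The defect in the quoted loop is that `*r++ = *q++` copies until a delimiter with no regard for the 10-byte size of `cs_start`, so a long name in a crafted font file writes past the array into the adjacent globals. Below is an added example, not the upstream patch or any t1utils code, of how the same name-copy step looks once it is bounded by `sizeof(cs_start) - 1`; the function name `set_cs_start_bounded`, the `truncated` out-parameter, the accessor `cs_start_name` and the sample font lines are all assumptions constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Same 10-byte global as in t1disasm.c, so the example exercises the
 * same size limit the original code ignored. */
static char cs_start[10];

/* Accessor so callers (and tests) can read the copied name. */
const char *cs_start_name(void)
{
    return cs_start;
}

/* Bounded rewrite of the name-copy step (example code, not the upstream fix).
 * Returns 1 when the line carried a "/name ... string currentfile ... readstring"
 * definition and a name was copied, 0 otherwise. If 'truncated' is non-NULL it
 * is set to 1 when the name did not fit and was cut at sizeof(cs_start) - 1. */
int set_cs_start_bounded(char *line, int *truncated)
{
    char *p, *q;
    size_t n = 0;
    const size_t max = sizeof(cs_start) - 1;   /* leave room for the NUL */

    if (truncated)
        *truncated = 0;

    p = strstr(line, "string currentfile");
    if (!p)
        return 0;
    /* enforce presence of `readstring', as the original does */
    if (!strstr(line, "readstring"))
        return 0;

    *p = '\0';                          /* temporarily cut line[] */
    q = strrchr(line, '/');
    if (q) {
        ++q;
        /* stop at NUL, whitespace or '{'; never write beyond 'max' bytes */
        while (*q && !isspace((unsigned char)*q) && *q != '{') {
            if (n < max)
                cs_start[n++] = *q;
            else if (truncated)
                *truncated = 1;         /* excess bytes are dropped, not written */
            ++q;
        }
        cs_start[n] = '\0';
    }
    *p = 's';                           /* repair line[] */
    return q != NULL;
}
```

The explicit `*q` check also closes a second gap in the quoted loop: after `*p = '\0'` the original stops only at whitespace or `{`, so a name that runs up to the cut point would step over the NUL and keep copying. Returning a truncation flag instead of silently clipping lets a caller decide whether an over-long charstring start command should be treated as a malformed font.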

Comment 9 Stefan Cornelius 2015-05-15 09:03:20 UTC
Upstream patch:
https://github.com/kohler/t1utils/commit/6b9d1aafcb61a3663c883663eb19ccdbfcde8d33

Comment 10 Stefan Cornelius 2015-05-15 09:04:58 UTC
Statement:

Red Hat Product Security has rated this issue as having moderate security impact; a future update may address this flaw in t1utils.

Comment 11 Fedora Update System 2015-05-17 06:39:08 UTC
t1utils-1.39-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-05-17 06:39:19 UTC
t1utils-1.39-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2015-05-21 05:12:03 UTC
t1utils-1.39-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-05-21 05:12:56 UTC
t1utils-1.39-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Product Security DevOps Team 2021-06-11 21:04:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-3905