Bug 666318 (CVE-2010-2642)

Summary: CVE-2010-2642 t1lib: Heap based buffer overflow in DVI file AFM font parser
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Assignee: Red Hat Product Security <security-response-team>
CC: jamatos, jlieskov, mkasik, pertusus, security-response-team
Doc Type: Bug Fix
Last Closed: 2021-10-19 21:46:57 UTC
Bug Depends On: 666323, 666324, 667573, 679008, 679010, 680005, 772899, 772900, 772901, 773177, 773178, 773180, 773183, 773184, 845624, 984476
Bug Blocks: 734178

Description Huzaifa S. Sidhpurwala 2010-12-30 05:34:05 UTC
A heap based buffer overflow was found in the parser for AFM font files, 
which are used for rendering DVI files in GNOME evince document viewer.
Due to insufficient bounds checks when writing data to a memory buffer 
allocated on a heap, it may be possible to cause an arbitrary memory 
overwrite, leading to code execution.

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2642 to
this issue.

The vulnerability is present in the code that handles loading of fonts used by
DVI files. To exploit it you need two files, a DVI file and the malicious font.
The vulnerability is triggered not only by opening the document in evince, but
also by browsing to a folder which contains the malicious files, where the evince
thumbnailer will load the malicious file to generate a thumbnail for it.

Acknowledgements:

Red Hat would like to thank the Evince development team for reporting this issue. Upstream acknowledges Jon Larimer of IBM X-Force as the original reporter.

Comment 3 Huzaifa S. Sidhpurwala 2011-01-06 02:52:44 UTC
Public via:
http://git.gnome.org/browse/evince/commit/?id=d4139205b010ed06310d14284e63114e88ec6de2

(afmparse.c change is relevant to this CVE)

Comment 4 Huzaifa S. Sidhpurwala 2011-01-06 03:01:43 UTC
Created evince tracking bugs for this issue

Affects: fedora-all [bug 667573]

Comment 5 errata-xmlrpc 2011-01-06 18:28:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0009 https://rhn.redhat.com/errata/RHSA-2011-0009.html

Comment 8 Jan Lieskovsky 2011-02-21 09:36:12 UTC
This issue affects the versions of the t1lib package, as shipped
with Fedora releases 13 and 14.

--

This issue affects the versions of the t1lib package, as present
within EPEL-5 repository.

Please schedule an update for both cases.

Comment 10 Jan Lieskovsky 2011-02-21 09:37:21 UTC
Created t1lib tracking bugs for this issue

Affects: fedora-all [bug 679008]

Comment 11 Jan Lieskovsky 2011-02-21 09:38:19 UTC
Created t1lib tracking bugs for this issue

Affects: epel-5 [bug 679010]

Comment 14 Huzaifa S. Sidhpurwala 2011-02-25 07:11:34 UTC
Statement:

This issue did not affect the versions of evince as shipped with Red Hat Enterprise Linux 5.

Comment 16 Tomas Hoger 2011-03-04 16:09:08 UTC
A gnome BZ bug for the off-by-one issue in the original patch:
  https://bugzilla.gnome.org/show_bug.cgi?id=643882

Comment 18 Huzaifa S. Sidhpurwala 2012-01-10 09:39:58 UTC
Created t1lib tracking bugs for this issue

Affects: fedora-all [bug 772899]

Comment 21 Jindrich Novy 2012-01-12 12:01:07 UTC
(In reply to comment #3)
> Public via:
> http://git.gnome.org/browse/evince/commit/?id=d4139205b010ed06310d14284e63114e88ec6de2

Trying to backport this patch in tetex:

- afmparse.c
  - no such file in tetex
  - looked for "while (ch != EOF && ch != ' ' && ch != lineterm" - nothing 
    found in the whole code base
- dviread.c
  - no such file in tetex
  - looked for "arg = dugetn(dvi, opcode - DVI_XXX1 + 1);" - nothing 
    found in the whole code base
- pk.c
  - present in xdvi and dvipng - not applicable
  - looked for "if(cc < loc)" - nothing found
- tfmfile.c
  - no such file in tetex
  - looked for "if(fstat(fileno(in), &st) < 0)" - nothing 
    found in the whole code base

Trying to backport this patch in texlive:

- afmparse.c
  - file present in psaux code
  - looked for "while (ch != EOF && ch != ' ' && ch != lineterm" - nothing 
    found in the whole code base
- dviread.c
  - no such file in texlive
  - looked for "arg = dugetn(dvi, opcode - DVI_XXX1 + 1);" - nothing 
    found in the whole code base
- pk.c
  - present in dvipng and xdvik
  - looked for "if(cc < loc)" - nothing found
- tfmfile.c
  - no such file in texlive
  - looked for "if(fstat(fileno(in), &st) < 0)" - nothing 
    found in the whole code base

Are you sure it is in any way related to tetex/texlive? Either it is not related to tetex/texlive or the files there are too old.
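The description above explains the bug as a missing bounds check while copying into a fixed buffer, and comment 21 quotes the while-condition that the upstream fix extends. As an added illustration (constructed here; not t1lib, evince, or Red Hat code), the token-copy loop in its vulnerable shape next to a bounded form, with a memory stream standing in for the file stream, a 64-byte buffer standing in for the real ident[] array, and sample inputs built inline:

```c
/* Constructed illustration of the CVE-2010-2642 pattern, not t1lib or
 * evince code; a memory stream stands in for fgetc()/ungetc(). */
#include <stddef.h>
#include <string.h>
#define MAX_NAME 64                     /* the real ident[] holds 4096 */
#define LINETERM '\n'
struct afm_in { const char *p; };       /* constructed input stream */
static int next_ch(struct afm_in *in) { return *in->p ? (unsigned char)*in->p++ : -1; }
static int is_sep(int ch) { return ch == ' ' || ch == LINETERM || ch == '\t' || ch == ';'; }
static int skip_ws(struct afm_in *in) {  /* leading separators incl. ',' */
    int ch;
    while ((ch = next_ch(in)) == ',' || is_sep(ch)) ;
    return ch;
}
static int ends_token(int ch) { return ch == -1 || ch == ':' || is_sep(ch); }
/* mirrors the ungetc() rule: an unread char goes back unless it is ':' or EOF */
static void push_back(struct afm_in *in, int ch) { if (ch != -1 && ch != ':') in->p--; }
/* Vulnerable shape: the copy loop never consults the buffer size. Returns the
 * byte count written so a caller with a large scratch buffer can observe
 * the overrun without corrupting memory. */
size_t token_unbounded(struct afm_in *in, char *ident) {
    int ch = skip_ws(in); size_t idx = 0;
    while (!ends_token(ch)) { ident[idx++] = (char)ch; ch = next_ch(in); }
    push_back(in, ch);
    ident[idx] = 0;
    return idx + 1;
}
/* Hardened shape: also stop at cap - 1 so the terminator fits; testing
 * idx < cap instead is the off-by-one that comment 16 refers to. */
size_t token_bounded(struct afm_in *in, char *ident, size_t cap) {
    int ch = skip_ws(in); size_t idx = 0;
    while (!ends_token(ch) && idx < cap - 1) { ident[idx++] = (char)ch; ch = next_ch(in); }
    push_back(in, ch);
    ident[idx] = 0;
    return idx + 1;
}
/* Constructed input: a 100-byte glyph name against a 64-byte ident[]. */
size_t demo_overrun(int bounded) {
    char name[101], scratch[512];       /* oversized so the demo is safe */
    struct afm_in in = { name };
    memset(name, 'A', 100); name[100] = 0;
    return bounded ? token_bounded(&in, scratch, MAX_NAME)
                   : token_unbounded(&in, scratch);
}
/* Constructed AFM char-metrics line; checks normal tokenising still works. */
int demo_tokens(void) {
    char a[MAX_NAME], b[MAX_NAME];
    struct afm_in in = { "C 32 ; WX 600 ; N space\n" };
    token_bounded(&in, a, MAX_NAME); token_bounded(&in, b, MAX_NAME);
    return !strcmp(a, "C") && !strcmp(b, "32");
}
```

demo_overrun(0) reports 101 bytes written for a 64-byte buffer, which is the overrun; demo_overrun(1) stops at exactly 64 including the terminator.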

Comment 23 errata-xmlrpc 2012-01-24 21:17:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0062 https://rhn.redhat.com/errata/RHSA-2012-0062.html

Comment 24 Fedora Update System 2012-01-27 19:19:12 UTC
t1lib-5.0.2-2 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2012-01-27 19:20:59 UTC
t1lib-5.1.1-9.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2012-01-28 03:22:57 UTC
t1lib-5.1.2-9.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2012-01-28 03:28:03 UTC
t1lib-5.1.2-9.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 errata-xmlrpc 2012-02-15 16:20:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0137 https://rhn.redhat.com/errata/RHSA-2012-0137.html

Comment 29 errata-xmlrpc 2012-08-23 14:58:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1201 https://rhn.redhat.com/errata/RHSA-2012-1201.html

Comment 30 Tomas Hoger 2012-11-23 13:30:26 UTC
Apparently, the same issue was fixed in 2008 in the copy of this code as used in OpenOffice.org and LibreOffice.  This fix covers both token() and linetoken() functions (see bug 679732, comment 24), and without introducing the off-by-one problem (comment 16 above, or bug 878483):

http://cgit.freedesktop.org/libreoffice/core/commit/?id=8b60389d7c36

There does not seem to be any CVE assigned for the OpenOffice.org fix.