Bug 692909 (CVE-2011-0764)

Summary: CVE-2011-0764 t1lib: Invalid pointer dereference via crafted Type 1 font

Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: jamatos, jskarvad, pertusus, than
Last Closed: 2021-10-19 21:48:10 UTC
Bug Depends On: 679734, 772899, 772900, 772901, 773177, 773178, 773180, 773183, 773184, 845624, 984476
Bug Blocks: 734178

Attachments (description, flags):
  better patch (none)
  Combined patch (none)
  newer patch (none)
  Updated patch (none)
  Updated patch (none)

Description Jan Lieskovsky 2011-04-01 15:24:52 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0764 to
the following vulnerability:

t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other
products, uses an invalid pointer in conjunction with a dereference
operation, which allows remote attackers to execute arbitrary code via
a crafted Type 1 font in a PDF document, as demonstrated by
testz.2184122398.pdf.

References:
[1]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764 
[2]  http://www.securityfocus.com/archive/1/archive/1/517205/100/0/threaded
[3]  http://www.toucan-system.com/advisories/tssa-2011-01.txt 
[4]  http://www.foolabs.com/xpdf/download.html
[5]  http://www.kb.cert.org/vuls/id/MAPG-8ECL8X
[6]  http://www.kb.cert.org/vuls/id/376500
[7]  http://www.securityfocus.com/bid/46941
[8]  http://securitytracker.com/id?1025266
[9]  http://secunia.com/advisories/43823
[10] http://www.vupen.com/english/advisories/2011/0728
[11] http://xforce.iss.net/xforce/xfdb/66208

Comment 6 Huzaifa S. Sidhpurwala 2012-01-03 06:36:28 UTC
Created attachment 550366 [details]
better patch

Comment 7 José Matos 2012-01-03 12:13:34 UTC
Thank you for the patch.

I am building the package with the patch now for rawhide and I will propagate the fix to F16 and F15 next.

http://koji.fedoraproject.org/koji/taskinfo?taskID=3615316

Comment 8 José Matos 2012-01-03 13:16:35 UTC
Oops, I forgot to give you the credit for the patch in the spec file. My mistake. :-(

In order to mitigate this I added a note to the master git spec file but I will not rebuild the packages just for this change.

Comment 9 Jaroslav Škarvada 2012-01-03 14:00:47 UTC
Created attachment 550422 [details]
Combined patch

Fixes more invalid reads.

Comment 11 Huzaifa S. Sidhpurwala 2012-01-04 08:45:13 UTC
Created attachment 550629 [details]
newer patch

Comment 12 Huzaifa S. Sidhpurwala 2012-01-04 08:46:56 UTC
(In reply to comment #8)
> Oops, I forgot to give you the credit for the patch in the spec file. My
> mistake. :-(
> 
> In order to mitigate this I added a note to the master git spec file but I will
> not rebuild the packages just for this change.

Jose,
This is still work in progress and there may be a few more changes to the final patch. Also, we are trying to fix multiple issues in here, so I wouldn't build packages just yet.

Comment 14 José Matos 2012-01-04 11:17:04 UTC
Thank you for the heads up.

I will wait then before proceeding. :-)

Comment 16 Jaroslav Škarvada 2012-01-05 23:46:56 UTC
Created attachment 551043 [details]
Updated patch

Removed a probably left-over code fragment, extended the "paranoia" NULL ppoints check to the rest of the checks (all are probably redundant). The patch is not completed yet.

Comment 17 Jaroslav Škarvada 2012-01-10 00:08:18 UTC
Created attachment 551723 [details]
Updated patch

Fixed crash on oversized fonts.

Comment 19 Huzaifa S. Sidhpurwala 2012-01-10 09:42:29 UTC
Created t1lib tracking bugs for this issue

Affects: epel-5 [bug 679734]
Affects: fedora-all [bug 772899]

Comment 22 Jindrich Novy 2012-01-12 12:46:59 UTC
(In reply to comment #17)
> Created attachment 551723 [details]
> Updated patch
> 
> Fixed crash on oversized fonts.

BTW, this patch collides with the patch for bug 692853. This one seems more complete as it at least displays an error message.

Comment 23 Jaroslav Škarvada 2012-01-12 13:34:14 UTC
Jindra, the patch in bug 692853 was my early attempt to fix CVE-2011-1552. It is now deprecated by the patch from comment 17, which should address (as we believe) CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554. I will also backport the patch to t1lib-5.0.2 (which should be trivial).

Comment 24 Jindrich Novy 2012-01-12 14:39:20 UTC
(In reply to comment #23)
> Jindra, the patch in bug 692853 was my early attempt to fix CVE-2011-1552. It
> is now deprecated by patch from comment 17 which should address (as we believe)
> CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554. I will also
> backport the patch to t1lib-5.0.2 (which should be trivial).

Jardo, the newer patch misses these hunks from the old one:

diff -up texlive-2007/libs/type1/type1.c.CVE-2011-1552 texlive-2007/libs/type1/type1.c
--- texlive-2007/libs/type1/type1.c.CVE-2011-1552       2006-01-16 01:09:26.000000000 +0100
+++ texlive-2007/libs/type1/type1.c     2012-01-12 13:23:01.949917940 +0100
@@ -1698,6 +1699,7 @@ static int RLineTo(dx, dy)
 {
   long pindex = 0;

+  if (numppoints < 2) return 0;
   /* compute hinting for previous segment! */
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);

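Review bot: the guard `if (numppoints < 2) return 0;` rejects the malformed charstring silently: RLineTo returns to the interpreter as if the operator had succeeded, and nothing is logged or flagged for the font that triggered it. Prefer signalling an error (the replacement hunk in comment 25 uses Error0i("RLineTo: No previous point!\n")) so the glyph is abandoned rather than drawn from a partial path. The check also tests only the count; ppoints itself is not checked for NULL before ppoints[numppoints-2] is indexed in the FindStems call on the next line.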
@@ -1726,6 +1728,7 @@ static int RRCurveTo(dx1, dy1, dx2, dy2,
 {
   long pindex = 0;

+  if (numppoints < 2) return 0;
   /* compute hinting for previous point! */
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);

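Review bot: this is the same guard as in RLineTo with the same silent `return 0;`, so the bound now lives as a duplicated literal in two functions and will drift if only one is edited. Suggest one macro or inline helper (ppoints non-NULL and numppoints >= 2) called from both operators, with an error path instead of a bare return, so the FindStems(... ppoints[numppoints-2] ...) call on the next line can never run on an empty point list.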
@@ -2148,6 +2154,7 @@ static void FlxProc(c1x2, c1y2, c3x0, c3
   DOUBLE ex, ey;


+  if (numppoints < 8) return;
   /* Our PPOINT list now contains 7 moveto commands which
      are about to be consumed by the Flex mechanism. --> Remove these
      seven elements (their values already reside on the PSFakeStack!)

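Review bot: the threshold in `if (numppoints < 8) return;` is not explained by the comment right below it, which says the list holds seven moveto points that are about to be removed; from the hunk alone a reader cannot tell why eight rather than seven are required. Add a one-line comment stating the reason, and consider reporting the condition instead of returning silently from a void function: on the early return the seven flex points stay on the list unconsumed, so the interpreter continues with a point list the Flex mechanism was supposed to have cleaned up.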
Is it intentional? Thanks.

Comment 25 Jaroslav Škarvada 2012-01-12 15:08:08 UTC
(In reply to comment #24)
> Jardo, the newer patch misses these hunks from the old one:
...
> Is it intentional? Thanks.

They were replaced by more robust:

@@ -1700,6 +1701,7 @@.
   long pindex = 0;
   
   /* compute hinting for previous segment! */
+  if (ppoints == NULL || numppoints < 2 ) Error0i("RLineTo: No previous point!\n");
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
 
   /* Allocate a new path point and pre-setup data */
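Review bot: the guard only works if Error0i() leaves the function; if that macro merely logs and sets a flag, execution falls through to FindStems(... ppoints[numppoints-2] ...) on the next line and the out-of-bounds read is unchanged. Confirm Error0i returns from RLineTo and say so in a comment, since the hunk does not show it. Two nits: the stray space in `numppoints < 2 )`, and the check sits below the `/* compute hinting for previous segment! */` comment it protects; moving it above that comment reads better.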
@@ -1728,6 +1730,7 @@.
   long pindex = 0;
   
   /* compute hinting for previous point! */
+  if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n");
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
 
   /* Allocate three new path points and pre-setup data */
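Review bot: same structure as the RLineTo hunk, so the same question about Error0i() actually returning applies here. The spacing `numppoints < 2)` differs from the RLineTo hunk's `numppoints < 2 )`; pick one form. Since the two guards are otherwise identical, factor them into a single macro so a later change to the bound or to the NULL check is applied to both operators at once.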
@@ -2152,6 +2159,7 @@.
   DOUBLE cx, cy;
   DOUBLE ex, ey;
 
+  if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!");
 
   /* Our PPOINT list now contains 7 moveto commands which
      are about to be consumed by the Flex mechanism. --> Remove these
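Review bot: the message "FlxProc: No previous point!" is misleading and, unlike the two messages above, lacks the trailing "\n". The condition being caught is a list with fewer than eight points where the comment below expects seven moveto points to be present, so something like "FlxProc: Not enough points for flex!\n" names the actual fault. As with the other hunks, make sure Error0v() returns from this void function rather than only reporting, otherwise the seven-element removal described below still runs against a short list.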

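Added example (not t1lib code and not any of the patches attached to this bug): a minimal Type 1 charstring decoder and path interpreter in C that reproduces the ppoints[numppoints-2] access guarded by the hunks in comments 24 and 25, which is the invalid pointer dereference the description in comment 0 refers to. The charstring number encoding and the operator codes follow the Type 1 font format specification; the Interp struct, the function names, the rule that hsbw and rmoveto each record one path point, the guarded/unguarded switch and the three sample charstrings are assumptions made for this example. Flex, hint operators and subroutines are not modelled. With guarded set, the interpreter rejects a glyph that issues rlineto or rrcurveto before two points exist, as the patch does; without it, it records the negative index the original code would have read instead of dereferencing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { double x, y; } PPOINT;

typedef struct {
    PPOINT *ppoints;      /* path point list, like t1lib's ppoints[] */
    long numppoints, cap; double currx, curry;  /* point count and current point, as in t1lib */
    double stack[24];     /* Type 1 operand stack (the spec allows 24 entries) */
    int sp, errflag;      /* errflag: the guarded interpreter rejected the glyph */
    long oob_index;       /* first index the unguarded code would have read (0 if none) */
} Interp;

enum { OP_RLINETO = 5, OP_RRCURVETO = 8, OP_CLOSEPATH = 9, OP_HSBW = 13,   /* Type 1 spec operator codes */
       OP_ENDCHAR = 14, OP_RMOVETO = 21 };

static void add_point(Interp *t, double x, double y)
{
    if (t->numppoints == t->cap) {
        t->cap = t->cap ? 2 * t->cap : 8;
        t->ppoints = realloc(t->ppoints, (size_t)t->cap * sizeof *t->ppoints);
    }
    t->ppoints[t->numppoints].x = x; t->ppoints[t->numppoints].y = y; t->numppoints++;
}

/* Stand-in for FindStems(currx, curry, currx-ppoints[numppoints-2].x, ...): the hinter looks two
   entries back. guarded == 1 applies the patch's check; guarded == 0 records the bad index instead. */
static int prev_segment(Interp *t, int guarded, double *dx, double *dy)
{
    if (t->ppoints == NULL || t->numppoints < 2) {
        if (guarded) t->errflag = 1;            /* Error0i("...: No previous point!") in the patch */
        else if (!t->oob_index) t->oob_index = t->numppoints - 2;  /* e.g. -2 for rlineto as first op */
        return 0;
    }
    *dx = t->currx - t->ppoints[t->numppoints - 2].x;
    *dy = t->curry - t->ppoints[t->numppoints - 2].y;
    return 1;
}

/* Charstring number encoding (Type 1 spec 6.2): returns bytes consumed, 0 = operator, -1 = truncated. */
static int decode_number(const unsigned char *p, size_t n, double *out)
{
    unsigned v = p[0]; if (v < 32) return 0;    /* 0..31 are operator bytes */
    if (v <= 246) { *out = (int)v - 139; return 1; }
    if (n < 2) return -1;
    if (v <= 250) { *out = ((int)v - 247) * 256 + p[1] + 108; return 2; }
    if (v <= 254) { *out = -((int)v - 251) * 256 - p[1] - 108; return 2; }
    if (n < 5) return -1;
    *out = (int32_t)((uint32_t)p[1] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 8 | p[4]);
    return 5;
}

/* Interpret a decrypted charstring: 1 if endchar was reached, 0 if rejected or truncated. */
static int run_charstring(Interp *t, const unsigned char *cs, size_t n, int guarded)
{
    size_t i = 0;
    memset(t, 0, sizeof *t);
    while (i < n && !t->errflag) {
        double v, dx, dy;
        int k = decode_number(cs + i, n - i, &v);
        if (k < 0 || (k > 0 && t->sp == 24)) { t->errflag = 1; break; }  /* truncated or stack overflow */
        if (k > 0) { t->stack[t->sp++] = v; i += k; continue; }
        int op = cs[i++], need = op == OP_RRCURVETO ? 6 : (op == OP_CLOSEPATH || op == OP_ENDCHAR) ? 0 : 2;
        if (t->sp < need) { t->errflag = 1; break; }                     /* operand stack underflow */
        if (op == OP_ENDCHAR) return 1;
        /* rlineto and rrcurveto hint the segment ending at the current point before adding points */
        if ((op == OP_RLINETO || op == OP_RRCURVETO) && !prev_segment(t, guarded, &dx, &dy) && guarded) break;
        switch (op) {
        case OP_HSBW:                     /* sbx wx hsbw: start point is (sbx, 0) */
            t->currx = t->stack[0]; t->curry = 0; add_point(t, t->currx, t->curry); break;
        case OP_RMOVETO: case OP_RLINETO: /* dx dy: one new point */
            t->currx += t->stack[0]; t->curry += t->stack[1]; add_point(t, t->currx, t->curry); break;
        case OP_RRCURVETO:                /* dx1 dy1 dx2 dy2 dx3 dy3: three new points */
            for (int j = 0; j < 6; j += 2) { t->currx += t->stack[j]; t->curry += t->stack[j + 1]; add_point(t, t->currx, t->curry); }
            break;
        case OP_CLOSEPATH: break;
        default: t->errflag = 1; break;   /* hints, flex, subrs and callothersubr are not modelled */
        }
        t->sp = 0;                        /* every Type 1 operator clears the operand stack */
    }
    return 0;
}

/* Constructed sample charstrings (already decrypted, no lenIV prefix). */
static const unsigned char GOOD[] =           /* 50 600 hsbw 100 0 rmoveto 200 0 rlineto 0 200 rlineto closepath endchar */
    { 189, 248, 236, 13, 239, 139, 21, 247, 92, 139, 5, 139, 247, 92, 5, 9, 14 };
static const unsigned char BAD_FIRST_OP[] =   /* 200 0 rlineto endchar: rlineto with no point at all */
    { 247, 92, 139, 5, 14 };
static const unsigned char BAD_AFTER_HSBW[] = /* 50 600 hsbw 10 10 rlineto endchar: only the start point */
    { 189, 248, 236, 13, 149, 149, 5, 14 };

int main(void)
{
    Interp t;
    int ok = run_charstring(&t, BAD_FIRST_OP, sizeof BAD_FIRST_OP, 1);
    printf("guarded:   ok=%d errflag=%d\n", ok, t.errflag);
    ok = run_charstring(&t, BAD_FIRST_OP, sizeof BAD_FIRST_OP, 0);
    printf("unguarded: ok=%d, would have read ppoints[%ld]\n", ok, t.oob_index);
    free(t.ppoints); return 0;
}
```

Compile with cc -std=c99 and run. The well-formed glyph produces four points and is accepted either way; a charstring whose first operator is rlineto is rejected by the guarded path and, on the unguarded path, reports ppoints[-2], the kind of out-of-bounds index the checks in the attached patches prevent. Running the same crafted input through hsbw first still leaves only one point, so the numppoints < 2 bound in the patch is the correct one for this access pattern.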
Comment 26 errata-xmlrpc 2012-01-24 21:17:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0062 https://rhn.redhat.com/errata/RHSA-2012-0062.html

Comment 27 Fedora Update System 2012-01-27 19:19:29 UTC
t1lib-5.0.2-2 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2012-01-27 19:21:18 UTC
t1lib-5.1.1-9.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2012-01-28 03:23:12 UTC
t1lib-5.1.2-9.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2012-01-28 03:28:17 UTC
t1lib-5.1.2-9.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 errata-xmlrpc 2012-02-15 16:21:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0137 https://rhn.redhat.com/errata/RHSA-2012-0137.html

Comment 32 errata-xmlrpc 2012-08-23 14:58:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1201 https://rhn.redhat.com/errata/RHSA-2012-1201.html