Red Hat Bugzilla – Bug 1218365
CVE-2015-3905 t1utils: buffer overflow flaw
Last modified: 2015-11-02 09:24:31 EST
The 1.39 release of t1utils fixed a buffer overflow flaw: https://github.com/kohler/t1utils/blob/master/NEWS

Additional details (including a reproducer): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274
Created t1utils tracking bugs for this issue:

Affects: fedora-all [bug 1218366]
Affects: epel-all [bug 1218367]
Martin, this is not really epel-all, the "t1utils" package is part of RHEL 7, thus I am unpushing my EPEL 7 update now. This flaw also needs to be fixed in RHEL 7.
See also bug #1218367 comment #6 and #7
t1utils-1.39-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Robert Scheck from comment #2)
> Martin, this is not really epel-all, the "t1utils" package is part of RHEL 7,
> thus I am unpushing my EPEL 7 update now. This flaw also needs to be fixed in
> RHEL 7.

Thanks, Robert. I amended the whiteboard. This package should also be removed from EPEL 7 then.
(In reply to Martin Prpic from comment #5)
> Thanks, Robert. I amended the whiteboard. This package should also be
> removed from EPEL 7 then.

Yes. Is t1utils part of all RHEL architectures that EPEL supports? Or just the usual x86_64 thing? Otherwise I would have to import the RHEL srpm for EPEL ppc64.
This may be more critical than expected. It's a global buffer overflow, which none of the usual buffer overflow stoppers seem to catch.

In t1disasm.c:

global variables:
>  76 static FILE *ofp;
>  77 static int lenIV = 4;
>  78 static char cs_start[10];
>  79 static int unknown = 0;

> 105 set_cs_start(char *line)
> 106 {
> 107   char *p, *q, *r;
> 108
> 109   if ((p = strstr(line, "string currentfile"))) {
> 110     /* enforce presence of `readstring' -- 5/29/99 */
> 111     if (!strstr(line, "readstring"))
> 112       return;
> 113     /* locate the name of the charstring start command */
> 114     *p = '\0';                /* damage line[] */
> 115     q = strrchr(line, '/');
> 116     if (q) {
> 117       r = cs_start;
> 118       ++q;
> 119       while (!isspace(*q) && *q != '{')
> 120         *r++ = *q++;
> 121       *r = '\0';
> 122     }
> 123     *p = 's';                 /* repair line[] */
> 124   }
> 125 }

The interesting parts are lines 119 and 120. The loop will continue to copy whatever is in line into the global cs_start until a space-ish or '{' character is encountered, without paying any attention to the buffer space available in cs_start. This allows for FILE* ofp to be overwritten. This might be enough to gain code execution, although I haven't confirmed that part. For now I'm bumping this up to moderate.
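The following is an added illustration of the copy-loop problem described in the comment above; it is not code from t1utils and not the upstream patch. It keeps the same 10-byte buffer size as the quoted cs_start[], measures (without writing anything) how many bytes the unbounded loop at lines 119-120 would copy for a given input line, and shows a bounded replacement that always NUL-terminates within the buffer. The function names (find_cs_name, cs_name_length, set_cs_start_bounded, would_overflow, bounded_fit, bounded_len) and the two sample lines are constructed for this example and are not taken from the Debian reproducer.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Same size as the global cs_start[] quoted from t1disasm.c above. */
#define CS_START_SIZE 10

/* Locate the charstring command name in a line of the form
 * "/name {string currentfile exch readstring pop} ...".
 * Mirrors the two early returns of the quoted set_cs_start() and the
 * strrchr()-after-NUL trick, but as a pure lookup: the line is never
 * modified and nothing is copied.  Returns NULL when there is no match;
 * otherwise *end_out points one past the last byte of the name.
 * Unlike the quoted loop, the scan here never runs past the
 * "string currentfile" token. */
static const char *find_cs_name(const char *line, const char **end_out)
{
    const char *p = strstr(line, "string currentfile");
    if (!p || !strstr(line, "readstring"))
        return NULL;

    const char *q = NULL;                     /* last '/' before p */
    for (const char *s = line; s < p; s++)
        if (*s == '/')
            q = s;
    if (!q)
        return NULL;
    q++;

    const char *e = q;
    while (e < p && !isspace((unsigned char)*e) && *e != '{')
        e++;
    *end_out = e;
    return q;
}

/* Number of bytes (excluding the terminating NUL) that the unbounded
 * loop at lines 119-120 would write into cs_start for this line. */
size_t cs_name_length(const char *line)
{
    const char *end;
    const char *start = find_cs_name(line, &end);
    return start ? (size_t)(end - start) : 0;
}

/* 1 when the unbounded copy would overrun a CS_START_SIZE-byte buffer:
 * the loop writes the name and then one more byte for the NUL. */
int would_overflow(const char *line)
{
    return cs_name_length(line) >= CS_START_SIZE;
}

/* Bounded replacement: copies at most size-1 bytes and always writes a
 * terminating NUL inside dst.  Returns 1 when the whole name fit, 0 when
 * it was truncated, -1 when the line did not match. */
int set_cs_start_bounded(const char *line, char *dst, size_t size)
{
    if (size == 0)
        return 0;
    const char *end;
    const char *start = find_cs_name(line, &end);
    if (!start) {
        dst[0] = '\0';
        return -1;
    }
    size_t n = (size_t)(end - start);
    int fit = n < size;
    if (!fit)
        n = size - 1;                         /* leave room for the NUL */
    memcpy(dst, start, n);
    dst[n] = '\0';
    return fit;
}

/* Convenience wrappers over a CS_START_SIZE-byte local buffer. */
int bounded_fit(const char *line)
{
    char buf[CS_START_SIZE];
    return set_cs_start_bounded(line, buf, sizeof buf);
}

size_t bounded_len(const char *line)
{
    char buf[CS_START_SIZE];
    set_cs_start_bounded(line, buf, sizeof buf);
    return strlen(buf);
}

/* Constructed sample lines: a benign 2-byte name, and a 24-byte name that
 * the unbounded loop would write straight through the 10-byte buffer. */
const char SAFE_LINE[] =
    "/-| {string currentfile exch readstring pop} executeonly def";
const char LONG_LINE[] =
    "/AAAAAAAAAAAAAAAAAAAAAAAA {string currentfile exch readstring pop} executeonly def";
```

With the benign line, cs_name_length() reports 2 and the bounded copy fits; with the long line it reports 24, would_overflow() is true, and set_cs_start_bounded() truncates to 9 bytes plus NUL instead of spilling into whatever globals follow cs_start (ofp, in the layout quoted above).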
Upstream patch: https://github.com/kohler/t1utils/commit/6b9d1aafcb61a3663c883663eb19ccdbfcde8d33
Statement: Red Hat Product Security has rated this issue as having moderate security impact; a future update may address this flaw in t1utils.
t1utils-1.39-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
t1utils-1.39-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
t1utils-1.39-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
t1utils-1.39-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.