Bug 1218365 (CVE-2015-3905) - CVE-2015-3905 t1utils: buffer overflow flaw
Summary: CVE-2015-3905 t1utils: buffer overflow flaw
Status: NEW
Alias: CVE-2015-3905
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150226,repor...
Keywords: Security
Depends On: 1218366 1218367
Blocks: 1220681
Reported: 2015-05-04 17:58 UTC by Martin Prpič
Modified: 2019-06-08 20:34 UTC (History)

A buffer overflow flaw was found in the way t1utils processed, for example, certain PFB (Printer Font Binary) files. An attacker could use this flaw to potentially execute arbitrary code by tricking a user into processing a specially crafted PFB file with t1utils.
Clone Of:
Last Closed:
Description Martin Prpič 2015-05-04 17:58:30 UTC
The 1.39 release of t1utils fixed a buffer overflow flaw:

https://github.com/kohler/t1utils/blob/master/NEWS

Additional details (including a reproducer):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274

Comment 1 Martin Prpič 2015-05-04 17:59:03 UTC
Created t1utils tracking bugs for this issue:

Affects: fedora-all [bug 1218366]
Affects: epel-all [bug 1218367]

Comment 2 Robert Scheck 2015-05-09 14:01:54 UTC
Martin, this is not really epel-all, the "t1utils" package is part of RHEL 7,
thus I am unpushing my EPEL 7 update now. This flaw also needs to be fixed in
RHEL 7.

Comment 3 Robert Scheck 2015-05-09 14:02:26 UTC
See also bug #1218367 comment #6 and #7

Comment 4 Fedora Update System 2015-05-11 19:02:30 UTC
t1utils-1.39-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Martin Prpič 2015-05-12 08:02:44 UTC
(In reply to Robert Scheck from comment #2)
> Martin, this is not really epel-all, the "t1utils" package is part of RHEL 7,
> thus I am unpushing my EPEL 7 update now. This flaw also needs to be fixed in
> RHEL 7.

Thanks, Robert. I amended the whiteboard. This package should also be removed from EPEL 7 then.

Comment 6 Robert Scheck 2015-05-12 18:21:50 UTC
(In reply to Martin Prpic from comment #5)
> Thanks, Robert. I amended the whiteboard. This package should also be
> removed from EPEL 7 then.

Yes. Is t1utils part of all RHEL architectures that EPEL supports? Or just
the usual x86_64 thing? Otherwise I would have to import the RHEL srpm for
EPEL ppc64.

Comment 7 Stefan Cornelius 2015-05-13 06:36:18 UTC
This may be more critical than expected. It's a global buffer overflow, which none of the usual buffer overflow stoppers seem to catch.

In t1disasm.c:

global variables:
>     76 static FILE *ofp;
>     77 static int lenIV = 4;
>     78 static char cs_start[10];
>     79 static int unknown = 0;

>    105 set_cs_start(char *line)
>    106 {
>    107   char *p, *q, *r;
>    108 
>    109   if ((p = strstr(line, "string currentfile"))) {
>    110     /* enforce presence of `readstring' -- 5/29/99 */
>    111     if (!strstr(line, "readstring"))
>    112       return;
>    113     /* locate the name of the charstring start command */
>    114     *p = '\0';					  /* damage line[] */
>    115     q = strrchr(line, '/');
>    116     if (q) {
>    117       r = cs_start;
>    118       ++q;
>    119       while (!isspace(*q) && *q != '{')
>    120 	*r++ = *q++;
>    121       *r = '\0';
>    122     }
>    123     *p = 's';					  /* repair line[] */
>    124   }
>    125 }

The interesting parts are line 119 and 120. The loop will continue to copy whatever is in line into the global cs_start until a space-ish or '{' character is encountered, without paying any attention to the buffer space available in cs_start. This allows for FILE* ofp to be overwritten. This might be enough to gain code execution, although I haven't confirmed that part.

For now I'm bumping this up to moderate.
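
The following is an added example, not code from t1utils or from anyone in this report. It models the unbounded copy quoted above (t1disasm.c lines 119-121) next to a bounded replacement, and simulates the globals as one flat array so the overrun is observable without undefined behaviour. That the bytes past cs_start[10] belong to FILE *ofp is an assumption about layout taken from comment 7; real placement is up to the compiler and linker. The two input lines are constructed for the demonstration; the bounded loop is the shape of fix I would apply, not necessarily the upstream change linked in comment 9.

```c
/* Added example, not t1utils code: the unbounded copy from set_cs_start()
 * beside a bounded replacement.  The .bss neighbourhood is modelled as one
 * array so writing past the modelled cs_start[10] is well-defined here. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CS_START_LEN 10                /* static char cs_start[10]; */
#define SPARE        64                /* slack so the overrun stays inside region[] */

static unsigned char region[CS_START_LEN + SPARE];
#define CS_START ((char *)region)      /* the modelled cs_start[] */

/* Constructed inputs: a charstring-start line of the kind found in Type 1
 * fonts, and a crafted one whose command name is longer than cs_start[]. */
static const char *const BENIGN_LINE =
    "/-| {string currentfile exch readstring pop} executeonly def";
static const char *const CRAFTED_LINE =
    "/" "AAAAAAAAAA" "AAAAAAAAAA" " string currentfile exch readstring pop";

static void reset_region(void) { memset(region, 0, sizeof region); }

/* Bytes of the modelled neighbour (the pointer-sized slot right after
 * cs_start[], standing in for ofp) that are no longer zero. */
static size_t neighbour_bytes_clobbered(void)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof(void *); i++)
        if (region[CS_START_LEN + i] != 0)
            n++;
    return n;
}

/* Same loop as the quoted t1disasm.c: stops only at whitespace or '{',
 * never because dst is full (and, like the original, not at NUL either). */
static size_t copy_unbounded(char *dst, const char *src)
{
    char *r = dst;
    while (!isspace((unsigned char)*src) && *src != '{')
        *r++ = *src++;
    *r = '\0';
    return (size_t)(r - dst);
}

/* Bounded replacement: keeps room for the terminator and also stops at NUL.
 * Illustrative fix; the upstream commit in comment 9 is the authoritative one. */
static size_t copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n + 1 < dstsz && *src && !isspace((unsigned char)*src) && *src != '{')
        dst[n++] = *src++;
    dst[n] = '\0';
    return n;
}

/* Mirrors set_cs_start(): require "string currentfile" and "readstring",
 * then take the token after the last '/' before "string currentfile".
 * Returns bytes copied into the modelled cs_start[], or -1 when the line
 * is not a charstring-start line.  bounded selects which copy loop runs. */
static int extract_cs_start(const char *line_in, int bounded)
{
    char line[256];
    char *p, *q;

    if (strlen(line_in) >= sizeof line)
        return -1;
    strcpy(line, line_in);

    if (!(p = strstr(line, "string currentfile")))
        return -1;
    if (!strstr(line, "readstring"))
        return -1;
    *p = '\0';                         /* damage line[], as the original does */
    q = strrchr(line, '/');
    if (!q)
        return -1;
    ++q;
    return bounded ? (int)copy_bounded(CS_START, CS_START_LEN, q)
                   : (int)copy_unbounded(CS_START, q);
}

int main(void)
{
    const char *lines[] = { BENIGN_LINE, CRAFTED_LINE };
    for (int l = 0; l < 2; l++)
        for (int bounded = 0; bounded < 2; bounded++) {
            reset_region();
            int n = extract_cs_start(lines[l], bounded);
            printf("%s line, %s copy: %d bytes copied, %zu neighbour bytes clobbered\n",
                   l ? "crafted" : "benign", bounded ? "bounded" : "unbounded",
                   n, neighbour_bytes_clobbered());
        }
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c` and run it: the benign line copies two bytes either way, while the crafted line's 20-byte command name overwrites every byte of the modelled neighbour with the unbounded loop and is truncated to nine characters by the bounded one. Because this model folds both buffers into a single array, it is deliberately invisible to AddressSanitizer; to have the real overrun flagged, build t1utils itself with -fsanitize=address, which does instrument global buffers.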

Comment 9 Stefan Cornelius 2015-05-15 09:03:20 UTC
Upstream patch:
https://github.com/kohler/t1utils/commit/6b9d1aafcb61a3663c883663eb19ccdbfcde8d33

Comment 10 Stefan Cornelius 2015-05-15 09:04:58 UTC
Statement:

Red Hat Product Security has rated this issue as having moderate security impact; a future update may address this flaw in t1utils.

Comment 11 Fedora Update System 2015-05-17 06:39:08 UTC
t1utils-1.39-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-05-17 06:39:19 UTC
t1utils-1.39-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2015-05-21 05:12:03 UTC
t1utils-1.39-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-05-21 05:12:56 UTC
t1utils-1.39-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
