Bug 878483 – CVE-2011-5244 t1lib: off-by-one errors in token and linetoken

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 878483 - (CVE-2011-5244) CVE-2011-5244 t1lib: off-by-one errors in token and linetoken

Summary:	CVE-2011-5244 t1lib: off-by-one errors in token and linetoken

Status:	CLOSED NOTABUG

Aliases:	CVE-2011-5244

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20110304,repor...
Keywords:	Security

Depends On:
Blocks:	878488
	Show dependency tree / graph

Reported:	2012-11-20 09:32 EST by Jan Lieskovsky
Modified:	2016-03-04 06:23 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2012-11-29 05:04:08 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Jan Lieskovsky 2012-11-20 09:32:55 EST

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-5244 to the following vulnerability:

Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics ((AFM) file, different vulnerabilities than CVE-2010-2642 and CVE-2011-0433.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5244
[2] http://www.openwall.com/lists/oss-security/2011/03/04/21
[3] http://git.gnome.org/browse/evince/commit/?id=439c5070022e
[4] http://git.gnome.org/browse/evince/commit/?id=d4139205b010
[5] https://bugzilla.gnome.org/show_bug.cgi?id=643882

Comment 2 Tomas Hoger 2012-11-23 07:59:08 EST

Upstream fix for this issues is:

http://git.gnome.org/browse/evince/commit/?id=efadec4ffcdd

This issue is related to CVE-2010-2642 (bug 666318) and CVE-2011-0433 (bug 679732), as it is a problem in the fix for those issues.  This problem was known when those issues were dealt with (bug 666318, comment 16, bug 679732, comment 11) and it was fixed in updates released to address the above two issues.

Hence, t1lib, evince, tetex and texlive packages in Red Hat Enterprise Linux were not affected by this issue.

Comment 3 Tomas Hoger 2012-11-23 08:33:11 EST

This was previously fixed in OpenOffice.org / LibreOffice, see bug 666318, comment 30.

Comment 6 Huzaifa S. Sidhpurwala 2012-11-29 05:04:08 EST

Statement:

Not Vulnerable. This issue did not affect the version of tetex as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of t1lib and evince as shipped with Red Hat Enterprise Linux 6. Because the advisory released to fix CVE-2010-2642 completely resolved the problem without introducing this flaw.

Note You need to log in before you can comment on or make changes to this bug.