A heap-based buffer overflow was found in the parser for AFM font files, which are used for rendering DVI files in the GNOME evince document viewer. Due to insufficient bounds checks when writing data to a memory buffer allocated on the heap, it may be possible to cause an arbitrary memory overwrite, leading to code execution. Common Vulnerabilities and Exposures assigned the identifier CVE-2010-2642 to this issue. The vulnerability is present in the code that handles loading of fonts used by DVI files. To exploit it you need two files, a DVI file and the malicious font. The vulnerability is triggered not only by opening the document in evince, but also by browsing to a folder which contains the malicious files, where the evince thumbnailer will load the malicious file to generate a thumbnail for it. Acknowledgements: Red Hat would like to thank the Evince development team for reporting this issue. Upstream acknowledges Jon Larimer of IBM X-Force as the original reporter.
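As an added illustration of the bug class this report describes (not code from t1lib, evince, or any of the patches linked in this bug), the token reader below copies one AFM token into a fixed-size buffer with an explicit capacity check that also avoids the off-by-one the later comments mention. Delimiter set, buffer sizes and the in-memory input are constructed assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Simplified, hypothetical AFM token reader: input is a memory buffer rather
 * than a FILE, and the delimiter set is an assumption, not the AFM spec. */
static int is_delim(int c)
{
    return c == ' ' || c == '\n' || c == '\r' || c == '\t' ||
           c == ',' || c == ';' || c == ':';
}

/* Copy the next token from in[*pos..len) into out (cap bytes, NUL included).
 * Returns the token length, or -1 if the token would not fit; then out is
 * left empty and *pos skips the oversized token so the caller can reject it
 * instead of overflowing the heap buffer.
 *
 * An unbounded copy loop is the original overflow. Bounding the loop with
 * idx < cap still lets idx reach cap, so the terminator write out[idx] = 0
 * lands one byte past the buffer (the off-by-one shape). Stopping at cap - 1
 * reserves room for the NUL. */
static int afm_token(const char *in, size_t len, size_t *pos, char *out, size_t cap)
{
    size_t i = *pos, idx = 0;

    if (cap == 0) return -1;
    while (i < len && is_delim((unsigned char)in[i])) i++;   /* skip leading delimiters */

    while (i < len && !is_delim((unsigned char)in[i])) {
        if (idx >= cap - 1) {                 /* last byte is reserved for NUL */
            out[0] = '\0';
            while (i < len && !is_delim((unsigned char)in[i])) i++;
            *pos = i;
            return -1;
        }
        out[idx++] = in[i++];
    }
    out[idx] = '\0';
    *pos = i;
    return (int)idx;
}

/* Parse a "KEY VALUE" AFM line into two fixed buffers. Returns 0 on success,
 * -1 if either token exceeds its buffer (the case that used to overflow). */
static int afm_parse_line(const char *line, char *key, size_t kcap, char *val, size_t vcap)
{
    size_t pos = 0, len = strlen(line);
    if (afm_token(line, len, &pos, key, kcap) < 0) return -1;
    if (afm_token(line, len, &pos, val, vcap) < 0) return -1;
    return 0;
}
```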
Public via: http://git.gnome.org/browse/evince/commit/?id=d4139205b010ed06310d14284e63114e88ec6de2 (afmparse.c change is relevant to this CVE)
Created evince tracking bugs for this issue Affects: fedora-all [bug 667573]
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0009 https://rhn.redhat.com/errata/RHSA-2011-0009.html
This issue affects the versions of the t1lib package, as shipped with Fedora releases 13 and 14. -- This issue affects the versions of the t1lib package, as present within the EPEL-5 repository. Please schedule an update for both cases.
Created t1lib tracking bugs for this issue Affects: fedora-all [bug 679008]
Created t1lib tracking bugs for this issue Affects: epel-5 [bug 679010]
Statement: This issue did not affect the versions of evince as shipped with Red Hat Enterprise Linux 5.
A GNOME BZ bug for the off-by-one issue in the original patch: https://bugzilla.gnome.org/show_bug.cgi?id=643882
Created t1lib tracking bugs for this issue Affects: fedora-all [bug 772899]
(In reply to comment #3)
> Public via:
> http://git.gnome.org/browse/evince/commit/?id=d4139205b010ed06310d14284e63114e88ec6de2

Trying to backport this patch in tetex:
- afmparse.c - no such file in tetex
- looked for "while (ch != EOF && ch != ' ' && ch != lineterm" - nothing found in the whole code base
- dviread.c - no such file in tetex
- looked for "arg = dugetn(dvi, opcode - DVI_XXX1 + 1);" - nothing found in the whole code base
- pk.c - present in xdvi and dvipng - not applicable
- looked for "if(cc < loc)" - nothing found
- tfmfile.c - no such file in tetex
- looked for "if(fstat(fileno(in), &st) < 0)" - nothing found in the whole code base

Trying to backport this patch in texlive:
- afmparse.c - file present in psaux code
- looked for "while (ch != EOF && ch != ' ' && ch != lineterm" - nothing found in the whole code base
- dviread.c - no such file in texlive
- looked for "arg = dugetn(dvi, opcode - DVI_XXX1 + 1);" - nothing found in the whole code base
- pk.c - present in dvipng and xdvik
- looked for "if(cc < loc)" - nothing found
- tfmfile.c - no such file in texlive
- looked for "if(fstat(fileno(in), &st) < 0)" - nothing found in the whole code base

Are you sure it is in any way related to tetex/texlive? Either it is not related to tetex/texlive or the files there are too old.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2012:0062 https://rhn.redhat.com/errata/RHSA-2012-0062.html
t1lib-5.0.2-2 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
t1lib-5.1.1-9.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
t1lib-5.1.2-9.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
t1lib-5.1.2-9.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2012:0137 https://rhn.redhat.com/errata/RHSA-2012-0137.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2012:1201 https://rhn.redhat.com/errata/RHSA-2012-1201.html
Apparently, the same issue was fixed in 2008 in the copy of this code as used in OpenOffice.org and LibreOffice. This fix covers both token() and linetoken() functions (see bug 679732, comment 24), and without introducing the off-by-one problem (comment 16 above, or bug 878483): http://cgit.freedesktop.org/libreoffice/core/commit/?id=8b60389d7c36 There does not seem to be any CVE assigned for the OpenOffice.org fix.