Bug 666318 - (CVE-2010-2642) CVE-2010-2642 t1lib: Heap based buffer overflow in DVI file AFM font parser
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware/OS: All / Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20110105,reported=20101229,sou...
Keywords: Security
Depends On: 666323 666324 667573 679008 679010 680005 772899 772900 772901 773177 773178 773180 773183 773184 845624 984476
Blocks: 734178
Reported: 2010-12-30 00:34 EST by Huzaifa S. Sidhpurwala
Modified: 2016-03-04 06:12 EST (History)

Doc Type: Bug Fix
External Trackers: GNOME Desktop 643882
Description Huzaifa S. Sidhpurwala 2010-12-30 00:34:05 EST
A heap-based buffer overflow was found in the parser for AFM font files,
which are used for rendering DVI files in the GNOME evince document viewer.
Due to insufficient bounds checks when writing data to a memory buffer
allocated on the heap, it may be possible to cause an arbitrary memory
overwrite, leading to code execution.

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2642 to
this issue.

The vulnerability is present in the code that handles loading of fonts used by
DVI files. To exploit it, you need two files: a DVI file and the malicious font.
The vulnerability is triggered not only by opening the document in evince, but
also by browsing to a folder which contains the malicious files, where the evince
thumbnailer will load the malicious file to generate a thumbnail for it.

Acknowledgements:

Red Hat would like to thank the Evince development team for reporting this issue. Upstream acknowledges Jon Larimer of IBM X-Force as the original reporter.
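The following C program is an added illustration of the bug class described above and is not code from t1lib, evince or this bug report. It models an AFM token loop that copies a whitespace-delimited token into a fixed-size heap buffer in three variants: the unchecked copy the description refers to, a fix with the kind of off-by-one the thread later discusses (comment 16), and a correct check that keeps room for the terminating NUL. The names afm_token, overruns, hardened_len, the BOUND_* modes and the buffer size AFM_NAME_CAP are assumptions chosen for the example; the sample "FontName" line is constructed. Instead of actually corrupting the heap, the variants write into a scratch area large enough to finish, and the highest index written is compared with the nominal capacity.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Nominal size of the heap buffer a token is copied into.  Assumed for
 * this illustration; it is not t1lib's constant. */
#define AFM_NAME_CAP 16

/* Three bounds-check policies: the unchecked copy, an off-by-one check
 * that forgets the terminating NUL, and a correct check. */
enum bound_mode { BOUND_NONE, BOUND_OFF_BY_ONE, BOUND_CORRECT };

/* Copies one token (delimited by space, newline or end of input) from `in`
 * into `out`, which nominally holds `cap` bytes.  Returns the token length,
 * or -1 when BOUND_CORRECT rejects a token that would not fit with its NUL.
 * `*high` receives the highest index of `out` written, so a caller can
 * compare it against `cap` without relying on undefined behaviour. */
static int afm_token(const char *in, char *out, size_t cap,
                     enum bound_mode mode, size_t *high)
{
    size_t i = 0;
    *high = 0;
    while (*in != '\0' && *in != ' ' && *in != '\n') {
        if (mode == BOUND_OFF_BY_ONE && i >= cap)
            break;          /* stops copying, but the NUL below lands at out[cap] */
        if (mode == BOUND_CORRECT && i >= cap - 1) {
            out[i] = '\0';  /* cap - 1 is the last valid index; reject the token */
            *high = i;
            return -1;
        }
        out[i] = *in++;
        *high = i;
        i++;
    }
    out[i] = '\0';
    *high = i;
    return (int)i;
}

/* Runs `token` through one policy with a nominal capacity of AFM_NAME_CAP
 * and returns 1 if any byte landed at index >= AFM_NAME_CAP.  The scratch
 * area is sized so even the unchecked variant stays inside it. */
static int overruns(const char *token, enum bound_mode mode)
{
    size_t high;
    char *scratch = calloc(strlen(token) + AFM_NAME_CAP + 2, 1);
    if (scratch == NULL)
        return -1;
    afm_token(token, scratch, AFM_NAME_CAP, mode, &high);
    free(scratch);
    return high >= AFM_NAME_CAP;
}

/* Length the hardened variant reports for `in`, or -1 if it rejects it. */
static int hardened_len(const char *in)
{
    char buf[AFM_NAME_CAP];
    size_t high;
    return afm_token(in, buf, AFM_NAME_CAP, BOUND_CORRECT, &high);
}

int main(void)
{
    /* Constructed AFM-style key/value line; the value is longer than AFM_NAME_CAP. */
    const char *line = "FontName AAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    const char *value = strchr(line, ' ') + 1;
    printf("unchecked copy   overruns: %d\n", overruns(value, BOUND_NONE));
    printf("off-by-one check overruns: %d\n", overruns(value, BOUND_OFF_BY_ONE));
    printf("correct check    overruns: %d\n", overruns(value, BOUND_CORRECT));
    printf("hardened_len(\"FontName\") = %d\n", hardened_len("FontName"));
    return 0;
}
```

The off-by-one variant only misbehaves for tokens of exactly AFM_NAME_CAP characters or longer, and then by a single byte (the NUL), which is why such a fix can pass casual testing with short font names and still leave a heap write one byte past the allocation.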
Comment 3 Huzaifa S. Sidhpurwala 2011-01-05 21:52:44 EST
Public via:
http://git.gnome.org/browse/evince/commit/?id=d4139205b010ed06310d14284e63114e88ec6de2

(afmparse.c change is relevant to this CVE)
Comment 4 Huzaifa S. Sidhpurwala 2011-01-05 22:01:43 EST
Created evince tracking bugs for this issue

Affects: fedora-all [bug 667573]
Comment 5 errata-xmlrpc 2011-01-06 13:28:26 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0009 https://rhn.redhat.com/errata/RHSA-2011-0009.html
Comment 8 Jan Lieskovsky 2011-02-21 04:36:12 EST
This issue affects the versions of the t1lib package, as shipped
with Fedora releases 13 and 14.

--

This issue affects the versions of the t1lib package, as present
within EPEL-5 repository.

Please schedule an update for both cases.
Comment 10 Jan Lieskovsky 2011-02-21 04:37:21 EST
Created t1lib tracking bugs for this issue

Affects: fedora-all [bug 679008]
Comment 11 Jan Lieskovsky 2011-02-21 04:38:19 EST
Created t1lib tracking bugs for this issue

Affects: epel-5 [bug 679010]
Comment 14 Huzaifa S. Sidhpurwala 2011-02-25 02:11:34 EST
Statement:

This issue did not affect the versions of evince as shipped with Red Hat Enterprise Linux 5.
Comment 16 Tomas Hoger 2011-03-04 11:09:08 EST
A gnome BZ bug for the off-by-one issue in the original patch:
  https://bugzilla.gnome.org/show_bug.cgi?id=643882
Comment 18 Huzaifa S. Sidhpurwala 2012-01-10 04:39:58 EST
Created t1lib tracking bugs for this issue

Affects: fedora-all [bug 772899]
Comment 21 Jindrich Novy 2012-01-12 07:01:07 EST
(In reply to comment #3)
> Public via:
> http://git.gnome.org/browse/evince/commit/?id=d4139205b010ed06310d14284e63114e88ec6de2

Trying to backport this patch in tetex:

- afmparse.c
  - no such file in tetex
  - looked for "while (ch != EOF && ch != ' ' && ch != lineterm" - nothing 
    found in the whole code base
- dviread.c
  - no such file in tetex
  - looked for "arg = dugetn(dvi, opcode - DVI_XXX1 + 1);" - nothing 
    found in the whole code base
- pk.c
  - present in xdvi and dvipng - not applicable
  - looked for "if(cc < loc)" - nothing found
- tfmfile.c
  - no such file in tetex
  - looked for "if(fstat(fileno(in), &st) < 0)" - nothing 
    found in the whole code base

Trying to backport this patch in texlive:

- afmparse.c
  - file present in psaux code
  - looked for "while (ch != EOF && ch != ' ' && ch != lineterm" - nothing 
    found in the whole code base
- dviread.c
  - no such file in texlive
  - looked for "arg = dugetn(dvi, opcode - DVI_XXX1 + 1);" - nothing 
    found in the whole code base
- pk.c
  - present in dvipng xdvik
  - looked for "if(cc < loc)" - nothing found
- tfmfile.c
  - no such file in texlive
  - looked for "if(fstat(fileno(in), &st) < 0)" - nothing 
    found in the whole code base

Are you sure it is in any way related to tetex/texlive? Either it is not related to tetex/texlive or the files there are too old.
Comment 23 errata-xmlrpc 2012-01-24 16:17:23 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0062 https://rhn.redhat.com/errata/RHSA-2012-0062.html
Comment 24 Fedora Update System 2012-01-27 14:19:12 EST
t1lib-5.0.2-2 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2012-01-27 14:20:59 EST
t1lib-5.1.1-9.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2012-01-27 22:22:57 EST
t1lib-5.1.2-9.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2012-01-27 22:28:03 EST
t1lib-5.1.2-9.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 28 errata-xmlrpc 2012-02-15 11:20:37 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0137 https://rhn.redhat.com/errata/RHSA-2012-0137.html
Comment 29 errata-xmlrpc 2012-08-23 10:58:11 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1201 https://rhn.redhat.com/errata/RHSA-2012-1201.html
Comment 30 Tomas Hoger 2012-11-23 08:30:26 EST
Apparently, the same issue was fixed in 2008 in the copy of this code as used in OpenOffice.org and LibreOffice.  This fix covers both token() and linetoken() functions (see bug 679732, comment 24), and without introducing the off-by-one problem (comment 16 above, or bug 878483):

http://cgit.freedesktop.org/libreoffice/core/commit/?id=8b60389d7c36

There does not seem to be any CVE assigned for the OpenOffice.org fix.
