Bug 666318 (CVE-2010-2642) - CVE-2010-2642 t1lib: Heap based buffer overflow in DVI file AFM font parser
Summary: CVE-2010-2642 t1lib: Heap based buffer overflow in DVI file AFM font parser
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-2642
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 666323 666324 667573 679008 679010 680005 772899 772900 772901 773177 773178 773180 773183 773184 845624 984476
Blocks: 734178
Reported: 2010-12-30 05:34 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-05-11 16:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-19 21:46:57 UTC
Embargoed:




Links

System                  ID              Private  Priority  Status        Summary                            Last Updated
GNOME Bugzilla          643882          0        None      None          None                               Never
Red Hat Product Errata  RHSA-2011:0009  0        normal    SHIPPED_LIVE  Moderate: evince security update   2011-01-06 18:28:15 UTC
Red Hat Product Errata  RHSA-2012:0062  0        normal    SHIPPED_LIVE  Moderate: t1lib security update    2012-01-25 02:14:35 UTC
Red Hat Product Errata  RHSA-2012:0137  0        normal    SHIPPED_LIVE  Moderate: texlive security update  2012-02-15 21:19:33 UTC
Red Hat Product Errata  RHSA-2012:1201  0        normal    SHIPPED_LIVE  Moderate: tetex security update    2012-08-23 18:55:35 UTC

Description Huzaifa S. Sidhpurwala 2010-12-30 05:34:05 UTC
A heap based buffer overflow was found in the parser for AFM font files, 
which are used for rendering DVI files in GNOME evince document viewer.
Due to insufficient bounds checks when writing data to a memory buffer 
allocated on a heap, it may be possible to cause an arbitrary memory 
overwrite, leading to code execution.

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2642 to
this issue.

The vulnerability is present in the code that handles loading of fonts used by
DVI files. To exploit you need two files, a DVI file and the malicious font.
The vulnerability is triggered not only by opening the document in evince, but
also by browsing to a folder which contains the malicious files, where evince
thumbnailer will load the malicious file to generate a thumbnail for it.

Acknowledgements:

Red Hat would like to thank the Evince development team for reporting this issue. Upstream acknowledges Jon Larimer of IBM X-Force as the original reporter.

Comment 3 Huzaifa S. Sidhpurwala 2011-01-06 02:52:44 UTC
Public via:
http://git.gnome.org/browse/evince/commit/?id=d4139205b010ed06310d14284e63114e88ec6de2

(afmparse.c change is relevant to this CVE)

Comment 4 Huzaifa S. Sidhpurwala 2011-01-06 03:01:43 UTC
Created evince tracking bugs for this issue

Affects: fedora-all [bug 667573]

Comment 5 errata-xmlrpc 2011-01-06 18:28:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0009 https://rhn.redhat.com/errata/RHSA-2011-0009.html

Comment 8 Jan Lieskovsky 2011-02-21 09:36:12 UTC
This issue affects the versions of the t1lib package, as shipped
with Fedora release of 13 and 14.

--

This issue affects the versions of the t1lib package, as present
within EPEL-5 repository.

Please schedule an update for both cases.

Comment 10 Jan Lieskovsky 2011-02-21 09:37:21 UTC
Created t1lib tracking bugs for this issue

Affects: fedora-all [bug 679008]

Comment 11 Jan Lieskovsky 2011-02-21 09:38:19 UTC
Created t1lib tracking bugs for this issue

Affects: epel-5 [bug 679010]

Comment 14 Huzaifa S. Sidhpurwala 2011-02-25 07:11:34 UTC
Statement:

This issue did not affect the versions of evince as shipped with Red Hat Enterprise Linux 5.

Comment 16 Tomas Hoger 2011-03-04 16:09:08 UTC
A gnome BZ bug for the off-by-one issue in the original patch:
  https://bugzilla.gnome.org/show_bug.cgi?id=643882

Comment 18 Huzaifa S. Sidhpurwala 2012-01-10 09:39:58 UTC
Created t1lib tracking bugs for this issue

Affects: fedora-all [bug 772899]

Comment 21 Jindrich Novy 2012-01-12 12:01:07 UTC
(In reply to comment #3)
> Public via:
> http://git.gnome.org/browse/evince/commit/?id=d4139205b010ed06310d14284e63114e88ec6de2

Trying to backport this patch in tetex:

- afmparse.c
  - no such file in tetex
  - looked for "while (ch != EOF && ch != ' ' && ch != lineterm" - nothing 
    found in the whole code base
- dviread.c
  - no such file in tetex
  - looked for "arg = dugetn(dvi, opcode - DVI_XXX1 + 1);" - nothing 
    found in the whole code base
- pk.c
  - present in xdvi and dvipng - not applicable
  - looked for "if(cc < loc)" - nothing found
- tfmfile.c
  - no such file in tetex
  - looked for "if(fstat(fileno(in), &st) < 0)" - nothing 
    found in the whole code base

Trying to backport this patch in texlive:

- afmparse.c
  - file present in psaux code
  - looked for "while (ch != EOF && ch != ' ' && ch != lineterm" - nothing 
    found in the whole code base
- dviread.c
  - no such file in texlive
  - looked for "arg = dugetn(dvi, opcode - DVI_XXX1 + 1);" - nothing 
    found in the whole code base
- pk.c
  - present in dvipng xdvik
  - looked for "if(cc < loc)" - nothing found
- tfmfile.c
  - no such file in texlive
  - looked for "if(fstat(fileno(in), &st) < 0)" - nothing 
    found in the whole code base

Are you sure it is anyhow related to tetex/texlive? Either it is not related to tetex/texlive or the files there are too old.

Comment 23 errata-xmlrpc 2012-01-24 21:17:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0062 https://rhn.redhat.com/errata/RHSA-2012-0062.html

Comment 24 Fedora Update System 2012-01-27 19:19:12 UTC
t1lib-5.0.2-2 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2012-01-27 19:20:59 UTC
t1lib-5.1.1-9.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2012-01-28 03:22:57 UTC
t1lib-5.1.2-9.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2012-01-28 03:28:03 UTC
t1lib-5.1.2-9.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 errata-xmlrpc 2012-02-15 16:20:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0137 https://rhn.redhat.com/errata/RHSA-2012-0137.html

Comment 29 errata-xmlrpc 2012-08-23 14:58:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1201 https://rhn.redhat.com/errata/RHSA-2012-1201.html

Comment 30 Tomas Hoger 2012-11-23 13:30:26 UTC
Apparently, the same issue was fixed in 2008 in the copy of this code as used in OpenOffice.org and LibreOffice.  This fix covers both token() and linetoken() functions (see bug 679732, comment 24), and without introducing the off-by-one problem (comment 16 above, or bug 878483):

http://cgit.freedesktop.org/libreoffice/core/commit/?id=8b60389d7c36

There does not seem to be any CVE assigned for the OpenOffice.org fix.
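As an added illustration of the bug class the description and comments 16 and 30 describe (constructed here, not t1lib, evince or LibreOffice code): an AFM-style token reader that copies characters into a fixed buffer until a space or line terminator, once with an off-by-one bound that still writes the terminator one byte past the buffer, and once with the correct bound that leaves room for the terminator and rejects oversized tokens. The function names, the declared buffer size and the guard-byte harness are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

#define DECLARED 8      /* size the parser believes its token buffer has */
#define GUARD 0xA5      /* sentinel byte placed right after the declared buffer */

/* Off-by-one bound: the loop stops after `cap` characters, but the NUL
 * terminator then lands at buf[cap], one byte past the declared buffer.
 * Dropping the `i < cap` test entirely gives the original unbounded write. */
static int token_offbyone(const char *src, char *buf, size_t cap, char lineterm)
{
    size_t i = 0;
    while (src[i] != '\0' && src[i] != ' ' && src[i] != lineterm && i < cap) {
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';
    return (int)i;
}

/* Correct bound: keep one byte for the terminator, and reject a token that
 * does not fit instead of silently truncating it (a malformed font should
 * fail to parse, not parse differently). Returns the length or -1. */
static int token_fixed(const char *src, char *buf, size_t cap, char lineterm)
{
    size_t i = 0;
    while (src[i] != '\0' && src[i] != ' ' && src[i] != lineterm) {
        if (i + 1 >= cap)
            return -1;
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';
    return (int)i;
}

/* Harness (constructed): the real storage is larger than DECLARED so the
 * extra write stays inside memory we own (no undefined behaviour in this
 * demo); returns 1 if the byte just past the declared buffer was overwritten. */
static int guard_clobbered(int (*reader)(const char *, char *, size_t, char),
                           const char *src)
{
    char storage[DECLARED + 8];
    memset(storage, GUARD, sizeof storage);
    reader(src, storage, DECLARED, '\n');
    return (unsigned char)storage[DECLARED] != GUARD;
}
```

A token of exactly DECLARED characters is the case that separates the two variants: the off-by-one reader clobbers the guard byte, the fixed reader returns -1 without touching it.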
