Bug 692909 (CVE-2011-0764) - CVE-2011-0764 t1lib: Invalid pointer dereference via crafted Type 1 font
Summary: CVE-2011-0764 t1lib: Invalid pointer dereference via crafted Type 1 font
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-0764
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 679734 772899 772900 772901 773177 773178 773180 773183 773184 845624 984476
Blocks: 734178
TreeView+ depends on / blocked
 
Reported: 2011-04-01 15:24 UTC by Jan Lieskovsky
Modified: 2021-10-19 21:48 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-19 21:48:10 UTC
Embargoed:

Attachments (Terms of Use)
better patch (1.43 KB, patch)
2012-01-03 06:36 UTC, Huzaifa S. Sidhpurwala 		no flags Details | Diff
Combined patch (3.21 KB, patch)
2012-01-03 14:00 UTC, Jaroslav Škarvada 		no flags Details | Diff
newer patch (3.59 KB, patch)
2012-01-04 08:45 UTC, Huzaifa S. Sidhpurwala 		no flags Details | Diff
Updated patch (3.06 KB, patch)
2012-01-05 23:46 UTC, Jaroslav Škarvada 		no flags Details | Diff
Updated patch (4.75 KB, patch)
2012-01-10 00:08 UTC, Jaroslav Škarvada 		no flags Details | Diff
Show Obsolete (4) View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0062 0 normal SHIPPED_LIVE Moderate: t1lib security update 2012-01-25 02:14:35 UTC
Red Hat Product Errata RHSA-2012:0137 0 normal SHIPPED_LIVE Moderate: texlive security update 2012-02-15 21:19:33 UTC
Red Hat Product Errata RHSA-2012:1201 0 normal SHIPPED_LIVE Moderate: tetex security update 2012-08-23 18:55:35 UTC

Description Jan Lieskovsky 2011-04-01 15:24:52 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0764 to
the following vulnerability:

t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other
products, uses an invalid pointer in conjunction with a dereference
operation, which allows remote attackers to execute arbitrary code via
a crafted Type 1 font in a PDF document, as demonstrated by
testz.2184122398.pdf.

References:
[1]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764 
[2]  http://www.securityfocus.com/archive/1/archive/1/517205/100/0/threaded
[3]  http://www.toucan-system.com/advisories/tssa-2011-01.txt 
[4]  http://www.foolabs.com/xpdf/download.html
[5]  http://www.kb.cert.org/vuls/id/MAPG-8ECL8X
[6]  http://www.kb.cert.org/vuls/id/376500
[7]  http://www.securityfocus.com/bid/46941
[8]  http://securitytracker.com/id?1025266
[9]  http://secunia.com/advisories/43823
[10] http://www.vupen.com/english/advisories/2011/0728
[11] http://xforce.iss.net/xforce/xfdb/66208
Comment 6 Huzaifa S. Sidhpurwala 2012-01-03 06:36:28 UTC 
Created attachment 550366 [details]
better patch
Comment 7 José Matos 2012-01-03 12:13:34 UTC 
Thank you for the patch.

I am building the package with the patch now for rawhide and I will propagate the fix to F16 and F15 next.

http://koji.fedoraproject.org/koji/taskinfo?taskID=3615316
Comment 8 José Matos 2012-01-03 13:16:35 UTC 
Oops, I forgot to give you the credit for the patch in the spec file. My mistake. :-(

In order to mitigate this I added a note to the master git spec file but I will not rebuild the packages just for this change.
Comment 9 Jaroslav Škarvada 2012-01-03 14:00:47 UTC 
Created attachment 550422 [details]
Combined patch

Fixes more invalid reads.
Comment 11 Huzaifa S. Sidhpurwala 2012-01-04 08:45:13 UTC 
Created attachment 550629 [details]
newer patch
Comment 12 Huzaifa S. Sidhpurwala 2012-01-04 08:46:56 UTC 
(In reply to comment #8)
> Oops, I forgot to give you the credit for the patch in the spec file. My
> mistake. :-(
> 
> In order to mitigate this I added a note to the master git spec file but I will
> not rebuild the packages just for this change.

Jose,
This is still work is progress and there may be a few more changes to the final patch, Also we are trying to fix multiple issues in here. So i wouldnt build packages just yet.
Comment 14 José Matos 2012-01-04 11:17:04 UTC 
Thank you for the heads up.

I will wait then before proceeding. :-)
Comment 16 Jaroslav Škarvada 2012-01-05 23:46:56 UTC 
Created attachment 551043 [details]
Updated patch

Removed probably left-over code fragment, extended "paranoia" NULL ppoints check to the rest of checks (all are probably redundant). The patch is not completed yet.
Comment 17 Jaroslav Škarvada 2012-01-10 00:08:18 UTC 
Created attachment 551723 [details]
Updated patch

Fixed crash on oversized fonts.
Comment 19 Huzaifa S. Sidhpurwala 2012-01-10 09:42:29 UTC 
Created t1lib tracking bugs for this issue

Affects: epel-5 [bug 679734]
Affects: fedora-all [bug 772899]
Comment 22 Jindrich Novy 2012-01-12 12:46:59 UTC 
(In reply to comment #17)
> Created attachment 551723 [details]
> Updated patch
> 
> Fixed crash on oversized fonts.

BTW. this patch collides with the patch for bug 692853. This one seems more complete as it at least displays an error message.
Comment 23 Jaroslav Škarvada 2012-01-12 13:34:14 UTC 
Jindra, the patch in bug 692853 was my early attempt to fix CVE-2011-1552. It is now deprecated by patch from comment 17 which should address (as we believe) CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554. I will also backport the patch to tlib-5.0.2 (which should be trivial).
Comment 24 Jindrich Novy 2012-01-12 14:39:20 UTC 
(In reply to comment #23)
> Jindra, the patch in bug 692853 was my early attempt to fix CVE-2011-1552. It
> is now deprecated by patch from comment 17 which should address (as we believe)
> CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554. I will also
> backport the patch to tlib-5.0.2 (which should be trivial).

Jardo, the newer patch misses these hunks from the old one:

diff -up texlive-2007/libs/type1/type1.c.CVE-2011-1552 texlive-2007/libs/type1/type1.c
--- texlive-2007/libs/type1/type1.c.CVE-2011-1552       2006-01-16 01:09:26.000000000 +0100
+++ texlive-2007/libs/type1/type1.c     2012-01-12 13:23:01.949917940 +0100
@@ -1698,6 +1699,7 @@ static int RLineTo(dx, dy)
 {
   long pindex = 0;

+  if (numppoints < 2) return 0;
   /* compute hinting for previous segment! */
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);

@@ -1726,6 +1728,7 @@ static int RRCurveTo(dx1, dy1, dx2, dy2,
 {
   long pindex = 0;

+  if (numppoints < 2) return 0;
   /* compute hinting for previous point! */
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);

@@ -2148,6 +2154,7 @@ static void FlxProc(c1x2, c1y2, c3x0, c3
   DOUBLE ex, ey;


+  if (numppoints < 8) return;
   /* Our PPOINT list now contains 7 moveto commands which
      are about to be consumed by the Flex mechanism. --> Remove these
      seven elements (their values already reside on the PSFakeStack!)

Is it intentional? Thanks.
Comment 25 Jaroslav Škarvada 2012-01-12 15:08:08 UTC 
(In reply to comment #24)
> Jardo, the newer patch misses these hunks from the old one:
...
> Is it intentional? Thanks.

They were replaced by more robust:

@@ -1700,6 +1701,7 @@.
   long pindex = 0;
   
   /* compute hinting for previous segment! */
+  if (ppoints == NULL || numppoints < 2 ) Error0i("RLineTo: No previous point!\n");
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
 
   /* Allocate a new path point and pre-setup data */
@@ -1728,6 +1730,7 @@.
   long pindex = 0;
   
   /* compute hinting for previous point! */
+  if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n");
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
 
   /* Allocate three new path points and pre-setup data */
@@ -2152,6 +2159,7 @@.
   DOUBLE cx, cy;
   DOUBLE ex, ey;
 
+  if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!");
 
   /* Our PPOINT list now contains 7 moveto commands which
      are about to be consumed by the Flex mechanism. --> Remove these
Comment 26 errata-xmlrpc 2012-01-24 21:17:39 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0062 https://rhn.redhat.com/errata/RHSA-2012-0062.html
Comment 27 Fedora Update System 2012-01-27 19:19:29 UTC 
t1lib-5.0.2-2 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 28 Fedora Update System 2012-01-27 19:21:18 UTC 
t1lib-5.1.1-9.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 29 Fedora Update System 2012-01-28 03:23:12 UTC 
t1lib-5.1.2-9.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2012-01-28 03:28:17 UTC 
t1lib-5.1.2-9.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 31 errata-xmlrpc 2012-02-15 16:21:01 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0137 https://rhn.redhat.com/errata/RHSA-2012-0137.html
Comment 32 errata-xmlrpc 2012-08-23 14:58:30 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1201 https://rhn.redhat.com/errata/RHSA-2012-1201.html
Note You need to log in before you can comment on or make changes to this bug.