Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0764 to the following vulnerability:

t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, uses an invalid pointer in conjunction with a dereference operation, which allows remote attackers to execute arbitrary code via a crafted Type 1 font in a PDF document, as demonstrated by testz.2184122398.pdf.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764
[2] http://www.securityfocus.com/archive/1/archive/1/517205/100/0/threaded
[3] http://www.toucan-system.com/advisories/tssa-2011-01.txt
[4] http://www.foolabs.com/xpdf/download.html
[5] http://www.kb.cert.org/vuls/id/MAPG-8ECL8X
[6] http://www.kb.cert.org/vuls/id/376500
[7] http://www.securityfocus.com/bid/46941
[8] http://securitytracker.com/id?1025266
[9] http://secunia.com/advisories/43823
[10] http://www.vupen.com/english/advisories/2011/0728
[11] http://xforce.iss.net/xforce/xfdb/66208
Created attachment 550366 [details] better patch
Thank you for the patch. I am building the package with the patch now for rawhide and I will propagate the fix to F16 and F15 next. http://koji.fedoraproject.org/koji/taskinfo?taskID=3615316
Oops, I forgot to give you the credit for the patch in the spec file. My mistake. :-( In order to mitigate this I added a note to the master git spec file but I will not rebuild the packages just for this change.
Created attachment 550422 [details] Combined patch Fixes more invalid reads.
Created attachment 550629 [details] newer patch
(In reply to comment #8)
> Oops, I forgot to give you the credit for the patch in the spec file. My
> mistake. :-(
>
> In order to mitigate this I added a note to the master git spec file but I will
> not rebuild the packages just for this change.

Jose, this is still work in progress and there may be a few more changes to the final patch. Also, we are trying to fix multiple issues in here, so I wouldn't build packages just yet.
Thank you for the heads up. I will wait then before proceeding. :-)
Created attachment 551043 [details] Updated patch Removed probably left-over code fragment, extended "paranoia" NULL ppoints check to the rest of checks (all are probably redundant). The patch is not completed yet.
Created attachment 551723 [details] Updated patch Fixed crash on oversized fonts.
Created t1lib tracking bugs for this issue

Affects: epel-5 [bug 679734]
Affects: fedora-all [bug 772899]
(In reply to comment #17)
> Created attachment 551723 [details]
> Updated patch
>
> Fixed crash on oversized fonts.

BTW, this patch collides with the patch for bug 692853. This one seems more complete as it at least displays an error message.
Jindra, the patch in bug 692853 was my early attempt to fix CVE-2011-1552. It is now deprecated by the patch from comment 17, which should address (as we believe) CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554. I will also backport the patch to t1lib-5.0.2 (which should be trivial).
(In reply to comment #23) > Jindra, the patch in bug 692853 was my early attempt to fix CVE-2011-1552. It > is now deprecated by patch from comment 17 which should address (as we believe) > CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554. I will also > backport the patch to tlib-5.0.2 (which should be trivial). Jardo, the newer patch misses these hunks from the old one: diff -up texlive-2007/libs/type1/type1.c.CVE-2011-1552 texlive-2007/libs/type1/type1.c --- texlive-2007/libs/type1/type1.c.CVE-2011-1552 2006-01-16 01:09:26.000000000 +0100 +++ texlive-2007/libs/type1/type1.c 2012-01-12 13:23:01.949917940 +0100 @@ -1698,6 +1699,7 @@ static int RLineTo(dx, dy) { long pindex = 0; + if (numppoints < 2) return 0; /* compute hinting for previous segment! */ FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy); @@ -1726,6 +1728,7 @@ static int RRCurveTo(dx1, dy1, dx2, dy2, { long pindex = 0; + if (numppoints < 2) return 0; /* compute hinting for previous point! */ FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1); @@ -2148,6 +2154,7 @@ static void FlxProc(c1x2, c1y2, c3x0, c3 DOUBLE ex, ey; + if (numppoints < 8) return; /* Our PPOINT list now contains 7 moveto commands which are about to be consumed by the Flex mechanism. --> Remove these seven elements (their values already reside on the PSFakeStack!) Is it intentional? Thanks.
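Review bot: the guards added in the RLineTo, RRCurveTo and FlxProc hunks test only numppoints and silently return (0 or void) when it is too small; they do not check ppoints itself, so a NULL ppoints paired with a stale numppoints still reaches the ppoints[numppoints-2] dereference in FindStems, and the caller gets a success-looking result with no diagnostic. Suggest checking `ppoints == NULL` as well and signalling an error (as the t1lib Error0i/Error0v macros do) instead of returning quietly; in the RLineTo and RRCurveTo hunks the new check also sits between the "compute hinting for previous segment/point" comment and the FindStems call it describes, so moving it above the comment keeps the comment attached to the right statement.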
(In reply to comment #24) > Jardo, the newer patch misses these hunks from the old one: ... > Is it intentional? Thanks. They were replaced by more robust: @@ -1700,6 +1701,7 @@. long pindex = 0; /* compute hinting for previous segment! */ + if (ppoints == NULL || numppoints < 2 ) Error0i("RLineTo: No previous point!\n"); FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy); /* Allocate a new path point and pre-setup data */ @@ -1728,6 +1730,7 @@. long pindex = 0; /* compute hinting for previous point! */ + if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n"); FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1); /* Allocate three new path points and pre-setup data */ @@ -2152,6 +2159,7 @@. DOUBLE cx, cy; DOUBLE ex, ey; + if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!"); /* Our PPOINT list now contains 7 moveto commands which are about to be consumed by the Flex mechanism. --> Remove these
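Review bot: the three replacement checks now cover both `ppoints == NULL` and the minimum point count, which closes the gap left by the earlier numppoints-only guards, but the error strings are inconsistent: "RLineTo: No previous point!\n" and "RRCurveTo: No previous point!\n" carry a trailing newline while "FlxProc: No previous point!" does not, so the messages will render differently; pick one form for all three. As in the earlier version, the RLineTo and RRCurveTo checks are still inserted after the "compute hinting for previous segment/point" comment rather than before it; placing the guard above the comment would keep the comment next to the FindStems call it explains.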
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:0062 https://rhn.redhat.com/errata/RHSA-2012-0062.html
t1lib-5.0.2-2 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
t1lib-5.1.1-9.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
t1lib-5.1.2-9.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
t1lib-5.1.2-9.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:0137 https://rhn.redhat.com/errata/RHSA-2012-0137.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2012:1201 https://rhn.redhat.com/errata/RHSA-2012-1201.html