The 1.39 release of t1utils fixed a buffer overflow flaw:

https://github.com/kohler/t1utils/blob/master/NEWS

Additional details (including a reproducer):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274
Created t1utils tracking bugs for this issue:

Affects: fedora-all [bug 1218366]
Affects: epel-all [bug 1218367]
Martin, this is not really epel-all, the "t1utils" package is part of RHEL 7, thus I am unpushing my EPEL 7 update now. This flaw also needs to be fixed in RHEL 7.
See also bug #1218367, comments #6 and #7.
t1utils-1.39-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Robert Scheck from comment #2)
> Martin, this is not really epel-all, the "t1utils" package is part of RHEL 7,
> thus I am unpushing my EPEL 7 update now. This flaw also needs to be fixed in
> RHEL 7.

Thanks, Robert. I amended the whiteboard. This package should also be removed from EPEL 7 then.
(In reply to Martin Prpic from comment #5)
> Thanks, Robert. I amended the whiteboard. This package should also be
> removed from EPEL 7 then.

Yes. Is t1utils part of all RHEL architectures that EPEL supports? Or just the usual x86_64 thing? Otherwise I would have to import the RHEL srpm for EPEL ppc64.
This may be more critical than expected. It's a global buffer overflow, which none of the usual buffer overflow stoppers seem to catch.

In t1disasm.c, global variables:

> 76 static FILE *ofp;
> 77 static int lenIV = 4;
> 78 static char cs_start[10];
> 79 static int unknown = 0;

> 105 set_cs_start(char *line)
> 106 {
> 107   char *p, *q, *r;
> 108
> 109   if ((p = strstr(line, "string currentfile"))) {
> 110     /* enforce presence of `readstring' -- 5/29/99 */
> 111     if (!strstr(line, "readstring"))
> 112       return;
> 113     /* locate the name of the charstring start command */
> 114     *p = '\0';                  /* damage line[] */
> 115     q = strrchr(line, '/');
> 116     if (q) {
> 117       r = cs_start;
> 118       ++q;
> 119       while (!isspace(*q) && *q != '{')
> 120         *r++ = *q++;
> 121       *r = '\0';
> 122     }
> 123     *p = 's';                   /* repair line[] */
> 124   }
> 125 }

The interesting parts are lines 119 and 120. The loop will continue to copy whatever is in line into the global cs_start until a space-ish or '{' character is encountered, without paying any attention to the buffer space available in cs_start. This allows for FILE* ofp to be overwritten. This might be enough to gain code execution, although I haven't confirmed that part. For now I'm bumping this up to moderate.
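For comparison, a bounds-checked rewrite of the routine above, added here as an illustration; it is not the upstream patch and the names set_cs_start_safe and ofp_intact are made up for this example. It keeps the same neighbouring globals (ofp next to cs_start) and rejects a name that does not fit instead of writing past the array.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Same neighbours as in t1disasm.c: cs_start sits right next to ofp, so an
   unbounded copy into cs_start can reach the FILE pointer. */
static FILE *ofp;
static char cs_start[10];

/* Bounds-checked variant of set_cs_start (hypothetical name, not upstream's
   code). Returns 1 when a name was stored, 0 when the line does not match,
   and -1 when the name would not fit; cs_start is then left empty and no
   byte is ever written beyond it. */
int set_cs_start_safe(char *line)
{
  char *p, *q, *r;
  const char *end = cs_start + sizeof(cs_start) - 1; /* room for the NUL */
  int rc = 0;

  if (!(p = strstr(line, "string currentfile")))
    return 0;
  if (!strstr(line, "readstring"))      /* same requirement as the original */
    return 0;
  *p = '\0';                            /* damage line[] so strrchr stops here */
  if ((q = strrchr(line, '/'))) {
    rc = 1;
    r = cs_start;
    ++q;
    /* also stop at NUL, so the copy can never run past the damaged line */
    while (*q && !isspace((unsigned char)*q) && *q != '{') {
      if (r == end) {                   /* would overflow cs_start: reject */
        rc = -1;
        break;
      }
      *r++ = *q++;
    }
    if (rc < 0)
      cs_start[0] = '\0';
    else
      *r = '\0';
  }
  *p = 's';                             /* repair line[] */
  return rc;
}

/* Check used by callers: after parsing, the neighbouring FILE pointer is untouched. */
int ofp_intact(void) { return ofp == stdout; }
```

With a name longer than nine bytes the function returns -1, cs_start is empty, and ofp keeps its value; the original loop would instead have kept copying into ofp.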
Upstream patch: https://github.com/kohler/t1utils/commit/6b9d1aafcb61a3663c883663eb19ccdbfcde8d33
Statement: Red Hat Product Security has rated this issue as having moderate security impact; a future update may address this flaw in t1utils.
t1utils-1.39-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
t1utils-1.39-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
t1utils-1.39-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
t1utils-1.39-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-3905