Bug 1218365 (CVE-2015-3905) - CVE-2015-3905 t1utils: buffer overflow flaw
Summary: CVE-2015-3905 t1utils: buffer overflow flaw
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-3905
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1218366 1218367
Blocks: 1220681
Reported: 2015-05-04 17:58 UTC by Martin Prpič
Modified: 2021-06-11 21:04 UTC (History)

Fixed In Version: t1utils 1.39
Clone Of:
Environment:
Last Closed: 2021-06-11 21:04:03 UTC
Embargoed:



Description Martin Prpič 2015-05-04 17:58:30 UTC
The 1.39 release of t1utils fixed a buffer overflow flaw:

https://github.com/kohler/t1utils/blob/master/NEWS

Additional details (including a reproducer):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274

Comment 1 Martin Prpič 2015-05-04 17:59:03 UTC
Created t1utils tracking bugs for this issue:

Affects: fedora-all [bug 1218366]
Affects: epel-all [bug 1218367]

Comment 2 Robert Scheck 2015-05-09 14:01:54 UTC
Martin, this is not really epel-all, the "t1utils" package is part of RHEL 7,
thus I am unpushing my EPEL 7 update now. This flaw also needs to be fixed in
RHEL 7.

Comment 3 Robert Scheck 2015-05-09 14:02:26 UTC
See also bug #1218367 comment #6 and #7

Comment 4 Fedora Update System 2015-05-11 19:02:30 UTC
t1utils-1.39-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Martin Prpič 2015-05-12 08:02:44 UTC
(In reply to Robert Scheck from comment #2)
> Martin, this is not really epel-all, the "t1utils" package is part of RHEL 7,
> thus I am unpushing my EPEL 7 update now. This flaw also needs to be fixed in
> RHEL 7.

Thanks, Robert. I amended the whiteboard. This package should also be removed from EPEL 7 then.

Comment 6 Robert Scheck 2015-05-12 18:21:50 UTC
(In reply to Martin Prpic from comment #5)
> Thanks, Robert. I amended the whiteboard. This package should also be
> removed from EPEL 7 then.

Yes. Is t1utils part of all RHEL architectures that EPEL supports? Or just
the usual x86_64 thing? Otherwise I would have to import the RHEL srpm for
EPEL ppc64.

Comment 7 Stefan Cornelius 2015-05-13 06:36:18 UTC
This may be more critical than expected. It's a global buffer overflow, which none of the usual buffer overflow stoppers seem to catch.

In t1disasm.c:

global variables:
>     76 static FILE *ofp;
>     77 static int lenIV = 4;
>     78 static char cs_start[10];
>     79 static int unknown = 0;

>    105 set_cs_start(char *line)
>    106 {
>    107   char *p, *q, *r;
>    108 
>    109   if ((p = strstr(line, "string currentfile"))) {
>    110     /* enforce presence of `readstring' -- 5/29/99 */
>    111     if (!strstr(line, "readstring"))
>    112       return;
>    113     /* locate the name of the charstring start command */
>    114     *p = '\0';					  /* damage line[] */
>    115     q = strrchr(line, '/');
>    116     if (q) {
>    117       r = cs_start;
>    118       ++q;
>    119       while (!isspace(*q) && *q != '{')
>    120 	*r++ = *q++;
>    121       *r = '\0';
>    122     }
>    123     *p = 's';					  /* repair line[] */
>    124   }
>    125 }

The interesting parts are line 119 and 120. The loop will continue to copy whatever is in line into the global cs_start until a space-ish or '{' character is encountered, without paying any attention to the buffer space available in cs_start. This allows for FILE* ofp to be overwritten. This might be enough to gain code execution, although I haven't confirmed that part.

For now I'm bumping this up to moderate.
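A bounded rewrite of the copy loop at lines 119 and 120, added here as an illustration (it is neither t1utils code nor the upstream patch): the destination size is passed explicitly, the scan never runs past the "string currentfile" token, and an over-long name is rejected rather than written past the end of cs_start. The function name, the CS_START_SIZE constant and the sample lines are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Same size as the global cs_start[10] quoted above. In the original, the
   copy loop has no such bound, so a long name runs into whatever static
   the linker placed after cs_start (the FILE *ofp mentioned in comment 7). */
#define CS_START_SIZE 10

/* Bounded replacement for set_cs_start's copy loop (hypothetical name).
   Finds the name following the last '/' before "string currentfile",
   copies it into dst up to whitespace or '{', and returns 0 on success.
   Returns -1 (dst left empty) if the line is not a charstring-start
   definition or the name does not fit, so the caller can reject the
   input instead of silently truncating or overflowing. */
static int extract_cs_start(const char *line, char *dst, size_t dst_size)
{
    const char *p = strstr(line, "string currentfile");
    const char *q = NULL, *end;
    size_t n;

    if (dst_size == 0)
        return -1;
    dst[0] = '\0';
    /* same precondition as the original: require `readstring' */
    if (!p || !strstr(line, "readstring"))
        return -1;
    /* last '/' before p, found without writing a NUL into line[] */
    for (const char *s = line; s < p; s++)
        if (*s == '/')
            q = s;
    if (!q)
        return -1;
    ++q;
    /* stop at whitespace, '{', or the "string" token itself */
    for (end = q; end < p && !isspace((unsigned char)*end) && *end != '{'; end++)
        ;
    n = (size_t)(end - q);
    if (n >= dst_size)          /* no room for name plus terminator */
        return -1;
    memcpy(dst, q, n);
    dst[n] = '\0';
    return 0;
}
```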

Comment 9 Stefan Cornelius 2015-05-15 09:03:20 UTC
Upstream patch:
https://github.com/kohler/t1utils/commit/6b9d1aafcb61a3663c883663eb19ccdbfcde8d33

Comment 10 Stefan Cornelius 2015-05-15 09:04:58 UTC
Statement:

Red Hat Product Security has rated this issue as having moderate security impact, a future update may address this flaw in t1utils.

Comment 11 Fedora Update System 2015-05-17 06:39:08 UTC
t1utils-1.39-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-05-17 06:39:19 UTC
t1utils-1.39-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2015-05-21 05:12:03 UTC
t1utils-1.39-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-05-21 05:12:56 UTC
t1utils-1.39-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Product Security DevOps Team 2021-06-11 21:04:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-3905

