Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock t1utils/1.38-4.

This version of t1utils fixes a buffer overflow that can be reliably triggered by a crashed pfb font file, as demonstrated by Jakub Wilk (in #779274). It is my understanding that Jakub concluded that this can be exploited to execute code on CPUs/architectures without the "NX" (No-eXec) flag.

I have decided to patch this with a smaller patch compared to upstream. The upstream version of the fix involves dynamic memory allocation. The 1.38-4 version instead features a simple bounds check and a (vastly) increased buffer size to (hopefully) avoid flagging valid files.

I have uploaded it as urgency medium. It should possibly have been urgency=high.

Thanks,
~Niels
diff -Nru t1utils-1.38/debian/changelog t1utils-1.38/debian/changelog --- t1utils-1.38/debian/changelog 2015-02-22 13:44:09.000000000 +0100 +++ t1utils-1.38/debian/changelog 2015-03-01 22:33:59.000000000 +0100 @@ -1,3 +1,13 @@ +t1utils (1.38-4) unstable; urgency=medium + + * Add bounds check for cs_start buffer. (Closes: #779274) + * Increase the size of cs_start to 1024 from 10 to support + longer values. This is closer to the spirit upstream's + fix that supports arbitrary long values provided the + machine have enough memory. + + -- Niels Thykier <ni...@thykier.net> Sun, 01 Mar 2015 22:30:57 +0100 + t1utils (1.38-3) unstable; urgency=medium * Replace the Debian patch for #772774 with upstreams diff -Nru t1utils-1.38/debian/patches/fix-cs-start-buffer-overflow.patch t1utils-1.38/debian/patches/fix-cs-start-buffer-overflow.patch --- t1utils-1.38/debian/patches/fix-cs-start-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ t1utils-1.38/debian/patches/fix-cs-start-buffer-overflow.patch 2015-03-01 22:46:07.000000000 +0100 
@@ -0,0 +1,45 @@ +Description: Fix buffer overflow in set_cs_start + +Upstream decided to fix this differently by using malloc to +dynamically resize the buffer as needed. Given the size of the +commit, I decided to "keep it simple" and just bail on this issue. + +At the same time, I also increased the buffer size "just incase". +Given 10 has been working without crashes so far, it seems reasonable +to assume that 1024 will be "more than enough" for Jessie. For +Stretch, we will be using the upstream version of the patch and +support arbitrary lengths for cs_start. + +Author: Niels Thykier <ni...@thykier.net> +Bug-Upstream: https://github.com/kohler/t1utils/issues/4 +Forwarded: not-needed + +diff --git a/t1disasm.c b/t1disasm.c +index 5def559..c899985 100644 +--- a/t1disasm.c ++++ b/t1disasm.c +@@ -79,7 +79,7 @@ typedef unsigned char byte; + + static FILE *ofp; + static int lenIV = 4; +-static char cs_start[10]; ++static char cs_start[1024]; + static int unknown = 0; + + /* decryption stuff */ +@@ -118,10 +118,14 @@ set_cs_start(char *line) + *p = '\0'; /* damage line[] */ + q = strrchr(line, '/'); + if (q) { ++ char *limit = cs_start + sizeof(cs_start); + r = cs_start; + ++q; +- while (!isspace(*q) && *q != '{') ++ while (!isspace(*q) && *q != '{' && r < limit) + *r++ = *q++; ++ if (r == limit) { ++ fatal_error("disassembly error: Unsupported file, cs_start value too long"); ++ } + *r = '\0'; + } + *p = 's'; /* repair line[] */ diff -Nru t1utils-1.38/debian/patches/series t1utils-1.38/debian/patches/series --- t1utils-1.38/debian/patches/series 2015-02-22 13:44:09.000000000 +0100 +++ t1utils-1.38/debian/patches/series 2015-03-01 22:30:20.000000000 +0100 @@ -1 +1,2 @@ commit-1b33735.patch +fix-cs-start-buffer-overflow.patch
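Review bot: the changelog entry and the DEP-3 header could be tightened before this lands in jessie. In the changelog hunk, "closer to the spirit upstream's fix" reads as "closer to the spirit of upstream's fix" and "the machine have enough memory" as "the machine has enough memory". In the patch header, the Debian bug that the changelog closes is not recorded; a `Bug-Debian: https://bugs.debian.org/779274` line next to the existing `Bug-Upstream:` would let anyone reading the patch later find the report and Jakub's analysis without going through the changelog.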
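Review bot: in the set_cs_start hunk the new bound is only safe because fatal_error() never returns; if it did, control would fall through to `*r = '\0';` with `r == limit` and write one byte past cs_start. Either make the limit `cs_start + sizeof(cs_start) - 1` so the terminator always fits and the `r == limit` test stays as the error case, or put an explicit `return` after the fatal_error() call so the intent is visible without knowing fatal_error's contract. Separately, the loop condition `while (!isspace(*q) && *q != '{' && r < limit)` still has no end-of-string check: a command name that is not followed by whitespace or `{` before the NUL lets the scan read past the terminator of line[] for up to 1024 bytes (the old code had the same gap at 10 bytes). Adding `*q != '\0'` to the condition closes it, and casting to `isspace((unsigned char)*q)` avoids undefined behaviour on high-bit bytes, which a corrupted font is exactly the kind of input to contain.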
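To show what the "simple bounds check" in the message above buys, here is an added, stand-alone C version of the cs_start extraction that is not the t1utils code or the Debian patch. The function names extract_cs_start, cs_start_of and check_long_name, the cs_status values and the sample font line are assumptions constructed for this example. It goes beyond the hunk in two ways: it reports an error instead of calling fatal_error(), and it also stops at the end of the input, so it never reads past the line it was given.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Same destination size the 1.38-4 patch chooses for cs_start. */
#define CS_START_SIZE 1024

/* Status codes are an assumption for this example (t1disasm has none). */
enum cs_status { CS_TOO_LONG = -1, CS_NOT_FOUND = 0, CS_OK = 1 };

/* Copy the charstring-start command name (the token after the last '/'
 * before "string currentfile") into out[out_size]. Stops at whitespace,
 * '{', the "string" keyword or end of input. Returns CS_TOO_LONG, leaving
 * out empty, instead of ever writing past out. line is never modified. */
int extract_cs_start(const char *line, char *out, size_t out_size)
{
    const char *p = strstr(line, "string currentfile");
    const char *q = NULL, *scan;
    size_t n = 0;

    if (!p)
        return CS_NOT_FOUND;
    if (out_size == 0)
        return CS_TOO_LONG;

    /* last '/' before p, equivalent to the original strrchr on the damaged line */
    for (scan = line; scan < p; scan++)
        if (*scan == '/')
            q = scan;
    if (!q)
        return CS_NOT_FOUND;

    for (q = q + 1; q < p && *q && !isspace((unsigned char)*q) && *q != '{'; q++) {
        if (n + 1 >= out_size) {   /* keep one byte for the terminator */
            out[0] = '\0';
            return CS_TOO_LONG;
        }
        out[n++] = *q;
    }
    out[n] = '\0';
    return CS_OK;
}

/* Convenience wrapper: the extracted name, or NULL when absent or too long.
 * Uses a static buffer, so each call overwrites the previous result. */
const char *cs_start_of(const char *line)
{
    static char out[CS_START_SIZE];
    return extract_cs_start(line, out, sizeof(out)) == CS_OK ? out : NULL;
}

/* Build a constructed font line whose command name is name_len copies of
 * 'x' and return the extractor's status for a CS_START_SIZE buffer. This is
 * the case the bounds check exists for: a name longer than the buffer. */
int check_long_name(size_t name_len)
{
    static char line[4096];
    static char out[CS_START_SIZE];
    const char *tail = " {string currentfile exch readstring pop} executeonly def";

    if (name_len + strlen(tail) + 2 > sizeof(line))
        name_len = sizeof(line) - strlen(tail) - 2;   /* clamp to the synthetic buffer */
    line[0] = '/';
    memset(line + 1, 'x', name_len);
    strcpy(line + 1 + name_len, tail);
    return extract_cs_start(line, out, sizeof(out));
}

int main(void)
{
    /* constructed sample line in the style of a Type 1 font's Private dict */
    const char *sample = "/RD {string currentfile exch readstring pop} executeonly def";
    printf("cs_start = %s\n", cs_start_of(sample));
    printf("1023-char name: %d, 1024-char name: %d\n",
           check_long_name(1023), check_long_name(1024));
    return 0;
}
```

With a 1024-byte buffer the longest accepted name is 1023 characters, which is exactly the limit the patch enforces; the old 10-byte cs_start would have overflowed on an 11-character name, and the same function with out_size 10 rejects it instead.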