Package: t1lib
Version: 5.1.2-3.4
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: fix denial of service via oversized fonts
    - debian/patches/CVE-2011-1552_1553_1554.patch: add additional tests to
      address remaining crashes
    - CVE-2011-1552
    - CVE-2011-1553
    - CVE-2011-1554
  * SECURITY UPDATE: fix heap-based buffer overflow via AFM font parser
    - update debian/patches/series to apply CVE-2010-2642.patch which was
      mistakenly not updated in 5.1.2-3.4
    - CVE-2010-2642
    - CVE-2011-0433


Debian took the Ubuntu patch for CVE-2011-0764 (which is great). RedHat
later fixed the remaining open CVEs with a patch landing in Fedora's
http://koji.fedoraproject.org/koji/buildinfo?buildID=282529. I then
verified all the patches in Debian against Fedora's patchset and came up
with this patch against 5.1.2-3.4. While Debian included an equivalent
patch for CVE-2010-2642 (which also fixes CVE-2011-0433), it was not
added to the debian/patches/series file, so it wasn't applied during the
build. The attached debdiff should bring unstable up to date on these
issues.

Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-8-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u t1lib-5.1.2/debian/changelog t1lib-5.1.2/debian/changelog
diff -u t1lib-5.1.2/debian/control t1lib-5.1.2/debian/control
--- t1lib-5.1.2/debian/control
+++ t1lib-5.1.2/debian/control
@@ -1,7 +1,8 @@
 Source: t1lib
 Section: libs
 Priority: optional
-Maintainer: Ruben Molina <rmol...@udea.edu.co>
+Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
+XSBC-Original-Maintainer: Ruben Molina <rmol...@udea.edu.co>
 Build-Depends: cdbs, debhelper (>= 7), autotools-dev, libice-dev, libsm-dev, libx11-dev, libxext-dev, libxaw7-dev, quilt
 Standards-Version: 3.8.0
 Homepage: ftp://sunsite.unc.edu/pub/Linux/libs/graphics/
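Review bot: The Maintainer / XSBC-Original-Maintainer change in debian/control is the Ubuntu packaging convention and is not intended for a Debian upload; a Debian maintainer taking this debdiff would drop this hunk and keep only the series and patch additions. Nothing in the security fix depends on it.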
diff -u t1lib-5.1.2/debian/patches/series t1lib-5.1.2/debian/patches/series
--- t1lib-5.1.2/debian/patches/series
+++ t1lib-5.1.2/debian/patches/series
@@ -6,0 +7,2 @@
+CVE-2011-1552_1553_1554.patch
+CVE-2010-2642.patch
only in patch2:
unchanged:
--- t1lib-5.1.2.orig/debian/patches/CVE-2011-1552_1553_1554.patch
+++ t1lib-5.1.2/debian/patches/CVE-2011-1552_1553_1554.patch
@@ -0,0 +1,133 @@
+Author: Jaroslav Škarvada <jskar...@redhat.com>
+Description: Fix more crashes on oversized fonts
+Bug-Redhat: http://bugzilla.redhat.com/show_bug.cgi?id=692909
+Index: t1lib-5.1.2/lib/type1/lines.c
+===================================================================
+--- t1lib-5.1.2.orig/lib/type1/lines.c	2007-12-23 09:49:42.000000000 -0600
++++ t1lib-5.1.2/lib/type1/lines.c	2012-01-17 14:15:08.000000000 -0600
+@@ -67,6 +67,10 @@
+ None.
+ */
+  
++#define  BITS         (sizeof(LONG)*8)
++#define  HIGHTEST(p)  (((p)>>(BITS-2)) != 0)  /* includes sign bit */
++#define  TOOBIG(xy)   ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
++
+ /*
+ :h2.StepLine() - Produces Run Ends for a Line After Checks
+  
+@@ -84,6 +88,9 @@
+        IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n",
+                                             x1, y1, x2, y2);
+  
++      if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
++              abort("Lines this big not supported", 49);
++
+        dy = y2 - y1;
+  
+ /*
+Index: t1lib-5.1.2/lib/type1/objects.c
+===================================================================
+--- t1lib-5.1.2.orig/lib/type1/objects.c	2007-12-23 09:49:42.000000000 -0600
++++ t1lib-5.1.2/lib/type1/objects.c	2012-01-17 14:15:08.000000000 -0600
+@@ -1137,12 +1137,13 @@
+     "Context:  out of them", /* 46 */
+     "MatrixInvert:  can't", /* 47 */
+     "xiStub called", /* 48 */
+-    "Illegal access type1 abort() message" /* 49 */
++    "Lines this big not supported", /* 49 */
++    "Illegal access type1 abort() message" /* 50 */
+   };
+ 
+-  /* no is valid from 1 to 48 */
+-  if ( (number<1)||(number>48))
+-    number=49;
++  /* no is valid from 1 to 49 */
++  if ( (number<1)||(number>49))
++    number=50;
+   return( err_msgs[number-1]);
+     
+ }
+Index: t1lib-5.1.2/lib/type1/type1.c
+===================================================================
+--- t1lib-5.1.2.orig/lib/type1/type1.c	2012-01-17 14:13:28.000000000 -0600
++++ t1lib-5.1.2/lib/type1/type1.c	2012-01-17 14:19:54.000000000 -0600
+@@ -1012,6 +1012,7 @@
+   double nextdtana = 0.0;   /* tangent of post-delta against horizontal line */ 
+   double nextdtanb = 0.0;   /* tangent of post-delta against vertical line */ 
+   
++  if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");
+  
+   /* setup default hinted position */
+   ppoints[numppoints-1].ax     = ppoints[numppoints-1].x;
+@@ -1289,7 +1290,7 @@
+ static int DoRead(CodeP)
+   int *CodeP;
+ {
+-  if (strindex >= CharStringP->len) return(FALSE); /* end of string */
++  if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */
+   /* We handle the non-documented Adobe convention to use lenIV=-1 to
+      suppress charstring encryption. */
+   if (blues->lenIV==-1) {
+@@ -1700,7 +1701,7 @@
+   long pindex = 0;
+   
+   /* compute hinting for previous segment! */
+-  if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
++  if (ppoints == NULL || numppoints < 2) Error0i("RLineTo: No previous point!\n");
+   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
+ 
+   /* Allocate a new path point and pre-setup data */
+@@ -1729,7 +1730,7 @@
+   long pindex = 0;
+   
+   /* compute hinting for previous point! */
+-  if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
++  if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n");
+   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
+ 
+   /* Allocate three new path points and pre-setup data */
+@@ -1788,7 +1789,9 @@
+   long tmpind;
+   double deltax = 0.0;
+   double deltay = 0.0;
+-  
++ 
++  if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous point!");
++ 
+   /* If this ClosePath command together with the starting point of this
+      path completes to a segment aligned to a stem, we would miss
+      hinting for this point. --> Check and explicitly care for this! */
+@@ -1803,6 +1806,7 @@
+     deltax = ppoints[i].x - ppoints[numppoints-1].x;
+     deltay = ppoints[i].y - ppoints[numppoints-1].y;
+ 
++    if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No previous point!");
+     /* save nummppoints and reset to move point */
+     tmpind = numppoints;
+     numppoints = i + 1;
+@@ -1905,7 +1909,7 @@
+     FindStems( currx, curry, 0, 0, dx, dy);
+   }
+   else {
+-    if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
++    if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n");
+     FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
+   }
+   
+@@ -2155,6 +2159,7 @@
+   DOUBLE cx, cy;
+   DOUBLE ex, ey;
+ 
++  if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!");
+ 
+   /* Our PPOINT list now contains 7 moveto commands which
+      are about to be consumed by the Flex mechanism. --> Remove these
+@@ -2324,6 +2329,7 @@
+ /*   Returns currentpoint on stack          */
+ static void FlxProc2()
+ {
++  if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous point!");
+   /* Push CurrentPoint on fake PostScript stack */
+   PSFakePush( ppoints[numppoints-1].x);
+   PSFakePush( ppoints[numppoints-1].y);
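Review bot: In the type1.c part of the new patch, the guard inserted in DoClosePath after the `deltay = ppoints[i].y - ppoints[numppoints-1].y;` line (`if (ppoints == NULL || numppoints <= i + 1) Error0i(...)`) runs after the two `ppoints[i]` / `ppoints[numppoints-1]` reads it appears meant to protect, so a NULL or too-short point list is already dereferenced before the check; moving it above the `deltax = ...` line would make it effective, and since the guard added at the top of DoClosePath already rejects NULL and `numppoints < 1`, the later one only needs the `numppoints <= i + 1` half (whether `i` is otherwise bounded by the enclosing loop is not visible here). In lines.c, `TOOBIG` does not parenthesize its argument and negates it bare, so an expression argument such as `TOOBIG(a - b)` mis-parses; `#define TOOBIG(xy)   (((xy) < 0) ? HIGHTEST(-(xy)) : HIGHTEST((xy)))` fixes that, and `-(xy)` for the most negative LONG is still a signed overflow, though HIGHTEST would report it as too big on the usual wrap-around. `BITS` is computed as `sizeof(LONG)*8`; `sizeof(LONG)*CHAR_BIT` states the intent. The DoClosePath, FlxProc and other type1.c functions touched here start and end outside the inner hunks shown.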
