Bug#652996: marked as done (t1lib: CVE-2011-0764)

Debian Bug Tracking System Sat, 31 Dec 2011 15:06:20 -0800

Your message dated Sat, 31 Dec 2011 23:02:27 +0000
with message-id <e1rh7wz-0005me...@franck.debian.org>
and subject line Bug#652996: fixed in t1lib 5.1.2-3.3
has caused the Debian Bug report #652996,
regarding t1lib: CVE-2011-0764
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
652996: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652996
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: t1lib
Version: 5.1.2-3
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764

*** /tmp/tmpP7Dzmm
In Ubuntu, the attached patch was applied to achieve the following:

Prevents an invalid pointer from being dereferenced when using a
maliciously crafted font.

  * SECURITY UPDATE: Arbitrary code execution via crafted Type 1 font
    - lib/type1/type1.c: Only use ppoints when it is a valid pointer
    - CVE-2011-0764


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers oneiric-updates
  APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 
'oneiric')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-14-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- t1lib-5.1.2.orig/debian/patches/CVE-2011-0764.patch
+++ t1lib-5.1.2/debian/patches/CVE-2011-0764.patch
@@ -0,0 +1,31 @@
+Description: Don't lookup previous point if there isn't any
+Author: Marc Deslauriers <marc.deslauri...@canonical.com>
+
+Index: t1lib-5.1.2/lib/type1/type1.c
+===================================================================
+--- t1lib-5.1.2.orig/lib/type1/type1.c	2011-12-13 14:24:14.280965637 -0600
++++ t1lib-5.1.2/lib/type1/type1.c	2011-12-13 14:25:25.893320747 -0600
+@@ -1700,6 +1700,7 @@
+   long pindex = 0;
+   
+   /* compute hinting for previous segment! */
++  if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
+   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
+ 
+   /* Allocate a new path point and pre-setup data */
+@@ -1728,6 +1729,7 @@
+   long pindex = 0;
+   
+   /* compute hinting for previous point! */
++  if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
+   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
+ 
+   /* Allocate three new path points and pre-setup data */
+@@ -1903,6 +1905,7 @@
+     FindStems( currx, curry, 0, 0, dx, dy);
+   }
+   else {
++    if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
+     FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
+   }
+

--- End Message ---

--- Begin Message ---

Source: t1lib
Source-Version: 5.1.2-3.3

We believe that the bug you reported is fixed in the latest version of
t1lib, which is due to be installed in the Debian FTP archive:

libt1-5-dbg_5.1.2-3.3_i386.deb
  to main/t/t1lib/libt1-5-dbg_5.1.2-3.3_i386.deb
libt1-5_5.1.2-3.3_i386.deb
  to main/t/t1lib/libt1-5_5.1.2-3.3_i386.deb
libt1-dev_5.1.2-3.3_i386.deb
  to main/t/t1lib/libt1-dev_5.1.2-3.3_i386.deb
libt1-doc_5.1.2-3.3_all.deb
  to main/t/t1lib/libt1-doc_5.1.2-3.3_all.deb
t1lib-bin_5.1.2-3.3_i386.deb
  to main/t/t1lib/t1lib-bin_5.1.2-3.3_i386.deb
t1lib_5.1.2-3.3.diff.gz
  to main/t/t1lib/t1lib_5.1.2-3.3.diff.gz
t1lib_5.1.2-3.3.dsc
  to main/t/t1lib/t1lib_5.1.2-3.3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 652...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <l...@debian.org> (supplier of updated t1lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 29 Dec 2011 23:21:33 +0100
Source: t1lib
Binary: libt1-5 libt1-dev t1lib-bin libt1-doc libt1-5-dbg
Architecture: source all i386
Version: 5.1.2-3.3
Distribution: unstable
Urgency: low
Maintainer: Ruben Molina <rmol...@udea.edu.co>
Changed-By: Luk Claes <l...@debian.org>
Description: 
 libt1-5    - Type 1 font rasterizer library - runtime
 libt1-5-dbg - Type 1 font rasterizer library - debugging runtime
 libt1-dev  - Type 1 font rasterizer library - development
 libt1-doc  - Type 1 font rasterizer library - developers documentation
 t1lib-bin  - Type 1 font rasterizer library - user binaries
Closes: 633247 652996
Changes: 
 t1lib (5.1.2-3.3) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix arbitrary code execution CVE-2011-0764 by only using ppoints when
     it is a valid pointer (Closes: #652996).
   * Don't ship .la file anymore (Closes: #633247).
Checksums-Sha1: 
 5e60ff30eccd7d1a0d4fb82dc72cdac0dfaef9cf 1303 t1lib_5.1.2-3.3.dsc
 06b4cf6d0c2460060c9febf516a905bbc5e1b8e1 18771 t1lib_5.1.2-3.3.diff.gz
 640de30e9f91a3666e7493cf62e787ed31b62a90 610622 libt1-doc_5.1.2-3.3_all.deb
 2088c1fe15bdd4cb1fe0765f88a76e29a426fde4 162426 libt1-5_5.1.2-3.3_i386.deb
 37dddcc605e1e821e1f1875e894427206d27d8cd 182334 libt1-dev_5.1.2-3.3_i386.deb
 27ad1ed1f719579190cab512d1c4e9000be713a6 55416 t1lib-bin_5.1.2-3.3_i386.deb
 2b9c2632bad9aab02ee0d0cff31e54cf69a9ab0d 235436 libt1-5-dbg_5.1.2-3.3_i386.deb
Checksums-Sha256: 
 e20267dec6ee3f3d8ccef9456c63d27f0124254b47c5adfffa5df191fd619472 1303 
t1lib_5.1.2-3.3.dsc
 18a5c544423f0aa0a2647439f88c20bfe57a48da906e4e26b57d94f3360dd1d8 18771 
t1lib_5.1.2-3.3.diff.gz
 4b4abfde40581b9ea205e06945ea6b8d00d8a869944132731cb5b8d917296f7a 610622 
libt1-doc_5.1.2-3.3_all.deb
 2395c0cafa307495644c1ee851e8d437f1abe4febda94588b7ce31c626f91452 162426 
libt1-5_5.1.2-3.3_i386.deb
 71feb5f58826ac7e9b7ce9e9964a75bc3def8e5a56d7f4d66356a9c3d6cce977 182334 
libt1-dev_5.1.2-3.3_i386.deb
 74c5ed3e113b5fd24da14ae4c0b03d30cd97cb70d6a144b201775aa2f11400bd 55416 
t1lib-bin_5.1.2-3.3_i386.deb
 437d179a0b4479c685c16724effb2bca6c017c8103ee8a2915bec9abb3de5fe9 235436 
libt1-5-dbg_5.1.2-3.3_i386.deb
Files: 
 633c5af209002f0784f1c3c0f264cbf0 1303 libs optional t1lib_5.1.2-3.3.dsc
 c5a9dcccbd2ffcbe116432f0ed387d57 18771 libs optional t1lib_5.1.2-3.3.diff.gz
 21390c32e88efbb6870ab6ea540f964d 610622 doc optional 
libt1-doc_5.1.2-3.3_all.deb
 719687174675e77a9b579242a1beabf0 162426 libs optional 
libt1-5_5.1.2-3.3_i386.deb
 2273f31c28b7b7dc14fb269f0847482b 182334 libdevel optional 
libt1-dev_5.1.2-3.3_i386.deb
 da77503bf50225ac4d8f307442b1d71b 55416 misc optional 
t1lib-bin_5.1.2-3.3_i386.deb
 9d740f9c40ce9720af6eae175187e271 235436 libdevel extra 
libt1-5-dbg_5.1.2-3.3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk786zsACgkQ5UTeB5t8Mo31JgCfZeR3W4pvDF8jjcDm5NfIC3is
7HAAn2AuXk+IUCtCPzSmx7iQL7mPsxXn
=Qu2y
-----END PGP SIGNATURE-----

--- End Message ---

Bug#652996: marked as done (t1lib: CVE-2011-0764)

Reply via email to