Your message dated Sun, 15 Jan 2012 12:47:09 +0000
with message-id <e1rmpul-00056u...@franck.debian.org>
and subject line Bug#652996: fixed in t1lib 5.1.2-3+squeeze1
has caused the Debian Bug report #652996,
regarding t1lib: CVE-2011-0764
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
652996: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652996
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: t1lib
Version: 5.1.2-3
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764
*** /tmp/tmpP7Dzmm
In Ubuntu, the attached patch was applied to achieve the following:

Prevents an invalid pointer from being dereferenced when using a
maliciously crafted font.

  * SECURITY UPDATE: Arbitrary code execution via crafted Type 1 font
    - lib/type1/type1.c: Only use ppoints when it is a valid pointer
    - CVE-2011-0764

Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers oneiric-updates
APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500,
'oneiric')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-14-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- t1lib-5.1.2.orig/debian/patches/CVE-2011-0764.patch
+++ t1lib-5.1.2/debian/patches/CVE-2011-0764.patch
@@ -0,0 +1,31 @@
+Description: Don't lookup previous point if there isn't any
+Author: Marc Deslauriers <marc.deslauri...@canonical.com>
+
+Index: t1lib-5.1.2/lib/type1/type1.c
+===================================================================
+--- t1lib-5.1.2.orig/lib/type1/type1.c 2011-12-13 14:24:14.280965637 -0600
++++ t1lib-5.1.2/lib/type1/type1.c 2011-12-13 14:25:25.893320747 -0600
+@@ -1700,6 +1700,7 @@
+ long pindex = 0;
+
+ /* compute hinting for previous segment! */
++ if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
+ FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
+
+ /* Allocate a new path point and pre-setup data */
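Review bot: the new guard in RLineTo only rules out ppoints == NULL, while the FindStems call right after it indexes ppoints[numppoints-2], which would still be out of bounds if the array exists and numppoints is below 2. Consider testing "ppoints == NULL || numppoints < 2" before the call so the index is validated together with the pointer.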
+@@ -1728,6 +1729,7 @@
+ long pindex = 0;
+
+ /* compute hinting for previous point! */
++ if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
+ FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
+
+ /* Allocate three new path points and pre-setup data */
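Review bot: in RRCurveTo the guard is an unbraced single-line if whose whole body is Error0i(...), so the fix holds only if Error0i leaves the function before the FindStems line that dereferences ppoints. If Error0i expands to more than one statement without its own braces, only the first statement would be conditional; writing it as "if (ppoints == NULL) { Error0i(...); }" makes the control flow independent of the expansion. A short comment on how ppoints can be NULL at this point would also help the next reader.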
+@@ -1903,6 +1905,7 @@
+ FindStems( currx, curry, 0, 0, dx, dy);
+ }
+ else {
++ if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
+ FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
+ }
+
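Review bot: the RMoveTo guard in the else branch is the third copy of the same check, each with a hand-edited message string, and like the other two it leaves the numppoints-2 index unchecked. A small shared helper or macro that takes the operator name would keep the three call sites consistent. The patch header carries only Description and Author; adding the CVE identifier and the bug number there would make the patch file traceable on its own.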
--- End Message ---
--- Begin Message ---
Source: t1lib
Source-Version: 5.1.2-3+squeeze1
We believe that the bug you reported is fixed in the latest version of
t1lib, which is due to be installed in the Debian FTP archive:

libt1-5-dbg_5.1.2-3+squeeze1_amd64.deb
  to main/t/t1lib/libt1-5-dbg_5.1.2-3+squeeze1_amd64.deb
libt1-5_5.1.2-3+squeeze1_amd64.deb
  to main/t/t1lib/libt1-5_5.1.2-3+squeeze1_amd64.deb
libt1-dev_5.1.2-3+squeeze1_amd64.deb
  to main/t/t1lib/libt1-dev_5.1.2-3+squeeze1_amd64.deb
libt1-doc_5.1.2-3+squeeze1_all.deb
  to main/t/t1lib/libt1-doc_5.1.2-3+squeeze1_all.deb
t1lib-bin_5.1.2-3+squeeze1_amd64.deb
  to main/t/t1lib/t1lib-bin_5.1.2-3+squeeze1_amd64.deb
t1lib_5.1.2-3+squeeze1.diff.gz
  to main/t/t1lib/t1lib_5.1.2-3+squeeze1.diff.gz
t1lib_5.1.2-3+squeeze1.dsc
  to main/t/t1lib/t1lib_5.1.2-3+squeeze1.dsc

A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 652...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yves-Alexis Perez <cor...@debian.org> (supplier of updated t1lib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 14 Jan 2012 21:55:47 +0100
Source: t1lib
Binary: libt1-5 libt1-dev t1lib-bin libt1-doc libt1-5-dbg
Architecture: source all amd64
Version: 5.1.2-3+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Ruben Molina <rmol...@udea.edu.co>
Changed-By: Yves-Alexis Perez <cor...@debian.org>
Description:
 libt1-5 - Type 1 font rasterizer library - runtime
 libt1-5-dbg - Type 1 font rasterizer library - debugging runtime
 libt1-dev - Type 1 font rasterizer library - development
 libt1-doc - Type 1 font rasterizer library - developers documentation
 t1lib-bin - Type 1 font rasterizer library - user binaries
Closes: 652996
Changes:
 t1lib (5.1.2-3+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches:
     - CVE-2010-2642 added, fix heap-based buffer overflow first found in
       evince but applicable to the embedded afmparse library found in t1lib
       too. Fixes CVE-2011-0433 too on the same patch.
     - CVE-2011-0764 added, fix arbitrary code execution by only using ppoints
       when it is a valid pointer. closes: #652996
       This fixes CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554
   * format-string added, fix a format string error IfTrace0 macro and another
     in T1_SubfsetFont().
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---