Your message dated Sun, 15 Jan 2012 22:19:36 +0000
with message-id <e1rmyqk-0001n1...@franck.debian.org>
and subject line Bug#652996: fixed in t1lib 5.1.2-3+lenny1
has caused the Debian Bug report #652996,
regarding t1lib: CVE-2011-0764
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
652996: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652996
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: t1lib
Version: 5.1.2-3
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764
In Ubuntu, the attached patch was applied to achieve the following:
Prevents an invalid pointer from being dereferenced when using a
maliciously crafted font.
  * SECURITY UPDATE: Arbitrary code execution via crafted Type 1 font
    - lib/type1/type1.c: Only use ppoints when it is a valid pointer
    - CVE-2011-0764
Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers oneiric-updates
APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 'oneiric')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-14-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- t1lib-5.1.2.orig/debian/patches/CVE-2011-0764.patch
+++ t1lib-5.1.2/debian/patches/CVE-2011-0764.patch
@@ -0,0 +1,31 @@
+Description: Don't lookup previous point if there isn't any
+Author: Marc Deslauriers <marc.deslauri...@canonical.com>
+
+Index: t1lib-5.1.2/lib/type1/type1.c
+===================================================================
+--- t1lib-5.1.2.orig/lib/type1/type1.c 2011-12-13 14:24:14.280965637 -0600
++++ t1lib-5.1.2/lib/type1/type1.c 2011-12-13 14:25:25.893320747 -0600
+@@ -1700,6 +1700,7 @@
+ long pindex = 0;
+
+ /* compute hinting for previous segment! */
++ if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
+ FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
+
+ /* Allocate a new path point and pre-setup data */
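Review bot: the new NULL check in the RLineTo hunk leaves the index in `ppoints[numppoints-2]` on the following FindStems line unchecked, so a non-NULL ppoints with numppoints below 2 would still index outside the array. Consider testing both conditions in the same guard, for example `if (ppoints == NULL || numppoints < 2) Error0i("RLineTo: No previous point!\n");`, unless an invariant outside this hunk guarantees at least two points whenever ppoints is set. If such an invariant exists, a one-line comment stating it next to the check would help.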
+@@ -1728,6 +1729,7 @@
+ long pindex = 0;
+
+ /* compute hinting for previous point! */
++ if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
+ FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
+
+ /* Allocate three new path points and pre-setup data */
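Review bot: in the RRCurveTo hunk the guard is an unbraced `if (ppoints == NULL) Error0i(...)`, and it protects the FindStems call on the next line only if Error0i leaves the function and, if it is a macro, expands to a single statement or a braced block. Its definition is not part of this patch, so please confirm both properties; if it expands to several statements, only the first would be conditional, and if it does not return, the dereference of `ppoints[numppoints-2]` still runs. Wrapping the error call in braces with an explicit return would make the check independent of how Error0i is defined.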
+@@ -1903,6 +1905,7 @@
+ FindStems( currx, curry, 0, 0, dx, dy);
+ }
+ else {
++ if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
+ FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
+ }
+
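Review bot: in the RMoveTo hunk the check sits only in the else branch, and nothing in the hunk says why ppoints can still be NULL there while the other branch calls FindStems with 0, 0 and never touches ppoints. The branch condition is outside the hunk, so a short comment naming the input condition that reaches the else branch with no previous point would make it clear that raising an error here is deliberate. The patch header could also carry the CVE id and bug reference (CVE-2011-0764, #652996) so the Description line stays traceable once the file is separated from this report.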
--- End Message ---
--- Begin Message ---
Source: t1lib
Source-Version: 5.1.2-3+lenny1
We believe that the bug you reported is fixed in the latest version of
t1lib, which is due to be installed in the Debian FTP archive:
libt1-5-dbg_5.1.2-3+lenny1_amd64.deb
to main/t/t1lib/libt1-5-dbg_5.1.2-3+lenny1_amd64.deb
libt1-5_5.1.2-3+lenny1_amd64.deb
to main/t/t1lib/libt1-5_5.1.2-3+lenny1_amd64.deb
libt1-dev_5.1.2-3+lenny1_amd64.deb
to main/t/t1lib/libt1-dev_5.1.2-3+lenny1_amd64.deb
libt1-doc_5.1.2-3+lenny1_all.deb
to main/t/t1lib/libt1-doc_5.1.2-3+lenny1_all.deb
t1lib-bin_5.1.2-3+lenny1_amd64.deb
to main/t/t1lib/t1lib-bin_5.1.2-3+lenny1_amd64.deb
t1lib_5.1.2-3+lenny1.diff.gz
to main/t/t1lib/t1lib_5.1.2-3+lenny1.diff.gz
t1lib_5.1.2-3+lenny1.dsc
to main/t/t1lib/t1lib_5.1.2-3+lenny1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 652...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yves-Alexis Perez <cor...@debian.org> (supplier of updated t1lib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 14 Jan 2012 21:55:47 +0100
Source: t1lib
Binary: libt1-5 libt1-dev t1lib-bin libt1-doc libt1-5-dbg
Architecture: source all amd64
Version: 5.1.2-3+lenny1
Distribution: oldstable-security
Urgency: high
Maintainer: Ruben Molina <rmol...@udea.edu.co>
Changed-By: Yves-Alexis Perez <cor...@debian.org>
Description:
libt1-5 - Type 1 font rasterizer library - runtime
libt1-5-dbg - Type 1 font rasterizer library - debugging runtime
libt1-dev - Type 1 font rasterizer library - development
libt1-doc - Type 1 font rasterizer library - developers documentation
t1lib-bin - Type 1 font rasterizer library - user binaries
Closes: 652996
Changes:
t1lib (5.1.2-3+lenny1) oldstable-security; urgency=high
.
  * Non-maintainer upload by the Security Team.
  * debian/patches:
    - CVE-2010-2642 added, fix heap-based buffer overflow first found in
      evince but applicable to the embedded afmparse library found in t1lib
      too. Fixes CVE-2011-0433 too on the same patch.
    - CVE-2011-0764 added, fix arbitrary code execution by only using ppoints
      when it is a valid pointer. closes: #652996
      This fixes CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554
  * format-string added, fix a format string error IfTrace0 macro and another
    in T1_SubfsetFont().
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---