Your message dated Sat, 28 Feb 2015 09:50:58 +0000
with message-id <e1yre30-0007an...@franck.debian.org>
and subject line Bug#779274: fixed in t1utils 1.39-1
has caused the Debian Bug report #779274,
regarding t1disasm: buffer overflow in set_cs_start
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
779274: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: t1utils
Version: 1.38-3
Severity: grave
Tags: security
Usertags: afl

$ t1asm crash.raw crash.pfb
t1asm: warning: no charstrings found in input file

$ t1disasm crash.pfb /dev/null
Segmentation fault

Backtrace:

#0  ___fprintf_chk (fp=0x6f6f6f6f, flag=1, format=0x804eedc "%.*s") at fprintf_chk.c:30
#1  0x0804d653 in fprintf (__fmt=0x804eedc "%.*s", __stream=<optimized out>) at /usr/include/i386-linux-gnu/bits/stdio2.h:97
#2  eexec_line (line=0xffffd320 "/m", 'o' <repeats 36 times>, "{string currentfile exch readstring pop}executeonly def\n", line_len=<optimized out>, line_len@entry=94) at t1disasm.c:462
#3  0x0804e05e in disasm_output_binary (data=0xffffd320 "/m", 'o' <repeats 36 times>, "{string currentfile exch readstring pop}executeonly def\n", len=94) at t1disasm.c:595
#4  0x0804cf67 in process_pfb (ifp=0x80531c0, ifp_filename=0xffffd9ff "crash.pfb", fr=0xffffd760) at t1lib.c:295
#5  0x08048f41 in main (argc=3, argv=0xffffd834) at t1disasm.c:770

This happened because set_cs_start overwrote the file pointer with data from the disassembled file.

I believe the bug can be exploited for code execution, at least on systems that don't have executable space protection.

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages t1utils depends on:
ii  libc6  2.19-15

--
Jakub Wilk
currentfile eexec
/moooooooooooooooooooooooooooooooooooo{string currentfile exch readstring pop}executeonly def

--- End Message ---
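The overwrite the report above describes (a charstring-start token taken from the font and copied into a small fixed buffer that sits next to a FILE*, so that the 'o' bytes of the attachment become the 0x6f6f6f6f fp in frame #0), shown as an added C illustration. This is not t1utils' own code: the 10-byte buffer size, the struct layout, the function names and the two sample lines are all assumptions made for the example. The first sample line reproduces the shape of the attachment ("/m" plus 36 'o', 94 bytes as in the backtrace); the second is a constructed benign Type 1 line.

```c
/* Added example of the bug class in #779274, not t1utils' own code.
 * CS_START_MAX, struct disasm_state and the function names are
 * assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CS_START_MAX 10   /* assumed size of the token buffer */

/* Hypothetical disassembler state: a small token buffer immediately
 * followed by the output FILE*.  An unbounded copy into cs_start runs
 * straight into ofp, which is what the report's backtrace shows. */
struct disasm_state {
    char  cs_start[CS_START_MAX];
    FILE *ofp;
};

/* Constructed sample lines.  POC_LINE mirrors the attachment: "/m"
 * followed by 36 'o' (37-byte token, 94-byte line). */
const char POC_LINE[] =
    "/m" "oooooooooo" "oooooooooo" "oooooooooo" "oooooo"
    "{string currentfile exch readstring pop}executeonly def\n";
const char BENIGN_LINE[] =
    "/-| {string currentfile exch readstring pop} executeonly def\n";

/* Find the "/name" that precedes "{string currentfile ... readstring".
 * Returns a pointer to the byte after '/' and stores the token length
 * (trailing blanks trimmed) in *len, or NULL if the line is not a
 * charstring-start definition. */
static const char *find_cs_token(const char *line, size_t *len)
{
    const char *brace = strstr(line, "{string currentfile");
    if (!brace || !strstr(brace, "readstring"))
        return NULL;

    const char *slash = brace;
    while (slash > line && *slash != '/')
        slash--;
    if (*slash != '/')
        return NULL;

    const char *end = brace;
    while (end > slash + 1 && end[-1] == ' ')
        end--;
    *len = (size_t)(end - slash - 1);
    return slash + 1;
}

/* How many bytes an unchecked strcpy-style copy (token plus NUL) would
 * write past cs_start for this line; 0 when it fits or there is no
 * token.  Computed, never performed. */
size_t cs_overflow_bytes(const char *line)
{
    size_t len;
    if (!find_cs_token(line, &len))
        return 0;
    return len + 1 > CS_START_MAX ? len + 1 - CS_START_MAX : 0;
}

/* Hardened setter: refuse a token that does not fit, so ofp is never
 * touched by font data.  Returns 1 on success, 0 when the line carries
 * no charstring-start token, -1 when the token is oversized. */
int set_cs_start_checked(struct disasm_state *st, const char *line)
{
    size_t len;
    const char *tok = find_cs_token(line, &len);
    if (!tok)
        return 0;
    if (len + 1 > sizeof st->cs_start)
        return -1;
    memcpy(st->cs_start, tok, len);
    st->cs_start[len] = '\0';
    return 1;
}

int main(void)
{
    struct disasm_state st = { "", stdout };
    printf("poc line would overflow by %zu bytes\n", cs_overflow_bytes(POC_LINE));
    printf("checked setter on poc line: %d\n", set_cs_start_checked(&st, POC_LINE));
    printf("checked setter on benign line: %d (token \"%s\")\n",
           set_cs_start_checked(&st, BENIGN_LINE), st.cs_start);
    return 0;
}
```

With the assumed 10-byte buffer the attachment's 37-byte token overruns by 28 bytes, more than enough to reach a pointer stored after it; the checked setter rejects it before any copy and leaves ofp intact.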
--- Begin Message ---
Source: t1utils
Source-Version: 1.39-1

We believe that the bug you reported is fixed in the latest version of
t1utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <ni...@thykier.net> (supplier of updated t1utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 28 Feb 2015 08:53:38 +0100
Source: t1utils
Binary: t1utils
Architecture: source
Version: 1.39-1
Distribution: experimental
Urgency: medium
Maintainer: Niels Thykier <ni...@thykier.net>
Changed-By: Niels Thykier <ni...@thykier.net>
Description:
 t1utils    - Collection of simple Type 1 font manipulation programs
Closes: 779274
Changes:
 t1utils (1.39-1) experimental; urgency=medium
 .
   * New upstream release.
     - Fix infinite loop in t1disasm on some fonts.
     - Fix leak of va_list by adding necessary va_end calls.
     - Fix buffer-overflow that can reliably overwrite a
       FILE* pointer.  (Closes: #779274)
   * Drop patch for the infinite loop in t1disasm, since it is
     included in the upstream release.
Checksums-Sha1:
 d053866efeadfdf28efdbb2da77493fcbac55d6b 1704 t1utils_1.39-1.dsc
 655711f5150dd75e45bdc6b81ddb87ff16b0d567 65681 t1utils_1.39.orig.tar.gz
 8056fbacd0a28208cb158ffca94db808913cf778 5928 t1utils_1.39-1.debian.tar.xz
Checksums-Sha256:
 aba5f8c2280a1d1b6c014a8014d60ec3c17d57407f1ce35ecf82952f1b734759 1704 t1utils_1.39-1.dsc
 13d7e8f5095fbabce23dc8a91278c7d347cec1564202370236207d3a7c1ab6b8 65681 t1utils_1.39.orig.tar.gz
 cd1310aee01267cfc07f94b20b2e6016769cd79ec843e4b32363787648eb0f76 5928 t1utils_1.39-1.debian.tar.xz
Files:
 96bf33b585f3f8ffc19132eed1b455b7 1704 text optional t1utils_1.39-1.dsc
 1084d7722d64b9a0d20819c60cacfa58 65681 text optional t1utils_1.39.orig.tar.gz
 4afec396395f0f49deedbec67519cff6 5928 text optional t1utils_1.39-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
