[security] TeXLive CVE-2018-17407

Wed, 10 Oct 2018 03:41:22 -0700 

"An issue was discovered in t1_check_unusual_charstring functions in
writet1.c files in TeX Live before 2018-09-21. A buffer overflow in the
handling of Type 1 fonts allows arbitrary code execution when
a malicious font is loaded by one of the vulnerable tools: pdflatex,
pdftex, dvips, or luatex."

  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17407
  
https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c

Here's a diff for our port.  patch-texk_web2c_luatexdir_font_writet1_w
doesn't seem needed since that .w is not converted into source code by
the build process ; I included it for completeness nevertheless.

ok for 6.4?


Index: Makefile
===================================================================
RCS file: /cvs/ports/print/texlive/base/Makefile,v
retrieving revision 1.103
diff -u -p -r1.103 Makefile
--- Makefile    9 Oct 2018 23:36:19 -0000       1.103
+++ Makefile    10 Oct 2018 07:20:21 -0000
@@ -7,7 +7,7 @@ DISTNAME =              texlive-${DIST_V}-source
 PKGNAME =              texlive_base-${V}
 WRKDIST =              ${WRKDIR}/texlive-${DIST_V}-source
 
-REVISION =             3
+REVISION =             4
 
 MULTI_PACKAGES = -main -mktexlsr
 PKGNAME-mktexlsr =     texlive_mktexlsr-${V}
Index: patches/patch-texk_dvipsk_writet1_c
===================================================================
RCS file: patches/patch-texk_dvipsk_writet1_c
diff -N patches/patch-texk_dvipsk_writet1_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-texk_dvipsk_writet1_c 9 Oct 2018 21:49:44 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+CVE-2018-17407
+https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c
+
+Index: texk/dvipsk/writet1.c
+--- texk/dvipsk/writet1.c.orig
++++ texk/dvipsk/writet1.c
+@@ -1449,7 +1449,9 @@ static void t1_check_unusual_charstring(void)
+         *(strend(t1_buf_array) - 1) = ' ';
+ 
+         t1_getline();
++        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, 
T1_BUF_SIZE);
+         strcat(t1_buf_array, t1_line_array);
++        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+         strcpy(t1_line_array, t1_buf_array);
+         t1_line_ptr = eol(t1_line_array);
+     }
Index: patches/patch-texk_web2c_luatexdir_font_writet1_w
===================================================================
RCS file: patches/patch-texk_web2c_luatexdir_font_writet1_w
diff -N patches/patch-texk_web2c_luatexdir_font_writet1_w
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-texk_web2c_luatexdir_font_writet1_w   9 Oct 2018 21:50:17 
-0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+CVE-2018-17407
+https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c
+
+Index: texk/web2c/luatexdir/font/writet1.w
+--- texk/web2c/luatexdir/font/writet1.w.orig
++++ texk/web2c/luatexdir/font/writet1.w
+@@ -1625,7 +1625,9 @@ static void t1_check_unusual_charstring(void)
+     if (sscanf(p, "%i", &i) != 1) {
+         strcpy(t1_buf_array, t1_line_array);
+         t1_getline();
++        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, 
T1_BUF_SIZE);
+         strcat(t1_buf_array, t1_line_array);
++        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+         strcpy(t1_line_array, t1_buf_array);
+         t1_line_ptr = eol(t1_line_array);
+     }
Index: patches/patch-texk_web2c_pdftexdir_writet1_c
===================================================================
RCS file: patches/patch-texk_web2c_pdftexdir_writet1_c
diff -N patches/patch-texk_web2c_pdftexdir_writet1_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-texk_web2c_pdftexdir_writet1_c        9 Oct 2018 21:50:25 
-0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+CVE-2018-17407
+https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c
+
+Index: texk/web2c/pdftexdir/writet1.c
+--- texk/web2c/pdftexdir/writet1.c.orig
++++ texk/web2c/pdftexdir/writet1.c
+@@ -1598,7 +1598,9 @@ static void t1_check_unusual_charstring(void)
+         *(strend(t1_buf_array) - 1) = ' ';
+ 
+         t1_getline();
++        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, 
T1_BUF_SIZE);
+         strcat(t1_buf_array, t1_line_array);
++        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+         strcpy(t1_line_array, t1_buf_array);
+         t1_line_ptr = eol(t1_line_array);
+     }


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE

Attachment: signature.asc
Description: PGP signature

Reply via email to