Bug#: 193437
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Pierre-Yves Rofes <py@gentoo.org>
Description:   Opened: 2007-09-22 18:07 0000
Hamid Ebadi has reported a vulnerability in t1lib, which can be exploited by
malicious users to potentially compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the
"intT1_EnvGetCompletePath()" function in lib/t1lib/t1env.c. This can be
exploited to cause a buffer overflow when an application processes an overly
long string in the "FileName" parameter.

The vulnerability is reported in version 5.1.1. Other versions may also be
affected.

------- Comment #1 From Pierre-Yves Rofes 2007-09-22 18:11:56 0000 -------
Advisory mentions 5.1.1, but our last version (5.0.2) is also affected. Ubuntu
released a patch for this: 
http://security.ubuntu.com/ubuntu/pool/main/t/t1lib/t1lib_5.1.0-2ubuntu0.6.06.1.diff.gz

The relevant part should be:
---------------------------------------------------
--- t1lib-5.1.0.orig/lib/t1lib/t1env.c
+++ t1lib-5.1.0/lib/t1lib/t1env.c
@@ -611,6 +611,12 @@
 #endif 
     strcat( pathbuf, DIRECTORY_SEP);
     /* And finally the filename: */
+    /* If current pathbuf + StrippedName + 1 byte for NULL is bigger than
pathbuf
+       let's try next pathbuf */
+    if( strlen(pathbuf) + strlen(StrippedName) + 1 > sizeof(pathbuf) ) {
+       i++;
+       continue;
+    }
     strcat( pathbuf, StrippedName);

     /* Check for existence of the path: */
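Review bot: the new guard relies on `sizeof(pathbuf)` reporting the buffer's real size, which holds only if `pathbuf` is declared as a fixed-size array in this function rather than as a pointer; its declaration is outside the hunk, so please confirm that from the surrounding code. The `strcat( pathbuf, DIRECTORY_SEP)` two lines above the check is still unbounded, so the guard protects only the final `strcat( pathbuf, StrippedName)`; moving the length test before the separator is appended, or counting the separator in `need`, would close that gap too. Finally, the `i++; continue;` pair assumes the enclosing loop does not advance `i` itself; if it does, one search path entry is skipped on every too-long name.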
----------------------------------------------------

Fonts, please provide an updated ebuild, and maybe combine this with bug
130362.
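As an added illustration of the boundary error described in the report and of the shape of the Ubuntu fix (example code written for this page, not t1lib's own code nor the Ubuntu patch): the loop below assembles a font path from a search path list, but refuses any entry where directory, separator, file name and terminating NUL would not fit in the fixed buffer, checking the whole length once up front rather than only the final strcat. The search path list, the 64-byte buffer size and the helper names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#define DIRECTORY_SEP "/"
#define PATHBUF_SIZE 64   /* deliberately small so the bound is easy to hit */
/* Constructed sample search path; an assumption, not t1lib's real defaults. */
static const char *const SAMPLE_PATHS[] = { "/usr/share/fonts/type1", "/tmp" };

/* Hardened path assembly in the spirit of the fix: compute dir + separator +
   name + NUL before any strcat and skip every entry where that exceeds bufsize.
   Returns the index of the entry used, or -1 if the name fits nowhere (the
   unpatched code would strcat regardless and overflow pathbuf). */
int build_complete_path(const char *const *paths, int n_paths,
                        const char *name, char *pathbuf, size_t bufsize)
{
    for (int i = 0; i < n_paths; i++) {
        size_t need = strlen(paths[i]) + strlen(DIRECTORY_SEP) + strlen(name) + 1;
        if (need > bufsize)
            continue;           /* the patch's "try next pathbuf" branch */
        pathbuf[0] = '\0';
        strcat(pathbuf, paths[i]);
        strcat(pathbuf, DIRECTORY_SEP);
        strcat(pathbuf, name);  /* now provably within bounds */
        return i;
    }
    pathbuf[0] = '\0';
    return -1;
}

/* Assembled path for name against SAMPLE_PATHS, "" if it fits in no entry. */
const char *path_for(const char *name)
{
    static char pathbuf[PATHBUF_SIZE];
    build_complete_path(SAMPLE_PATHS, 2, name, pathbuf, sizeof pathbuf);
    return pathbuf;
}

/* Constructed name of name_len 'x' chars (capped at 127): which entry does it
   land in? -1 means none, i.e. the request is refused instead of overflowing. */
int entry_for_len(size_t name_len)
{
    char name[128], pathbuf[PATHBUF_SIZE];
    if (name_len > sizeof name - 1) name_len = sizeof name - 1;
    memset(name, 'x', name_len);
    name[name_len] = '\0';
    return build_complete_path(SAMPLE_PATHS, 2, name, pathbuf, sizeof pathbuf);
}

int main(void)
{
    printf("%s\n%d %d\n", path_for("a.pfb"), entry_for_len(45), entry_for_len(70));
    return 0;
}
```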

------- Comment #2 From Ryan Hill 2007-09-22 19:13:37 0000 -------
media-libs/t1lib-5.0.2-r1 and t1lib-5.1.1 are in the tree.  5.0.2-r1 is the
target for stabilization.  thanks.

------- Comment #3 From Robert Buchholz 2007-09-22 19:43:05 0000 -------
Ubuntu mentions CVE-2007-4033 with this bug, but I doubt that is correct.
If so, we should request a name for this issue.

Thanks Ryan.
Arches, please test and mark stable media-libs/t1lib-5.0.2-r1.
Targets are: "alpha amd64 arm hppa ia64 mips ppc ppc-macos ppc64 s390 sh sparc x86"

------- Comment #4 From Jurek Bartuszek 2007-09-22 23:21:22 0000 -------
x86 stable

------- Comment #5 From Jeroen Roovers 2007-09-23 04:26:18 0000 -------
Stable for HPPA.

------- Comment #6 From Raúl Porcel 2007-09-23 13:41:05 0000 -------
alpha/ia64 stable

------- Comment #7 From Markus Rothe 2007-09-24 19:07:56 0000 -------
ppc64 stable

------- Comment #8 From Tobias Scherbaum 2007-09-25 17:10:12 0000 -------
ppc stable

------- Comment #9 From Raúl Porcel 2007-09-25 17:58:50 0000 -------
sparc stable

------- Comment #10 From Fabian Groffen 2007-09-25 20:50:58 0000 -------
ppc-macos keyword moved to prefix

------- Comment #11 From Togge 2007-09-26 09:43:40 0000 -------
--- amd64 ---

media-libs/t1lib-5.0.2-r1 - USE: X -doc

1: emerges
2: passes collision-protect, (multilib-)strict, test
3: works (kpdf emerges fine and works)

Portage 2.1.3.9 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4,
2.6.22-gentoo-r5 x86_64)

------- Comment #12 From Christoph Mende 2007-09-26 12:26:21 0000 -------
amd64 stable

------- Comment #13 From Robert Buchholz 2007-09-26 12:35:00 0000 -------
[glsa] then.

------- Comment #14 From Pierre-Yves Rofes 2007-10-13 08:40:53 0000 -------
GLSA 200710-12

------- Comment #15 From Robert Buchholz 2009-05-28 15:54:26 0000 -------
A tree audit revealed that this never got stabled on HPPA.

------- Comment #16 From Robert Buchholz 2009-05-28 15:54:46 0000 -------
Arches, please test and mark stable:
=media-libs/t1lib-5.0.2-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 arm ia64 ppc ppc64 s390 sh sparc x86"
Missing keywords: "hppa"

------- Comment #17 From Jeroen Roovers 2009-05-28 16:08:34 0000 -------
Looks like I stabilised the ChangeLog back then. HPPA is all done now. :)

------- Comment #18 From Robert Buchholz 2009-05-29 10:35:40 0000 -------
thanks, closing again.
