
Bug 358667 (CVE-2010-2642, CVE-2011-0433, CVE-2011-0764, CVE-2011-1552, CVE-2011-1553, CVE-2011-1554, CVE-2011-5244)

Summary: <media-libs/t1lib-5.1.2-r1: Multiple Vulnerabilities (CVE-2010-2642,CVE-2011-{0433,0764,1552,1553,1554,5244})
Product: Gentoo Security
Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: alexanderyt, fonts
Priority: Normal
Flags: kensington: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/43491/
Whiteboard: B2 [glsa cve]
Package list:
=media-libs/t1lib-5.1.2-r1
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-13 09:17:07 UTC
Some vulnerabilities have been discovered in t1lib, which can be exploited by malicious people to compromise an application using the library.

1) A boundary error within the "token()" function in lib/t1lib/parseAFM.c can be exploited to cause a heap-based buffer overflow by tricking a user into processing a specially crafted AFM font file in an application using the library.

This is related to vulnerability #3 in:
SA42769

2) A boundary error within the "linetoken()" function in lib/t1lib/parseAFM.c can be exploited to cause a heap-based buffer overflow by tricking a user into processing a specially crafted AFM font file in an application using the library.

This is related to vulnerability #5 in:
SA42769

The vulnerabilities are confirmed in version 5.1.2. Other versions may also be affected.

http://secunia.com/advisories/43491/
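
The bounds check that the "token()" and "linetoken()" items above turn on, as an added C example that is neither t1lib's code nor part of this bug report. It is a hypothetical in-memory tokenizer (`afm_reader`, `afm_next_token` and the 16-byte `MAX_NAME` are assumptions) that copies each token into a fixed heap buffer and handles a token exactly as long as that buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME 16  /* constructed size, kept small so the sample reaches the bound */

/* Hypothetical in-memory reader for illustration; not t1lib's API. */
struct afm_reader {
    const char *data;
    size_t len, pos;
    char *ident;     /* heap buffer of MAX_NAME bytes that receives each token */
};

static int is_delim(int ch) { return ch && strchr(" \t\r\n;,", ch) != NULL; }

int afm_reader_init(struct afm_reader *r, const char *data, size_t len) {
    r->data = data; r->len = len; r->pos = 0;
    r->ident = calloc(1, MAX_NAME);
    return r->ident ? 0 : -1;
}

/* Returns the stored length, or -1 at end of input; sets *truncated if the token did not fit. */
int afm_next_token(struct afm_reader *r, int *truncated) {
    size_t idx = 0;
    *truncated = 0;
    while (r->pos < r->len && is_delim((unsigned char)r->data[r->pos]))
        r->pos++;
    if (r->pos >= r->len)
        return -1;
    for (; r->pos < r->len && !is_delim((unsigned char)r->data[r->pos]); r->pos++) {
        /* Bound is MAX_NAME - 1, not MAX_NAME: the terminator below must stay in the buffer. */
        if (idx < MAX_NAME - 1)
            r->ident[idx++] = r->data[r->pos];
        else
            *truncated = 1;  /* consume the byte, store nothing */
    }
    r->ident[idx] = '\0';
    return (int)idx;
}

int main(void) {
    const char *sample = "FontName ABCDEFGHIJKLMNOP\n";  /* constructed; 2nd token is MAX_NAME chars */
    struct afm_reader r;
    int n, truncated;
    if (afm_reader_init(&r, sample, strlen(sample)) != 0) return 1;
    while ((n = afm_next_token(&r, &truncated)) >= 0)
        printf("%-16s len=%d truncated=%d\n", r.ident, n, truncated);
    free(r.ident);
    return 0;
}
```

A caller that treats `truncated` as a parse error rejects the font file instead of continuing with a shortened name.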
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-06-14 16:18:09 UTC
CVE-2011-1554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1554):
  Off-by-one error in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6
  and other products, allows remote attackers to cause a denial of service
  (application crash) via a PDF document containing a crafted Type 1 font that
  triggers an invalid memory read, integer overflow, and invalid pointer
  dereference, a different vulnerability than CVE-2011-0764.

CVE-2011-1553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1553):
  Use-after-free vulnerability in t1lib 5.1.2 and earlier, as used in Xpdf
  before 3.02pl6 and other products, allows remote attackers to cause a denial
  of service (application crash) via a PDF document containing a crafted Type
  1 font that triggers an invalid memory write, a different vulnerability than
  CVE-2011-0764.

CVE-2011-1552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1552):
  t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products,
  reads from invalid memory locations, which allows remote attackers to cause
  a denial of service (application crash) via a crafted Type 1 font in a PDF
  document, a different vulnerability than CVE-2011-0764.

CVE-2011-0764 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0764):
  t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products,
  uses an invalid pointer in conjunction with a dereference operation, which
  allows remote attackers to execute arbitrary code via a crafted Type 1 font
  in a PDF document, as demonstrated by testz.2184122398.pdf.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-11-20 00:46:20 UTC
CVE-2011-0433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0433):
  Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib,
  as used in teTeX 3.0.x, GNOME evince, and possibly other products, allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM)
  file, a different vulnerability than CVE-2010-2642.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-11-20 01:04:30 UTC
CVE-2011-5244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5244):
  Multiple off-by-one errors in the (1) token and (2) linetoken functions in
  backend/dvi/mdvi-lib/afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME
  evince, and possibly other products, allow remote attackers to cause a
  denial of service (crash) and possibly execute arbitrary code via a DVI file
  containing a crafted Adobe Font Metrics (AFM) file, different
  vulnerabilities than CVE-2010-2642 and CVE-2011-0433.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-21 19:56:38 UTC
*** Bug 444161 has been marked as a duplicate of this bug. ***
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-24 14:35:14 UTC
@ Maintainer(s): I submitted a PR which addresses the reported issues. Please review/comment, accept/decline: https://github.com/gentoo/gentoo/pull/2906
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-11-27 07:05:58 UTC
Merged:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0730b1f650e3914fc18814f3a5f6901896b8119

@fonts, ready for stable?
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-11-30 03:49:28 UTC
@arches, please stabilize:

=media-libs/t1lib-5.1.2-r1
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-01 12:51:22 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-01 12:54:04 UTC
x86 stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-02 14:21:45 UTC
Stable on alpha.
Comment 11 Markus Meier gentoo-dev 2016-12-17 15:19:15 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-01-01 12:43:41 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-03 10:38:51 UTC
ppc64 stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-09 13:46:28 UTC
Stable for HPPA.
Comment 15 Agostino Sarubbo gentoo-dev 2017-01-11 10:35:59 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2017-01-17 14:24:35 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2017-01-18 03:19:57 UTC
cleanup complete:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=13bf7cb0ff00807c17eeefce4c12fbad5ad4f0b1

New GLSA request filed.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2017-01-23 22:41:56 UTC
This issue was resolved and addressed in
 GLSA 201701-57 at https://security.gentoo.org/glsa/201701-57
by GLSA coordinator Aaron Bauman (b-man).