Bug 193437

Summary:	<media-libs/t1lib-5.0.2-r1 "intT1_EnvGetCompletePath()" Buffer Overflow (CVE-2007-4033)
Product:	Gentoo Security	Reporter:	Pierre-Yves Rofes (RETIRED) <py>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	fonts
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://secunia.com/advisories/26241/
Whiteboard:	B2 [glsa]
Package list:		Runtime testing required:	---

Description Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-09-22 18:07:16 UTC

Hamid Ebadi has reported a vulnerability in t1lib, which can be exploited by malicious users to potentially compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "intT1_EnvGetCompletePath()" function in lib/t1lib/t1env.c. This can be exploited to cause a buffer overflow when an application processes an overly long string in the "FileName" parameter.

The vulnerability is reported in version 5.1.1. Other versions may also be affected.

Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-09-22 18:11:56 UTC

Advisory mentions 5.1.1, but our last version (5.0.2) is also affected. Ubuntu released a patch for this: 
http://security.ubuntu.com/ubuntu/pool/main/t/t1lib/t1lib_5.1.0-2ubuntu0.6.06.1.diff.gz

The relevant part should be:
---------------------------------------------------
--- t1lib-5.1.0.orig/lib/t1lib/t1env.c
+++ t1lib-5.1.0/lib/t1lib/t1env.c
@@ -611,6 +611,12 @@
 #endif 
     strcat( pathbuf, DIRECTORY_SEP);
     /* And finally the filename: */
+    /* If current pathbuf + StrippedName + 1 byte for NULL is bigger than pathbuf
+       let's try next pathbuf */
+    if( strlen(pathbuf) + strlen(StrippedName) + 1 > sizeof(pathbuf) ) {
+	i++;
+    	continue;
+    }
     strcat( pathbuf, StrippedName);
     
     /* Check for existence of the path: */
----------------------------------------------------

Fonts, please provide an updated ebuild. and maybe combine this with bug 130362.

Comment 2 Ryan Hill (RETIRED) gentoo-dev

2007-09-22 19:13:37 UTC

media-libs/t1lib-5.0.2-r1 and t1lib-5.1.1 are in the tree.  5.0.2-r1 is the target for stabilization.  thanks.

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2007-09-22 19:43:05 UTC

Ubuntu mentions CVE-2007-4033 with this bug, but I doubt that is correct.
If so, we should request a name for this issue.

Thanks Ryan.
Arches, please test and mark stable media-libs/t1lib-5.0.2-r1.
Targets are: "alpha amd64 arm hppa ia64 mips ppc ppc-macos ppc64 s390 sh sparc x86"

Comment 4 Jurek Bartuszek (RETIRED) gentoo-dev

2007-09-22 23:21:22 UTC

x86 stable

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2007-09-23 04:26:18 UTC

Stable for HPPA.

Comment 6 Raúl Porcel (RETIRED) gentoo-dev

2007-09-23 13:41:05 UTC

alpha/ia64 stable

Comment 7 Markus Rothe (RETIRED) gentoo-dev

2007-09-24 19:07:56 UTC

ppc64 stable

Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev

2007-09-25 17:10:12 UTC

ppc stable

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2007-09-25 17:58:50 UTC

sparc stable

Comment 10 Fabian Groffen gentoo-dev

2007-09-25 20:50:58 UTC

ppc-macos keyword moved to prefix

Comment 11 Togge 2007-09-26 09:43:40 UTC

--- amd64 ---
 
media-libs/t1lib-5.0.2-r1 - USE: X -doc

1: emerges
2: passes collision-protect, (multilib-)strict, test
3: works (kpdf emerges fine and workes)

Portage 2.1.3.9 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r5 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r5 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
Timestamp of tree: Wed, 26 Sep 2007 04:00:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r5
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -ggdb -march=athlon64 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/init.d /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -ggdb -march=athlon64 -pipe"
DISTDIR="/tmp/portage"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms splitdebug strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ds.thn.htu.se/linux/gentoo 		http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ 		http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ 		http://mirror.switch.ch/mirror/gentoo/ 		http://trumpetti.atm.tut.fi/gentoo/"
LANG="en_US.utf-8"
LINGUAS="en sv"
MAKEOPTS="-j3"
PKGDIR="/tmp/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/private"
SYNC="rsync://dx/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi aiglx alsa amd64 apache2 arts asf avi bash-completion berkdb bitmap-fonts branding browserplugin cairo ccache cdr cli cpudetection cracklib crypt cscope css cups cvs dbus divx divx4linux dlloader dri dvd dvdr dvdread eds emboss encode esd evo fam ffmpeg firefox flac foomaticdb fortran freetype gdbm geoip gif gimp gmedia gnokii gnome gpm gstreamer gtk hal http iconv ieee1394 imap imlib ipv6 isdnlog java javascript jfs jpeg kde kdeenablefinal kdehiddenvisibility kdepim kerberos logitech-mouse mad madwifi maildir midi mikmod mmx mmx2 mmxext mono mozbranding moznopango mozsvg mp3 mpeg mplayer msn mudflap mysql ncurses nls nptl nptlonly nsplugin ntfs nvidia obex ogg oggvorbis opengl openmp oss pam pcre pdf pdflib perl png pppd python qt qt3 qt3support qt4 quicktime readline realmedia reflection reiserfs samba scanner sdl session spell spl sse sse2 ssl subversion svg symlink tcpd test tetex theora threads tiff truetype truetype-fonts type1-fonts udev unicode usb v4l v4l2 vim-syntax vim-with-x visualization vorbis wifi wmf wmp wxwindows xcomposite xface xfs xine xinerama xml xorg xosd xpm xprint xv xvid zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en sv" USERLAND="GNU" VIDEO_CARDS="nv nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 12 Christoph Mende (RETIRED) gentoo-dev

2007-09-26 12:26:21 UTC

amd64 stable

Comment 13 Robert Buchholz (RETIRED) gentoo-dev

2007-09-26 12:35:00 UTC

[glsa] then.

Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-10-13 08:40:53 UTC

GLSA 200710-12

Comment 15 Robert Buchholz (RETIRED) gentoo-dev

2009-05-28 15:54:26 UTC

A tree audit revealed that this never got stabled on HPPA.

Comment 16 Robert Buchholz (RETIRED) gentoo-dev

2009-05-28 15:54:46 UTC

Arches, please test and mark stable:
=media-libs/t1lib-5.0.2-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 arm ia64 ppc ppc64 s390 sh sparc x86"
Missing keywords: "hppa"

Comment 17 Jeroen Roovers (RETIRED) gentoo-dev

2009-05-28 16:08:34 UTC

Looks like I stabilised the ChangeLog back then. HPPA is all done now. :)

Comment 18 Robert Buchholz (RETIRED) gentoo-dev

2009-05-29 10:35:40 UTC

thanks, closing again.