Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 548638 (CVE-2015-3905)

Summary: <app-text/t1utils-1.39: buffer overflow flaw (CVE-2015-3905)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: aballier, fonts, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1218365
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-05-05 07:37:27 UTC 
From ${URL} :

The 1.39 release of t1utils fixed a buffer overflow flaw:

https://github.com/kohler/t1utils/blob/master/NEWS

Additional details (including a reproducer):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2015-05-05 07:59:56 UTC 
(In reply to Agostino Sarubbo from comment #0)

> @maintainer(s): since the fixed package is already in the tree, please let
> us know if it is ready for the stabilization or not.

yes
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-05 08:17:42 UTC 
Do what?
Comment 3 Agostino Sarubbo gentoo-dev 2015-05-05 12:21:33 UTC 
(In reply to Jeroen Roovers from comment #2)
> Do what?

Arches, please test and mark stable:
=app-text/t1utils-1.39
Target keywords : "alpha amd64 arm hppa ia64 ppc64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2015-05-05 12:34:55 UTC 
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-07 04:50:12 UTC 
Stable for PPC64.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-07 04:53:19 UTC 
Stable for HPPA.
Comment 7 Jack Morgan (RETIRED) gentoo-dev 2015-05-13 05:38:52 UTC 
ia64 stable
Comment 8 Pacho Ramos gentoo-dev 2015-05-15 10:57:33 UTC 
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-05-19 07:25:58 UTC 
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-05-27 13:02:26 UTC 
arm stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:07:10 UTC 
CVE-2015-3905 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3905):
  Buffer overflow in the set_cs_start function in t1disasm.c in t1utils before
  1.39 allows remote attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via a crafted font file.
Comment 12 Agostino Sarubbo gentoo-dev 2015-06-17 08:52:23 UTC 
sparc stable
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-06-30 18:51:34 UTC 
Ping for alpha.
Comment 14 Agostino Sarubbo gentoo-dev 2015-07-03 10:04:16 UTC 
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-07-06 04:38:54 UTC 
Arches, Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 16 Ben de Groot (RETIRED) gentoo-dev 2015-07-07 05:59:17 UTC 
(In reply to Yury German from comment #15)
> Maintainer(s), please drop the vulnerable version(s).

Done:

+  07 Jul 2015; Ben de Groot <yngwin@gentoo.org> -t1utils-1.38.ebuild:
+  Remove vulnerable version (bug #548638)
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-07-10 08:05:47 UTC 
This issue was resolved and addressed in
 GLSA 201507-10 at https://security.gentoo.org/glsa/201507-10
by GLSA coordinator Mikle Kolyada (Zlogene).