Some vulnerabilities have been discovered in t1lib, which can be exploited by malicious people to compromise an application using the library.

1) A boundary error within the "token()" function in lib/t1lib/parseAFM.c can be exploited to cause a heap-based buffer overflow by tricking a user into processing a specially crafted AFM font file in an application using the library. This is related to vulnerability #3 in SA42769.

2) A boundary error within the "linetoken()" function in lib/t1lib/parseAFM.c can be exploited to cause a heap-based buffer overflow by tricking a user into processing a specially crafted AFM font file in an application using the library. This is related to vulnerability #5 in SA42769.

The vulnerabilities are confirmed in version 5.1.2. Other versions may also be affected.

http://secunia.com/advisories/43491/
CVE-2011-1554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1554): Off-by-one error in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory read, integer overflow, and invalid pointer dereference, a different vulnerability than CVE-2011-0764.

CVE-2011-1553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1553): Use-after-free vulnerability in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory write, a different vulnerability than CVE-2011-0764.

CVE-2011-1552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1552): t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, reads from invalid memory locations, which allows remote attackers to cause a denial of service (application crash) via a crafted Type 1 font in a PDF document, a different vulnerability than CVE-2011-0764.

CVE-2011-0764 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0764): t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, uses an invalid pointer in conjunction with a dereference operation, which allows remote attackers to execute arbitrary code via a crafted Type 1 font in a PDF document, as demonstrated by testz.2184122398.pdf.
CVE-2011-0433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0433): Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, a different vulnerability than CVE-2010-2642.
CVE-2011-5244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5244): Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, different vulnerabilities than CVE-2010-2642 and CVE-2011-0433.
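The AFM advisories above all come down to one bug class: a fixed-size token buffer in the parser's token()/linetoken() routines is filled from attacker-controlled input without reserving room for the terminator, so a token exactly as long as the buffer writes one byte past it. The following is an added example, not t1lib's code; afm_token, afm_count_tokens and TOKEN_MAX are hypothetical names illustrating the length check that rejects an oversized token before anything is copied.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size token buffer, standing in for the parser's own. */
#define TOKEN_MAX 64

static int afm_is_space(char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

/* Copies the next whitespace-delimited token from *cursor into buf.
 * Returns the token length, 0 at end of input, or -1 when the token
 * would not fit together with its terminating NUL. On -1 the buffer is
 * untouched and *cursor stays at the token so the caller can reject
 * the file instead of continuing with a truncated or overflowed copy. */
int afm_token(const char **cursor, char buf[TOKEN_MAX]) {
    const char *p = *cursor;
    while (afm_is_space(*p)) p++;
    const char *start = p;
    while (*p && !afm_is_space(*p)) p++;
    size_t len = (size_t)(p - start);
    if (len == 0) { *cursor = p; return 0; }
    /* The off-by-one: checking `len <= TOKEN_MAX` would admit a 64-byte
     * token and then write its NUL at buf[64]. Reserve the NUL slot. */
    if (len >= TOKEN_MAX) { *cursor = start; return -1; }
    memcpy(buf, start, len);
    buf[len] = '\0';
    *cursor = p;
    return (int)len;
}

/* Walks an AFM fragment token by token and returns how many tokens it
 * holds, or -1 as soon as a token exceeds the buffer (reject the file). */
int afm_count_tokens(const char *text) {
    char buf[TOKEN_MAX];
    int count = 0, n;
    while ((n = afm_token(&text, buf)) > 0) count++;
    return n < 0 ? -1 : count;
}
```

The -1 path is the behaviour the fix needs: a malformed font is refused outright rather than parsed with a corrupted heap.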
*** Bug 444161 has been marked as a duplicate of this bug. ***
@ Maintainer(s): I submitted a PR which addresses the reported issues. Please review/comment, accept/decline: https://github.com/gentoo/gentoo/pull/2906
Merged: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0730b1f650e3914fc18814f3a5f6901896b8119 @fonts, ready for stable?
@arches, please stabilize: =media-libs/t1lib-5.1.2-r1
amd64 stable
x86 stable
Stable on alpha.
arm stable
ppc stable
ppc64 stable
Stable for HPPA.
sparc stable
ia64 stable. Maintainer(s), please cleanup.
cleanup complete: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=13bf7cb0ff00807c17eeefce4c12fbad5ad4f0b1 New GLSA request filed.
This issue was resolved and addressed in GLSA 201701-57 at https://security.gentoo.org/glsa/201701-57 by GLSA coordinator Aaron Bauman (b-man).