Bug 548638 (CVE-2015-3905) - <app-text/t1utils-1.39: buffer overflow flaw (CVE-2015-3905)
Summary: <app-text/t1utils-1.39: buffer overflow flaw (CVE-2015-3905)
Status: RESOLVED FIXED
Alias: CVE-2015-3905
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Reported: 2015-05-05 07:37 UTC by Agostino Sarubbo
Modified: 2015-07-10 08:05 UTC

Description Agostino Sarubbo gentoo-dev 2015-05-05 07:37:27 UTC
From ${URL} :

The 1.39 release of t1utils fixed a buffer overflow flaw:

https://github.com/kohler/t1utils/blob/master/NEWS

Additional details (including a reproducer):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2015-05-05 07:59:56 UTC
(In reply to Agostino Sarubbo from comment #0)

> @maintainer(s): since the fixed package is already in the tree, please let
> us know if it is ready for the stabilization or not.

yes
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-05 08:17:42 UTC
Do what?
Comment 3 Agostino Sarubbo gentoo-dev 2015-05-05 12:21:33 UTC
(In reply to Jeroen Roovers from comment #2)
> Do what?

Arches, please test and mark stable:
=app-text/t1utils-1.39
Target keywords : "alpha amd64 arm hppa ia64 ppc64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2015-05-05 12:34:55 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-07 04:50:12 UTC
Stable for PPC64.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-07 04:53:19 UTC
Stable for HPPA.
Comment 7 Jack Morgan (RETIRED) gentoo-dev 2015-05-13 05:38:52 UTC
ia64 stable
Comment 8 Pacho Ramos gentoo-dev 2015-05-15 10:57:33 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-05-19 07:25:58 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-05-27 13:02:26 UTC
arm stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:07:10 UTC
CVE-2015-3905 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3905):
  Buffer overflow in the set_cs_start function in t1disasm.c in t1utils before
  1.39 allows remote attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via a crafted font file.
Comment 12 Agostino Sarubbo gentoo-dev 2015-06-17 08:52:23 UTC
sparc stable
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-06-30 18:51:34 UTC
Ping for alpha.
Comment 14 Agostino Sarubbo gentoo-dev 2015-07-03 10:04:16 UTC
alpha stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-07-06 04:38:54 UTC
Arches, thank you for your work.

Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 16 Ben de Groot (RETIRED) gentoo-dev 2015-07-07 05:59:17 UTC
(In reply to Yury German from comment #15)
> Maintainer(s), please drop the vulnerable version(s).

Done:

+  07 Jul 2015; Ben de Groot <yngwin@gentoo.org> -t1utils-1.38.ebuild:
+  Remove vulnerable version (bug #548638)
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-07-10 08:05:47 UTC
This issue was resolved and addressed in GLSA 201507-10 at https://security.gentoo.org/glsa/201507-10 by GLSA coordinator Mikle Kolyada (Zlogene).