Your message dated Sun, 01 Mar 2015 21:50:01 +0000
with message-id <[email protected]>
and subject line Bug#779274: fixed in t1utils 1.38-4
has caused the Debian Bug report #779274,
regarding t1disasm: buffer overflow in set_cs_start
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
779274: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: t1utils
Version: 1.38-3
Severity: grave
Tags: security
Usertags: afl

$ t1asm crash.raw crash.pfb
t1asm: warning: no charstrings found in input file

$ t1disasm crash.pfb /dev/null
Segmentation fault

Backtrace:

#0  ___fprintf_chk (fp=0x6f6f6f6f, flag=1, format=0x804eedc "%.*s") at fprintf_chk.c:30
#1  0x0804d653 in fprintf (__fmt=0x804eedc "%.*s", __stream=<optimized out>) at /usr/include/i386-linux-gnu/bits/stdio2.h:97
#2  eexec_line (line=0xffffd320 "/m", 'o' <repeats 36 times>, "{string currentfile exch readstring pop}executeonly def\n", line_len=<optimized out>, line_len@entry=94) at t1disasm.c:462
#3  0x0804e05e in disasm_output_binary (data=0xffffd320 "/m", 'o' <repeats 36 times>, "{string currentfile exch readstring pop}executeonly def\n", len=94) at t1disasm.c:595
#4  0x0804cf67 in process_pfb (ifp=0x80531c0, ifp_filename=0xffffd9ff "crash.pfb", fr=0xffffd760) at t1lib.c:295
#5  0x08048f41 in main (argc=3, argv=0xffffd834) at t1disasm.c:770

This happened because set_cs_start overwrote the file pointer with data from the disassembled file.

I believe the bug can be exploited for code execution, at least on systems that don't have executable space protection.

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages t1utils depends on:
ii  libc6  2.19-15

--
Jakub Wilk

currentfile eexec
/moooooooooooooooooooooooooooooooooooo{string currentfile exch readstring pop}executeonly def

--- End Message ---
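The report above describes a fixed-size cs_start buffer (10 bytes in 1.38-3) receiving an arbitrarily long charstring-start name and overwriting the adjacent file pointer. The following is an added illustration, not t1utils' own code: a hypothetical bounds-checked `set_cs_start_checked` that extracts the name from the `/name {string currentfile ...}` definition and refuses it when it would not fit, run against a normal definition and a constructed copy of the reporter's 37-byte name with both the old and the new buffer size.

```c
/* Added example, not t1utils code: the bug class behind Bug#779274.
 * A Type 1 font names its charstring-start token on a line such as
 *   /RD {string currentfile exch readstring pop} executeonly def
 * and the disassembler keeps the name after '/' to recognise charstring
 * data later.  In 1.38-3 that name went into a 10-byte cs_start buffer
 * with no length check; a 37-byte name overran it and hit the FILE *. */
#include <stdio.h>
#include <string.h>
#define CS_START_MAX 1024  /* buffer size chosen by the 1.38-4 fix */

/* Constructed inputs: a normal definition and the reporter's
 * "/m" + 36 x 'o' line (the 36 'o' written as 10+10+10+6). */
static const char RD_LINE[] =
    "/RD {string currentfile exch readstring pop} executeonly def\n";
static const char CRASH_LINE[] =
    "/m" "oooooooooo" "oooooooooo" "oooooooooo" "oooooo"
    "{string currentfile exch readstring pop}executeonly def\n";

/* Hypothetical bounds-checked set_cs_start: copy the token between '/'
 * and "{string currentfile" into out, refusing (not truncating, which
 * would make later charstring matching misfire) when it does not fit.
 * Returns the token length, or -1 on no match or overflow. */
static int set_cs_start_checked(const char *line, char *out, size_t outsz)
{
    const char *slash = strchr(line, '/');
    if (slash == NULL) return -1;
    const char *name = slash + 1;
    const char *end = strstr(name, "{string currentfile");
    if (end == NULL) return -1;
    while (end > name && end[-1] == ' ') end--;  /* spaces before '{' */
    size_t len = (size_t)(end - name);
    if (len == 0 || len >= outsz) return -1;     /* keep room for NUL */
    memcpy(out, name, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char small[10], big[CS_START_MAX];  /* 1.38-3 vs 1.38-4 sizes */
    printf("RD line, 10-byte buffer: %d\n",
           set_cs_start_checked(RD_LINE, small, sizeof small));
    printf("crash line, 10-byte buffer: %d\n",
           set_cs_start_checked(CRASH_LINE, small, sizeof small));
    printf("crash line, 1024-byte buffer: %d\n",
           set_cs_start_checked(CRASH_LINE, big, sizeof big));
    return 0;
}
```

With the 10-byte buffer the crash line is rejected (-1) instead of overflowing; with the 1024-byte buffer the 37-byte name is accepted.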
--- Begin Message ---
Source: t1utils
Source-Version: 1.38-4

We believe that the bug you reported is fixed in the latest version of
t1utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <[email protected]> (supplier of updated t1utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sun, 01 Mar 2015 22:30:57 +0100
Source: t1utils
Binary: t1utils
Architecture: source amd64
Version: 1.38-4
Distribution: unstable
Urgency: medium
Maintainer: Niels Thykier <[email protected]>
Changed-By: Niels Thykier <[email protected]>
Description:
 t1utils    - Collection of simple Type 1 font manipulation programs
Closes: 779274
Changes:
 t1utils (1.38-4) unstable; urgency=medium
 .
   * Add bounds check for cs_start buffer.  (Closes: #779274)
   * Increase the size of cs_start to 1024 from 10 to support
     longer values.  This is closer to the spirit of upstream's
     fix, which supports arbitrarily long values provided the
     machine has enough memory.


--- End Message ---
