Package: t1utils
Version: 1.38-3
Severity: grave
Tags: security
Usertags: afl

$ t1asm crash.raw crash.pfb
t1asm: warning: no charstrings found in input file

$ t1disasm crash.pfb /dev/null
Segmentation fault

Backtrace:

#0  ___fprintf_chk (fp=0x6f6f6f6f, flag=1, format=0x804eedc "%.*s") at fprintf_chk.c:30
#1  0x0804d653 in fprintf (__fmt=0x804eedc "%.*s", __stream=<optimized out>) at /usr/include/i386-linux-gnu/bits/stdio2.h:97
#2  eexec_line (line=0xffffd320 "/m", 'o' <repeats 36 times>, "{string currentfile exch readstring pop}executeonly def\n", line_len=<optimized out>, line_len@entry=94) at t1disasm.c:462
#3  0x0804e05e in disasm_output_binary (data=0xffffd320 "/m", 'o' <repeats 36 times>, "{string currentfile exch readstring pop}executeonly def\n", len=94) at t1disasm.c:595
#4  0x0804cf67 in process_pfb (ifp=0x80531c0, ifp_filename=0xffffd9ff "crash.pfb", fr=0xffffd760) at t1lib.c:295
#5  0x08048f41 in main (argc=3, argv=0xffffd834) at t1disasm.c:770

This happened because set_cs_start overwrote the file pointer with data from the disassembled file.

I believe the bug can be exploited for code execution, at least on systems that don't have executable space protection.

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages t1utils depends on:
ii  libc6  2.19-15

--
Jakub Wilk
currentfile eexec
/moooooooooooooooooooooooooooooooooooo{string currentfile exch readstring pop}executeonly def
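As an added illustration (this is not t1utils' own code, and the buffer size, struct layout and function names are assumptions), the following C shows the defensive shape of the step the report blames: the charstring-start token is copied into a fixed stack buffer only after its length has been checked, so an overlong name like the 36-'o' one in crash.raw is rejected instead of running past the buffer into the neighbouring FILE pointer (the 0x6f6f6f6f, "oooo", seen as fp in frame #0). The main() reads one line from stdin, which is the harness shape a fuzzer such as afl can drive directly.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not t1utils code: buffer size, struct layout and names
 * are assumptions chosen to mirror the situation the backtrace shows
 * (a small fixed buffer with a FILE pointer stored right after it). */
#define CS_NAME_MAX 16   /* room for the name plus the terminating NUL */

struct parse_state {
    char cs_name[CS_NAME_MAX];   /* fixed-size buffer for the "/name" token */
    FILE *out;                   /* sits after it, like the fp that got clobbered */
};

/* Length of the name following a leading '/', up to the first '{' or blank.
 * Returns 0 when the line is not a "/name{... readstring ...}" definition. */
size_t cs_name_length(const char *line)
{
    size_t i;
    if (line[0] != '/')
        return 0;
    for (i = 1; line[i] != '\0'; i++) {
        if (line[i] == '{' || line[i] == ' ' || line[i] == '\t' || line[i] == '\n')
            break;
    }
    if (strstr(line + i, "readstring") == NULL)
        return 0;
    return i - 1;
}

/* Bounds-checked copy of the token. Returns 0 on success and -1 when the
 * token would not fit; on -1 the state is left untouched, so nothing past
 * cs_name (in particular 'out') can be overwritten. */
int set_cs_start_checked(struct parse_state *st, const char *line)
{
    size_t n = cs_name_length(line);
    if (n == 0 || n >= CS_NAME_MAX)      /* need n + 1 bytes including the NUL */
        return -1;
    memcpy(st->cs_name, line + 1, n);
    st->cs_name[n] = '\0';
    return 0;
}

/* Parse one line into a fresh state; returns 1 if it was accepted and the
 * neighbouring pointer is intact afterwards, 0 if it was rejected. */
int accept_cs_line(const char *line)
{
    struct parse_state st = { "", stdout };
    if (set_cs_start_checked(&st, line) != 0)
        return 0;
    return st.out == stdout;
}

/* Stand-alone driver in the shape of a fuzzing harness: one line of input
 * from stdin is handed to the parser, so a fuzzer can mutate it directly. */
int main(void)
{
    struct parse_state st = { "", stdout };
    char line[256];
    if (fgets(line, sizeof line, stdin) == NULL)
        return 0;
    if (set_cs_start_checked(&st, line) != 0) {
        fprintf(st.out, "rejected charstring-start line\n");
        return 1;
    }
    fprintf(st.out, "charstring start token: /%s\n", st.cs_name);
    return 0;
}
```

Feeding the crash.raw line above into this harness (e.g. `./harness < crash.raw`) produces the rejection message rather than a crash; a short name such as `/m{string currentfile exch readstring pop}executeonly def` is accepted. The length test is the whole fix: the copy itself is the same memcpy either way.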
