Package: t1lib Version: 5.1.2-3 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu precise ubuntu-patch
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764 *** /tmp/tmpP7Dzmm In Ubuntu, the attached patch was applied to achieve the following: Prevents an invalid pointer from being dereferenced when using a maliciously crafted font. * SECURITY UPDATE: Arbitrary code execution via crafted Type 1 font - lib/type1/type1.c: Only use ppoints when it is a valid pointer - CVE-2011-0764 Thanks for considering the patch. -- System Information: Debian Release: wheezy/sid APT prefers oneiric-updates APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 'oneiric') Architecture: amd64 (x86_64) Kernel: Linux 3.0.0-14-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
--- t1lib-5.1.2.orig/debian/patches/CVE-2011-0764.patch +++ t1lib-5.1.2/debian/patches/CVE-2011-0764.patch @@ -0,0 +1,31 @@ +Description: Don't lookup previous point if there isn't any +Author: Marc Deslauriers <marc.deslauri...@canonical.com> + +Index: t1lib-5.1.2/lib/type1/type1.c +=================================================================== +--- t1lib-5.1.2.orig/lib/type1/type1.c 2011-12-13 14:24:14.280965637 -0600 ++++ t1lib-5.1.2/lib/type1/type1.c 2011-12-13 14:25:25.893320747 -0600 +@@ -1700,6 +1700,7 @@ + long pindex = 0; + + /* compute hinting for previous segment! */ ++ if (ppoints == NULL) Error0i("RLineTo: No previous point!\n"); + FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy); + + /* Allocate a new path point and pre-setup data */ +@@ -1728,6 +1729,7 @@ + long pindex = 0; + + /* compute hinting for previous point! */ ++ if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n"); + FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1); + + /* Allocate three new path points and pre-setup data */ +@@ -1903,6 +1905,7 @@ + FindStems( currx, curry, 0, 0, dx, dy); + } + else { ++ if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n"); + FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy); + } +