t1utils: CVE-2015-3905: buffer overflow in set_cs_start

Related Vulnerabilities: CVE-2015-3905  

Debian Bug report logs - #779274
t1utils: CVE-2015-3905: buffer overflow in set_cs_start


Package: t1utils; Maintainer for t1utils is Niels Thykier <niels@thykier.net>; Source for t1utils is src:t1utils (PTS, buildd, popcon).

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Thu, 26 Feb 2015 11:33:02 UTC

Severity: grave

Tags: security

Found in versions t1utils/1.37-1, t1utils/1.38-3

Fixed in versions t1utils/1.39-1, t1utils/1.38-4

Done: Niels Thykier <niels@thykier.net>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/kohler/t1utils/issues/4



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Niels Thykier <niels@thykier.net>:
Bug#779274; Package t1utils. (Thu, 26 Feb 2015 11:33:07 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: t1disasm: buffer overflow in set_cs_start
Date: Thu, 26 Feb 2015 12:32:01 +0100
Package: t1utils
Version: 1.38-3
Severity: grave
Tags: security
Usertags: afl

$ t1asm crash.raw crash.pfb
t1asm: warning: no charstrings found in input file

$ t1disasm crash.pfb /dev/null
Segmentation fault

Backtrace:

#0  ___fprintf_chk (fp=0x6f6f6f6f, flag=1, format=0x804eedc "%.*s") at fprintf_chk.c:30
#1  0x0804d653 in fprintf (__fmt=0x804eedc "%.*s", __stream=<optimized out>) at /usr/include/i386-linux-gnu/bits/stdio2.h:97
#2  eexec_line (line=0xffffd320 "/m", 'o' <repeats 36 times>, "{string currentfile exch readstring pop}executeonly def\n", line_len=<optimized out>, line_len@entry=94) at t1disasm.c:462
#3  0x0804e05e in disasm_output_binary (data=0xffffd320 "/m", 'o' <repeats 36 times>, "{string currentfile exch readstring pop}executeonly def\n", len=94) at t1disasm.c:595
#4  0x0804cf67 in process_pfb (ifp=0x80531c0, ifp_filename=0xffffd9ff "crash.pfb", fr=0xffffd760) at t1lib.c:295
#5  0x08048f41 in main (argc=3, argv=0xffffd834) at t1disasm.c:770

This happened because set_cs_start overwrote the file pointer with data 
from the disassembled file.

I believe the bug can be exploited for code execution, at least on 
systems that don't have executable space protection.

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages t1utils depends on:
ii  libc6  2.19-15

-- 
Jakub Wilk
[crash.raw (text/plain, attachment)]

Set Bug forwarded-to-address to 'https://github.com/kohler/t1utils/issues/4'. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Thu, 26 Feb 2015 15:42:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Niels Thykier <niels@thykier.net>:
Bug#779274; Package t1utils. (Thu, 26 Feb 2015 18:24:08 GMT)


Message #8 received at 779274@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 779274@bugs.debian.org
Subject: Re: Bug#779274: t1disasm: buffer overflow in set_cs_start
Date: Thu, 26 Feb 2015 19:21:43 +0100
* Jakub Wilk <jwilk@debian.org>, 2015-02-26, 12:32:
>$ t1asm crash.raw crash.pfb
>t1asm: warning: no charstrings found in input file

Now with crash.pfb also attached.

-- 
Jakub Wilk
[crash.pfb (application/x-font, attachment)]

Reply sent to Niels Thykier <niels@thykier.net>:
You have taken responsibility. (Sat, 28 Feb 2015 09:54:05 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Sat, 28 Feb 2015 09:54:05 GMT)


Message #13 received at 779274-close@bugs.debian.org:

From: Niels Thykier <niels@thykier.net>
To: 779274-close@bugs.debian.org
Subject: Bug#779274: fixed in t1utils 1.39-1
Date: Sat, 28 Feb 2015 09:50:58 +0000
Source: t1utils
Source-Version: 1.39-1

We believe that the bug you reported is fixed in the latest version of
t1utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779274@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated t1utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 28 Feb 2015 08:53:38 +0100
Source: t1utils
Binary: t1utils
Architecture: source
Version: 1.39-1
Distribution: experimental
Urgency: medium
Maintainer: Niels Thykier <niels@thykier.net>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
 t1utils    - Collection of simple Type 1 font manipulation programs
Closes: 779274
Changes:
 t1utils (1.39-1) experimental; urgency=medium
 .
   * New upstream release.
     - Fix infinite loop in t1disasm on some fonts.
     - Fix leak of va_list by adding necessary va_end calls.
     - Fix buffer-overflow that can reliably overwrite a
       FILE* pointer.  (Closes: #779274)
   * Drop patch for the infinite loop in t1disasm, since it is
     included in the upstream release.
Checksums-Sha1:
 d053866efeadfdf28efdbb2da77493fcbac55d6b 1704 t1utils_1.39-1.dsc
 655711f5150dd75e45bdc6b81ddb87ff16b0d567 65681 t1utils_1.39.orig.tar.gz
 8056fbacd0a28208cb158ffca94db808913cf778 5928 t1utils_1.39-1.debian.tar.xz
Checksums-Sha256:
 aba5f8c2280a1d1b6c014a8014d60ec3c17d57407f1ce35ecf82952f1b734759 1704 t1utils_1.39-1.dsc
 13d7e8f5095fbabce23dc8a91278c7d347cec1564202370236207d3a7c1ab6b8 65681 t1utils_1.39.orig.tar.gz
 cd1310aee01267cfc07f94b20b2e6016769cd79ec843e4b32363787648eb0f76 5928 t1utils_1.39-1.debian.tar.xz
Files:
 96bf33b585f3f8ffc19132eed1b455b7 1704 text optional t1utils_1.39-1.dsc
 1084d7722d64b9a0d20819c60cacfa58 65681 text optional t1utils_1.39.orig.tar.gz
 4afec396395f0f49deedbec67519cff6 5928 text optional t1utils_1.39-1.debian.tar.xz


Reply sent to Niels Thykier <niels@thykier.net>:
You have taken responsibility. (Sun, 01 Mar 2015 21:51:17 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Sun, 01 Mar 2015 21:51:17 GMT)


Message #18 received at 779274-close@bugs.debian.org:

From: Niels Thykier <niels@thykier.net>
To: 779274-close@bugs.debian.org
Subject: Bug#779274: fixed in t1utils 1.38-4
Date: Sun, 01 Mar 2015 21:50:01 +0000
Source: t1utils
Source-Version: 1.38-4

We believe that the bug you reported is fixed in the latest version of
t1utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779274@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated t1utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 01 Mar 2015 22:30:57 +0100
Source: t1utils
Binary: t1utils
Architecture: source amd64
Version: 1.38-4
Distribution: unstable
Urgency: medium
Maintainer: Niels Thykier <niels@thykier.net>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
 t1utils    - Collection of simple Type 1 font manipulation programs
Closes: 779274
Changes:
 t1utils (1.38-4) unstable; urgency=medium
 .
   * Add bounds check for cs_start buffer.  (Closes: #779274)
   * Increase the size of cs_start to 1024 from 10 to support
     longer values.  This is closer to the spirit of upstream's
     fix, which supports arbitrarily long values provided the
     machine has enough memory.
Checksums-Sha1:
 2a7618557b7d26b5e1b714a8050dbaaad5e1b621 1707 t1utils_1.38-4.dsc
 7af5667eac30e0ac418b49acc13ef488a4a933c9 7560 t1utils_1.38-4.debian.tar.xz
 638054225965eee43f5986787ba4fcc408cb7e6a 58186 t1utils_1.38-4_amd64.deb
Checksums-Sha256:
 b116aa2cfa287418f350e259f4377a71ea160e72f9071ceb4a347e8ff358976b 1707 t1utils_1.38-4.dsc
 7356a6e9cafdf69af42d17fac2bf55f5cd71c41513a8beaaab4e2c07e7edd6e2 7560 t1utils_1.38-4.debian.tar.xz
 853f7f2786d612104dabb6810ddd191a35a4aa67d375a36c31b49ac9a4bb66ca 58186 t1utils_1.38-4_amd64.deb
Files:
 0bdc010ce8a91cf13c08fde926cbb00d 1707 text optional t1utils_1.38-4.dsc
 5012900e5406fed93ca147feb30a2557 7560 text optional t1utils_1.38-4.debian.tar.xz
 d408fe4f18189ac6dc64795eea8949f9 58186 text optional t1utils_1.38-4_amd64.deb


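The following C program is an added illustration written for this bug log; it is not code from t1utils, from Jakub Wilk's report, or from either upload. It models the pattern behind the root cause stated in message #3 (set_cs_start copying a name from the font into a fixed buffer and overwriting the neighbouring FILE* pointer) and the two fixes named in the changelogs: the Debian 1.38-4 bounds check on a fixed cs_start buffer and the upstream 1.39 approach of sizing the buffer to the value. The line shape, the function names find_cs_name, set_cs_start_bounded and set_cs_start_dynamic, and the sample inputs are all assumptions; only the buffer size 10 is taken from the changelog. Note that the crashing line in the backtrace carries a 37-character name made of 'm' followed by 36 'o' bytes, and the clobbered file pointer reads fp=0x6f6f6f6f, which is four 'o' bytes (0x6f), exactly what a length-unchecked copy of that name into a 10-byte buffer would leave behind.

```c
/* Added illustration (not t1utils' own code) of the cs_start pattern.
 * A Type 1 font names its charstring-reading procedure on a line such as
 *   /RD {string currentfile exch readstring pop} executeonly def
 * and a disassembler remembers that name ("RD") to recognise charstrings
 * later.  Copying a name of arbitrary length into a 10-byte buffer without
 * checking its length is the defect; both fixes below check before copying. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CS_START_SIZE 10   /* buffer size of the affected version, per the changelog */

/* Locate the procedure name that precedes "{string currentfile" on a line.
 * On success *start points at the first character of the name and *len is
 * its length; nothing is copied here, so nothing can overflow.
 * Returns 0 if the line does not define the procedure.
 * (Assumed line shape; the real parser may differ.) */
static int find_cs_name(const char *line, const char **start, size_t *len)
{
    const char *p = strstr(line, "{string currentfile");
    if (p == NULL)
        return 0;
    const char *end = p;
    while (end > line && isspace((unsigned char)end[-1]))
        end--;                                   /* skip blanks before '{' */
    const char *s = end;
    while (s > line && s[-1] != '/' && !isspace((unsigned char)s[-1]))
        s--;                                     /* back up to the start of "/name" */
    if (s == end)
        return 0;
    *start = s;
    *len = (size_t)(end - s);
    return 1;
}

/* Fix in the style of the Debian 1.38-4 change: keep a fixed buffer but
 * refuse any name that does not fit together with its NUL terminator.
 * Returns 1 on success, 0 if no definition was found, -1 if the name is too
 * long for the buffer (the input the unchecked code mishandled). */
int set_cs_start_bounded(const char *line, char *out, size_t out_size)
{
    const char *name;
    size_t len;
    if (!find_cs_name(line, &name, &len))
        return 0;
    if (len + 1 > out_size)                      /* the missing length check */
        return -1;
    memcpy(out, name, len);
    out[len] = '\0';
    return 1;
}

/* Fix in the style of the upstream 1.39 change: size the buffer to the name
 * rather than the name to the buffer.  Caller frees the result; NULL means
 * the line defined nothing or allocation failed. */
char *set_cs_start_dynamic(const char *line)
{
    const char *name;
    size_t len;
    if (!find_cs_name(line, &name, &len))
        return NULL;
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, name, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: a normal definition and one shaped like the
     * crashing line from the backtrace ('m' followed by 36 'o'). */
    const char *normal  = "/RD {string currentfile exch readstring pop} executeonly def";
    const char *hostile = "/m" "oooooo" "oooooo" "oooooo" "oooooo" "oooooo" "oooooo"
                          "{string currentfile exch readstring pop}executeonly def";
    char buf[CS_START_SIZE];

    printf("normal  -> %d\n", set_cs_start_bounded(normal, buf, sizeof buf));   /* 1, buf = "RD" */
    printf("hostile -> %d\n", set_cs_start_bounded(hostile, buf, sizeof buf));  /* -1, rejected */

    char *dyn = set_cs_start_dynamic(hostile);
    printf("dynamic -> %zu chars\n", dyn ? strlen(dyn) : (size_t)0);          /* 37 */
    free(dyn);
    return 0;
}
```

The bounded variant is the smaller patch and is what a stable update wants: it changes no data layout and turns the overflow into a clean parse failure. The dynamic variant accepts any well-formed font, at the cost of an allocation the caller must free; either way the check happens before the copy, which is the property the original code lacked.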
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 03 Apr 2015 07:29:48 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 13 May 2015 16:45:08 GMT)


Marked as found in versions t1utils/1.37-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 13 May 2015 16:45:09 GMT)


Changed Bug title to 't1utils: CVE-2015-3905: buffer overflow in set_cs_start' from 't1disasm: buffer overflow in set_cs_start'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 May 2015 20:48:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 20 Jun 2015 07:30:30 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:45:33 2019; Machine Name: beach
