Bug#773391: unblock: t1utils/1.38-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package t1utils as it fixes a DoS (infinite loop) via a
crafted font package (#772774). This indirectly affects Lintian as
well, because lintian uses t1disasm (from t1utils) to analyse some
font packages.

If you prefer, we can also defer this to post-Jessie given the bug is
not RC. If so, let me know, so I can set the necessary tags and retitle
the bug accordingly.

unblock t1utils/1.38-3

The debdiff is below. For reference, my original solution (mentioned
in the changelog) was to error out if the newly read "block_len" was
negative (due to an overflow).

Thanks,
~Niels
*** ../t1utils.debdiff
diff -Nru t1utils-1.38/debian/changelog t1utils-1.38/debian/changelog
--- t1utils-1.38/debian/changelog 2014-10-14 20:14:48.000000000 +0200
+++ t1utils-1.38/debian/changelog 2014-12-11 18:43:32.000000000 +0100
@@ -1,3 +1,19 @@
+t1utils (1.38-3) unstable; urgency=medium
+
+ * Replace the Debian patch for #772774 with upstreams
+ own version for the same issue.
+
+ -- Niels Thykier <niels@thykier.net> Thu, 11 Dec 2014 18:43:27 +0100
+
+t1utils (1.38-2) unstable; urgency=medium
+
+ * Apply patch to avoid infinite loop on some fonts files
+ in t1disasm. Thanks to Jakub Wilk for reporting and the
+ "American fuzzy lop" tool for creating the crafted font
+ file. (Closes: #772774)
+
+ -- Niels Thykier <niels@thykier.net> Thu, 11 Dec 2014 17:58:11 +0100
+
t1utils (1.38-1) unstable; urgency=medium
* New upstream release.
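Review bot: "upstreams own version" in the 1.38-3 entry wants an apostrophe ("upstream's own version"), and since this entry supersedes the Debian patch from 1.38-2 it would help the release team if the changelog named the upstream commit it now carries (1b33735, as the patch filename does), so the provenance is visible from the changelog alone.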
diff -Nru t1utils-1.38/debian/patches/commit-1b33735.patch t1utils-1.38/debian/patches/commit-1b33735.patch
--- t1utils-1.38/debian/patches/commit-1b33735.patch 1970-01-01 01:00:00.000000000 +0100
+++ t1utils-1.38/debian/patches/commit-1b33735.patch 2014-12-11 18:38:40.000000000 +0100
@@ -0,0 +1,71 @@
+From 1b3373527dd2c8928e9db7cbfd7cde4d70b85fe5 Mon Sep 17 00:00:00 2001
+From: Eddie Kohler <ekohler@gmail.com>
+Date: Thu, 11 Dec 2014 12:33:11 -0500
+Subject: [PATCH] Fix infinite loop reported by Jakup Wilk via Niels Thykier.
+
+---
+ t1lib.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/t1lib.c b/t1lib.c
+index 6b49a19..f34fa0a 100644
+--- a/t1lib.c
++++ b/t1lib.c
+@@ -244,9 +244,9 @@ void
+ process_pfb(FILE *ifp, const char *ifp_filename, struct font_reader *fr)
+ {
+ int blocktyp = 0;
+- int block_len = 0;
++ unsigned block_len = 0;
+ int c = 0;
+- int filepos = 0;
++ unsigned filepos = 0;
+ int linepos = 0;
+ char line[LINESIZE];
+
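Review bot: the declaration change is the whole fix, so a one-line comment on `block_len` saying why it is `unsigned` would help the next reader: the value is assembled from four file bytes further down, and as an `int` a top byte of 0x80 or above left it negative, which is the state both the infinite loop and the earlier Debian patch's "negative block_len" check hinged on. Separately, `linepos` stays `int` while `rest` (computed as `LINESIZE - 1 - linepos` in a later hunk) becomes `unsigned`, so it is worth confirming that `linepos` can never exceed `LINESIZE - 1`, as that subtraction would now wrap to a huge `rest` instead of going negative.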
+@@ -260,7 +260,7 @@ process_pfb(FILE *ifp, const char *ifp_filename, struct font_reader *fr)
+ if (c == EOF || blocktyp == EOF)
+ error("%s corrupted: no end-of-file marker", ifp_filename);
+ else
+- error("%s corrupted: bad block marker at position %d",
++ error("%s corrupted: bad block marker at position %u",
+ ifp_filename, filepos);
+ blocktyp = PFB_DONE;
+ }
+@@ -270,9 +270,9 @@ process_pfb(FILE *ifp, const char *ifp_filename, struct font_reader *fr)
+ block_len = getc(ifp) & 0xFF;
+ block_len |= (getc(ifp) & 0xFF) << 8;
+ block_len |= (getc(ifp) & 0xFF) << 16;
+- block_len |= (getc(ifp) & 0xFF) << 24;
++ block_len |= (unsigned) (getc(ifp) & 0xFF) << 24;
+ if (feof(ifp)) {
+- error("%s corrupted: bad block length at position %d",
++ error("%s corrupted: bad block length at position %u",
+ ifp_filename, filepos);
+ blocktyp = PFB_DONE;
+ goto done;
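Review bot: the `(unsigned)` cast on the fourth byte is needed for more than matching the new type: `(getc(ifp) & 0xFF) << 24` with an `int` operand is undefined behaviour whenever that byte is 0x80 or above, because the result does not fit in a signed 32-bit int; the cast makes the shift unsigned and well defined. The first three shifts can stay `int` since they cannot reach bit 31. Also note that `getc` returning EOF (-1 on glibc) yields 0xFF after the mask, so the `feof` check right after this is the only thing distinguishing a truncated length field from a genuine one; a comment saying so would save a future reader from "simplifying" it away.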
+@@ -282,11 +282,11 @@ process_pfb(FILE *ifp, const char *ifp_filename, struct font_reader *fr)
+
+ /* read the block in its entirety, in LINESIZE chunks */
+ while (block_len > 0) {
+- int rest = LINESIZE - 1 - linepos; /* leave space for '\0' */
+- int n = (block_len > rest ? rest : block_len);
++ unsigned rest = LINESIZE - 1 - linepos; /* leave space for '\0' */
++ unsigned n = (block_len > rest ? rest : block_len);
+ int actual = fread(line + linepos, 1, n, ifp);
+- if (actual != n) {
+- error("%s corrupted: block short by %d bytes at position %d",
++ if (actual != (int) n) {
++ error("%s corrupted: block short by %u bytes at position %u",
+ ifp_filename, block_len - actual, filepos);
+ block_len = actual;
+ }
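Review bot: `actual` stores the `size_t` that `fread` returns, so declaring it `size_t actual` would remove both the `(int) n` cast in the comparison and the signed/unsigned mix in `block_len - actual` in the message (`n` is bounded by `LINESIZE - 1`, so nothing here can overflow either way, but the casts obscure that). In addition, the short-read branch assigns `block_len = actual` and lets the loop continue, so the rest of the loop body (outside this hunk) must reduce `block_len` by exactly `actual` for the now-unsigned counter to reach 0 rather than wrap; a comment confirming that invariant at the assignment would make the loop's termination argument visible in the patch itself.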
+@@ -311,7 +311,7 @@ process_pfb(FILE *ifp, const char *ifp_filename, struct font_reader *fr)
+ done:
+ c = getc(ifp);
+ if (c != EOF)
+- error("%s corrupted: data after PFB end marker at position %d",
++ error("%s corrupted: data after PFB end marker at position %u",
+ ifp_filename, filepos - 2);
+ fr->output_end();
+ }
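Review bot: the patch file carries only the git format-patch headers, which DEP-3 accepts, but adding `Origin: upstream, commit 1b3373527dd2c8928e9db7cbfd7cde4d70b85fe5` and `Bug-Debian: https://bugs.debian.org/772774` would let the release team confirm at a glance that this is the upstream commit the changelog entry refers to, without cross-referencing the filename.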
diff -Nru t1utils-1.38/debian/patches/series t1utils-1.38/debian/patches/series
--- t1utils-1.38/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ t1utils-1.38/debian/patches/series 2014-12-11 18:39:20.000000000 +0100
@@ -0,0 +1 @@
+commit-1b33735.patch
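The PFB segment header that the patch above parses, as an added example in C that is not part of t1utils or of this debdiff: the length is read as an unsigned 32-bit value, the value the old signed accumulator would have held is shown beside it, and a walker rejects any header whose length exceeds the bytes actually left. The sample buffers and function names are constructed for this example; the segment layout (0x80, type byte, little-endian length) is the standard PFB one.

```c
#include <stddef.h>
#include <stdint.h>

/* 4-byte little-endian length as stored in a PFB segment header, kept
 * unsigned: bit 31 of the top byte stays a size bit, never a sign bit. */
static uint32_t pfb_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* What the pre-fix signed accumulator ended up holding on a two's-
 * complement machine (computed here without the undefined signed shift). */
static long long pfb_le32_as_old_int(const unsigned char *p)
{
    uint32_t u = pfb_le32(p);
    return u > INT32_MAX ? (long long)u - 4294967296LL : (long long)u;
}

/* Walk an in-memory PFB: each segment is 0x80, a type byte (1 = ASCII,
 * 2 = binary, 3 = end marker) and, for types 1 and 2, a length field plus
 * that many bytes. Returns the number of data segments or -1 if malformed.
 * Unlike t1utils, a length beyond the remaining bytes is rejected outright. */
static int pfb_count_segments(const unsigned char *buf, size_t len)
{
    size_t pos = 0;
    int segments = 0;
    for (;;) {
        if (len - pos < 2 || buf[pos] != 0x80)
            return -1;                         /* bad block marker */
        unsigned char type = buf[pos + 1];
        pos += 2;
        if (type == 3)
            return pos == len ? segments : -1; /* data after end marker */
        if ((type != 1 && type != 2) || len - pos < 4)
            return -1;                         /* bad type or short header */
        uint32_t block_len = pfb_le32(buf + pos);
        pos += 4;
        if (block_len > len - pos)
            return -1;                         /* length runs past the data */
        pos += block_len;
        segments++;
    }
}

/* Constructed samples, not real fonts: one ASCII segment then the end
 * marker, and a header whose length field has bit 31 set. */
static const unsigned char pfb_good[] = {
    0x80, 0x01, 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o', 0x80, 0x03 };
static const unsigned char pfb_crafted[] = {
    0x80, 0x02, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x03 };
```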