
Bug#773391: marked as done (unblock: t1utils/1.38-3)



Your message dated Wed, 17 Dec 2014 23:01:03 +0000
with message-id <20141217230103.GN11902@lupin.home.powdarrmonkey.net>
and subject line Re: Bug#773391: unblock: t1utils/1.38-3
has caused the Debian Bug report #773391,
regarding unblock: t1utils/1.38-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773391: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773391
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package t1utils as it fixes a DoS (infinite loop) via a
crafted font package (#772774).  This indirectly affects Lintian as
well, because lintian uses t1disasm (from t1utils) to analyse some
font packages.

If you prefer, we can also defer this to post-Jessie given the bug is
not RC.  If so, let me know, so I can set the necessary tags and retitle
the bug accordingly.

unblock t1utils/1.38-3

The debdiff is below.  For reference, my original solution (mentioned
in the changelog) was to error out if the newly read "block_len" was
negative (due to an overflow).

Thanks,
~Niels


*** ../t1utils.debdiff
diff -Nru t1utils-1.38/debian/changelog t1utils-1.38/debian/changelog
--- t1utils-1.38/debian/changelog	2014-10-14 20:14:48.000000000 +0200
+++ t1utils-1.38/debian/changelog	2014-12-11 18:43:32.000000000 +0100
@@ -1,3 +1,19 @@
+t1utils (1.38-3) unstable; urgency=medium
+
+  * Replace the Debian patch for #772774 with upstreams
+    own version for the same issue.
+
+ -- Niels Thykier <niels@thykier.net>  Thu, 11 Dec 2014 18:43:27 +0100
+
+t1utils (1.38-2) unstable; urgency=medium
+
+  * Apply patch to avoid infinite loop on some fonts files
+    in t1disasm.  Thanks to Jakub Wilk for reporting and the
+    "American fuzzy lop" tool for creating the crafted font
+    file.  (Closes: #772774)
+
+ -- Niels Thykier <niels@thykier.net>  Thu, 11 Dec 2014 17:58:11 +0100
+
 t1utils (1.38-1) unstable; urgency=medium
 
   * New upstream release.
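Review bot: the 1.38-3 entry says only that the Debian patch is replaced with upstream's version, without naming which upstream change that is. Citing the commit (the file added in this debdiff is commit-1b33735.patch) would let a reader match the changelog entry to the patch without opening debian/patches. "upstreams" in the same entry should read "upstream's".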
diff -Nru t1utils-1.38/debian/patches/commit-1b33735.patch t1utils-1.38/debian/patches/commit-1b33735.patch
--- t1utils-1.38/debian/patches/commit-1b33735.patch	1970-01-01 01:00:00.000000000 +0100
+++ t1utils-1.38/debian/patches/commit-1b33735.patch	2014-12-11 18:38:40.000000000 +0100
@@ -0,0 +1,71 @@
+From 1b3373527dd2c8928e9db7cbfd7cde4d70b85fe5 Mon Sep 17 00:00:00 2001
+From: Eddie Kohler <ekohler@gmail.com>
+Date: Thu, 11 Dec 2014 12:33:11 -0500
+Subject: [PATCH] Fix infinite loop reported by Jakup Wilk via Niels Thykier.
+
+---
+ t1lib.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/t1lib.c b/t1lib.c
+index 6b49a19..f34fa0a 100644
+--- a/t1lib.c
++++ b/t1lib.c
+@@ -244,9 +244,9 @@ void
+ process_pfb(FILE *ifp, const char *ifp_filename, struct font_reader *fr)
+ {
+   int blocktyp = 0;
+-  int block_len = 0;
++  unsigned block_len = 0;
+   int c = 0;
+-  int filepos = 0;
++  unsigned filepos = 0;
+   int linepos = 0;
+   char line[LINESIZE];
+ 
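Review bot: the patch header above this first t1lib.c hunk carries only a Subject line, with no description of the cause and no reference to the Debian bug. The unblock request attributes the problem to block_len going negative through an overflow; one sentence to that effect in the header, plus a pointer to #772774, would explain why the declarations of block_len and filepos change from int to unsigned here. The Subject also spells the reporter "Jakup Wilk" where the changelog has "Jakub Wilk".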
+@@ -260,7 +260,7 @@ process_pfb(FILE *ifp, const char *ifp_filename, struct font_reader *fr)
+ 	if (c == EOF || blocktyp == EOF)
+ 	  error("%s corrupted: no end-of-file marker", ifp_filename);
+ 	else
+-	  error("%s corrupted: bad block marker at position %d",
++	  error("%s corrupted: bad block marker at position %u",
+ 		ifp_filename, filepos);
+ 	blocktyp = PFB_DONE;
+       }
+@@ -270,9 +270,9 @@ process_pfb(FILE *ifp, const char *ifp_filename, struct font_reader *fr)
+       block_len = getc(ifp) & 0xFF;
+       block_len |= (getc(ifp) & 0xFF) << 8;
+       block_len |= (getc(ifp) & 0xFF) << 16;
+-      block_len |= (getc(ifp) & 0xFF) << 24;
++      block_len |= (unsigned) (getc(ifp) & 0xFF) << 24;
+       if (feof(ifp)) {
+-	error("%s corrupted: bad block length at position %d",
++	error("%s corrupted: bad block length at position %u",
+ 	      ifp_filename, filepos);
+ 	blocktyp = PFB_DONE;
+ 	goto done;
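Review bot: the length is assembled from four getc() calls and only feof(ifp) is tested afterwards, so a read error that is not end-of-file passes this check. getc() returns EOF on error as well, and `& 0xFF` turns that into 0xFF, so the failed reads are folded into block_len as ordinary length bytes. Testing `feof(ifp) || ferror(ifp)` would report both cases as a bad block length at the point where the bytes were read.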
+@@ -282,11 +282,11 @@ process_pfb(FILE *ifp, const char *ifp_filename, struct font_reader *fr)
+ 
+     /* read the block in its entirety, in LINESIZE chunks */
+     while (block_len > 0) {
+-      int rest = LINESIZE - 1 - linepos; /* leave space for '\0' */
+-      int n = (block_len > rest ? rest : block_len);
++      unsigned rest = LINESIZE - 1 - linepos; /* leave space for '\0' */
++      unsigned n = (block_len > rest ? rest : block_len);
+       int actual = fread(line + linepos, 1, n, ifp);
+-      if (actual != n) {
+-	error("%s corrupted: block short by %d bytes at position %d",
++      if (actual != (int) n) {
++	error("%s corrupted: block short by %u bytes at position %u",
+ 	      ifp_filename, block_len - actual, filepos);
+ 	block_len = actual;
+       }
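Review bot: `rest` is now unsigned, so `LINESIZE - 1 - linepos` can no longer go negative; if linepos ever exceeded LINESIZE - 1 the result would wrap to a very large value, n would then be taken from block_len, and the fread() into `line + linepos` would no longer be limited by the buffer size. The bound on linepos is not visible in this hunk and should be confirmed, or asserted before the subtraction. A smaller point in the same loop: `actual` stays int, which forces the `(int) n` cast and mixes signedness in `block_len - actual`; fread() returns size_t, so an unsigned type for `actual` would remove both.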
+@@ -311,7 +311,7 @@ process_pfb(FILE *ifp, const char *ifp_filename, struct font_reader *fr)
+  done:
+   c = getc(ifp);
+   if (c != EOF)
+-    error("%s corrupted: data after PFB end marker at position %d",
++    error("%s corrupted: data after PFB end marker at position %u",
+ 	  ifp_filename, filepos - 2);
+   fr->output_end();
+ }
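Review bot: with filepos now unsigned, `filepos - 2` in the final error() call wraps to a value near UINT_MAX whenever filepos is below 2 at the `done` label, and %u prints that as the position. Whether filepos can be that small here is not visible in the hunk; computing the position as `filepos >= 2 ? filepos - 2 : 0` would keep the message meaningful on a corrupted file.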
diff -Nru t1utils-1.38/debian/patches/series t1utils-1.38/debian/patches/series
--- t1utils-1.38/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ t1utils-1.38/debian/patches/series	2014-12-11 18:39:20.000000000 +0100
@@ -0,0 +1 @@
+commit-1b33735.patch

--- End Message ---
--- Begin Message ---
On Wed, Dec 17, 2014 at 10:43:07PM +0100, Niels Thykier wrote:
> Please unblock package t1utils as it fixes a DoS (infinite loop) via a
> crafted font package (#772774).  This indirectly affects Lintian as
> well, because lintian uses t1disasm (from t1utils) to analyse some
> font packages.

Unblocked.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51


--- End Message ---
