Bug#779533: unblock: t1utils/1.38-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock t1utils/1.38-4.
This version of t1utils fixes a buffer overflow that can be reliably
triggered by a crafted pfb font file, as demonstrated by Jakub Wilk
(in #779274). It is my understanding that Jakub concluded that this
can be exploited to execute code on CPUs/architectures without the
"NX" (No-eXec) flag.
I have decided to patch this with a smaller patch compared to
upstream. The upstream version of the fix involves dynamic memory
allocation. The 1.38-4 version instead features a simple bounds check
and a (vastly) increased buffer size to (hopefully) avoid flagging
valid files.
I have uploaded it as urgency medium. It should possibly have been
urgency=high.
Thanks,
~Niels
diff -Nru t1utils-1.38/debian/changelog t1utils-1.38/debian/changelog
--- t1utils-1.38/debian/changelog 2015-02-22 13:44:09.000000000 +0100
+++ t1utils-1.38/debian/changelog 2015-03-01 22:33:59.000000000 +0100
@@ -1,3 +1,13 @@
+t1utils (1.38-4) unstable; urgency=medium
+
+ * Add bounds check for cs_start buffer. (Closes: #779274)
+ * Increase the size of cs_start to 1024 from 10 to support
+ longer values. This is closer to the spirit upstream's
+ fix that supports arbitrary long values provided the
+ machine have enough memory.
+
+ -- Niels Thykier <niels@thykier.net> Sun, 01 Mar 2015 22:30:57 +0100
+
t1utils (1.38-3) unstable; urgency=medium
* Replace the Debian patch for #772774 with upstreams
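Review bot: the second bullet of the new changelog entry has two grammar slips that should be fixed before upload: "closer to the spirit upstream's fix" reads as "closer to the spirit of upstream's fix", and "provided the machine have enough memory" should be "has enough memory". The first bullet would also be more useful to users if it said what the bounds check does on an over-long value (the tool now aborts with a fatal error instead of overflowing), since that is the visible behaviour change for files that previously crashed.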
diff -Nru t1utils-1.38/debian/patches/fix-cs-start-buffer-overflow.patch t1utils-1.38/debian/patches/fix-cs-start-buffer-overflow.patch
--- t1utils-1.38/debian/patches/fix-cs-start-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ t1utils-1.38/debian/patches/fix-cs-start-buffer-overflow.patch 2015-03-01 22:46:07.000000000 +0100
@@ -0,0 +1,45 @@
+Description: Fix buffer overflow in set_cs_start
+
+Upstream decided to fix this differently by using malloc to
+dynamically resize the buffer as needed. Given the size of the
+commit, I decided to "keep it simple" and just bail on this issue.
+
+At the same time, I also increased the buffer size "just incase".
+Given 10 has been working without crashes so far, it seems reasonable
+to assume that 1024 will be "more than enough" for Jessie. For
+Stretch, we will be using the upstream version of the patch and
+support arbitrary lengths for cs_start.
+
+Author: Niels Thykier <niels@thykier.net>
+Bug-Upstream: https://github.com/kohler/t1utils/issues/4
+Forwarded: not-needed
+
+diff --git a/t1disasm.c b/t1disasm.c
+index 5def559..c899985 100644
+--- a/t1disasm.c
++++ b/t1disasm.c
+@@ -79,7 +79,7 @@ typedef unsigned char byte;
+
+ static FILE *ofp;
+ static int lenIV = 4;
+-static char cs_start[10];
++static char cs_start[1024];
+ static int unknown = 0;
+
+ /* decryption stuff */
+@@ -118,10 +118,14 @@ set_cs_start(char *line)
+ *p = '\0'; /* damage line[] */
+ q = strrchr(line, '/');
+ if (q) {
++ char *limit = cs_start + sizeof(cs_start);
+ r = cs_start;
+ ++q;
+- while (!isspace(*q) && *q != '{')
++ while (!isspace(*q) && *q != '{' && r < limit)
+ *r++ = *q++;
++ if (r == limit) {
++ fatal_error("disassembly error: Unsupported file, cs_start value too long");
++ }
+ *r = '\0';
+ }
+ *p = 's'; /* repair line[] */
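Review bot: the check `r < limit` with `limit = cs_start + sizeof(cs_start)` leaves no slot for the terminating NUL written by `*r = '\0'` after the loop; the patch is only safe because the `r == limit` branch calls `fatal_error()` and that function is assumed never to return. If `fatal_error` ever returned, `*r = '\0'` would write one byte past the end of `cs_start`. Using `char *limit = cs_start + sizeof(cs_start) - 1;` reserves the terminator explicitly, keeps the `r == limit` test meaningful, and no longer depends on `fatal_error`'s semantics. Two smaller points on the same hunk: the loop condition `!isspace(*q) && *q != '{'` still never tests for `'\0'`, so a NUL at `*q` (including the one written at `*p` above) does not stop the copy, and adding `*q != '\0'` to the condition is cheap; and `isspace(*q)` is passed a plain `char`, which is undefined for negative values, so `isspace((unsigned char)*q)` is the portable form. In the Description text, "just incase" should be "just in case".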
diff -Nru t1utils-1.38/debian/patches/series t1utils-1.38/debian/patches/series
--- t1utils-1.38/debian/patches/series 2015-02-22 13:44:09.000000000 +0100
+++ t1utils-1.38/debian/patches/series 2015-03-01 22:30:20.000000000 +0100
@@ -1 +1,2 @@
commit-1b33735.patch
+fix-cs-start-buffer-overflow.patch
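The two approaches discussed in this request, a bounded copy into a fixed buffer that rejects over-long input, and upstream's allocate-as-needed variant, are shown side by side below as an added example. It is not code from t1utils or from the Debian patch; the function names `locate_cs_start`, `parse_cs_start` and `parse_cs_start_alloc` are hypothetical, the `string currentfile` marker and the stop-at-whitespace-or-`{` token rule are taken from the hunk's context lines, and the 16-byte buffer and the sample lines are constructed for demonstration. Unlike the original `set_cs_start`, the token is measured before anything is copied and the input line is never modified, so there is no "damage and repair" step and no way to end up with an unterminated buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Locate the charstring-start token on a Type 1 font line such as
 *   "/-| {string currentfile exch readstring pop} executeonly def"
 * The token is the name after the last '/' preceding "string currentfile",
 * ending at the first whitespace or '{'. Returns 1 and sets *start/*end
 * (end exclusive) when found, 0 otherwise. The line is only read.
 */
static int locate_cs_start(const char *line, const char **start, const char **end)
{
    const char *p = strstr(line, "string currentfile");
    const char *q;

    if (p == NULL)
        return 0;
    /* scan backwards from the marker to the last '/' before it */
    for (q = p; q > line && *q != '/'; --q)
        ;
    if (*q != '/')
        return 0;
    *start = ++q;
    /* the scan can never run past the marker, so '\0' is handled too */
    while (q < p && !isspace((unsigned char)*q) && *q != '{')
        ++q;
    *end = q;
    return 1;
}

/*
 * Fixed-buffer variant (the approach taken in the Debian patch).
 * Returns the token length, 0 if the line carries no token, or -1 if the
 * token plus its NUL terminator would not fit in dstsize bytes. On any
 * return dst holds a NUL-terminated string, empty on 0 or -1.
 */
static int parse_cs_start(const char *line, char *dst, size_t dstsize)
{
    const char *s, *e;
    size_t n;

    if (dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (!locate_cs_start(line, &s, &e))
        return 0;
    n = (size_t)(e - s);
    if (n >= dstsize)           /* measure first: nothing is copied on overflow */
        return -1;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return (int)n;
}

/*
 * Allocating variant (the spirit of upstream's fix): any token length is
 * accepted. Returns a malloc'd string the caller frees, or NULL when the
 * line carries no token or allocation fails.
 */
static char *parse_cs_start_alloc(const char *line)
{
    const char *s, *e;
    size_t n;
    char *out;

    if (!locate_cs_start(line, &s, &e))
        return NULL;
    n = (size_t)(e - s);
    out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

int main(void)
{
    /* constructed sample lines: a normal RD definition and an over-long name */
    const char *ok   = "/-| {string currentfile exch readstring pop} executeonly def";
    const char *long_ = "/ABCDEFGHIJKLMNOPQRSTUVWXYZ {string currentfile exch readstring pop} executeonly def";
    char buf[16];               /* deliberately small to show the limit */
    char *dyn;

    printf("fixed  ok:   %d \"%s\"\n", parse_cs_start(ok, buf, sizeof buf), buf);
    printf("fixed  long: %d \"%s\"\n", parse_cs_start(long_, buf, sizeof buf), buf);
    dyn = parse_cs_start_alloc(long_);
    printf("alloc  long: \"%s\"\n", dyn ? dyn : "(null)");
    free(dyn);
    return 0;
}
```

The fixed-buffer version reports -1 for a 26-character name in a 16-byte buffer and leaves the buffer empty; the allocating version returns the full name. With a 1024-byte buffer, as in 1.38-4, only names of 1024 characters or more are rejected.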