Bug 660555 - VUL-0: evince font parser vulnerabilities
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Fan Jun Kong
QA Contact: Security Team bot
Whiteboard: maint:released:11.2:38054 maint:relea...
Depends on: 660557 660558
Reported: 2010-12-20 15:57 UTC by Ludwig Nussel
Modified: 2011-01-23 17:55 UTC
Found By: Other

Attachments
0001-backends-Fix-several-security-issues-in-the-dvi-back.patch (3.60 KB, text/plain), 2010-12-20 15:57 UTC, Ludwig Nussel
tested dvi files (43.02 KB, application/x-gzip), 2011-01-10 08:26 UTC, Liu Shukui

Description Ludwig Nussel 2010-12-20 15:57:11 UTC
Your friendly security team received the following report.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

------------------------------------------------------------------------------
evince DVI file PK font parser memory overwrite vulnerability
CVE-2010-2640

evince DVI file VF font parser memory overwrite vulnerability
CVE-2010-2641

evince DVI file AFM font parser heap overflow vulnerability
CVE-2010-2642

evince DVI file TFM font parser integer overflow vulnerability
CVE-2010-2643
Comment 2 Ludwig Nussel 2010-12-20 15:57:45 UTC
Created attachment 405630
0001-backends-Fix-several-security-issues-in-the-dvi-back.patch
Comment 3 Vincent Untz 2011-01-03 14:27:48 UTC
CRD is January 5th, and I have the updates ready for 11.2 and 11.3 on my local disk. I'll submit them to the :Update:Test repos on Wednesday.

Alex: I guess someone should take care of it for SLE too.
Comment 4 Sebastian Krahmer 2011-01-05 07:36:28 UTC
via vendor-sec:


> diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c
> index 164366b..361e23d 100644
> --- a/backend/dvi/mdvi-lib/afmparse.c
> +++ b/backend/dvi/mdvi-lib/afmparse.c
> @@ -160,7 +160,7 @@ static char *token(FILE *stream)
>
>      idx = 0;
>      while (ch != EOF && ch != ' ' && ch != lineterm
> -           && ch != '\t' && ch != ':' && ch != ';')
> +           && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
>      {
>          ident[idx++] = ch;
>          ch = fgetc(stream);
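
Review bot: the new `idx < MAX_NAME` bound stops the loop only once `ident` already holds MAX_NAME characters, so if `ident` is declared with exactly MAX_NAME bytes (its declaration is outside this hunk) whatever NUL-terminates it after the loop lands one past the end; either size the array MAX_NAME + 1 or bound the loop at `idx < MAX_NAME - 1`. Also, when the bound is hit the remaining characters of the over-long token stay unread in `stream` and come back as the next token; consuming them up to the next delimiter (or reporting the over-long token as an error) would avoid parsing the tail as a separate keyword.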

This code seems to be from Adobe originally.  Wouldn't t1lib need a
similar patch?

> diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
> index cd8cfa9..d014320 100644
> --- a/backend/dvi/mdvi-lib/dviread.c
> +++ b/backend/dvi/mdvi-lib/dviread.c
> @@ -1507,6 +1507,10 @@ int    special(DviContext *dvi, int opcode)
>       Int32   arg;
>
>       arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
> +     if (arg <= 0) {
> +             dvierr(dvi, _("malformed special length\n"));
> +             return -1;
> +     }
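
Review bot: `arg <= 0` also rejects a special with a zero-length payload, not only the negative values the check is meant to catch; if a zero-length xxx opcode is acceptable input for this reader, the condition should be `arg < 0` with `arg == 0` skipped as a no-op, and otherwise a comment saying that zero is refused on purpose would save the next reader the question. The negative test itself depends on `dugetn()` returning the raw unsigned bit pattern into the signed `Int32 arg`, which the follow-up below describes as a GCC extension rather than portable C; reading the length into an unsigned variable and comparing it against a maximum before assigning to `arg` would remove that dependency.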

This is not fully portable---but GCC should be fine even without
-fwrapv (as a GCC extension, a conversion from unsigned long to long
preserves the bit pattern, and mugetn() performs the computation in
unsigned long, so it should be fine).
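The bounded token read from the afmparse.c hunk above, written out as an added example that is not code from evince or from the patch: it keeps the hunk's MAX_NAME and delimiter set (with '\n' standing in for the lineterm variable), reserves the last byte of the buffer for the NUL terminator, and drains an over-long token instead of leaving its tail in the input. Input comes from an in-memory buffer rather than a FILE* so it runs offline; the Reader type and next_ch() are this example's own stand-ins for the stream and fgetc().

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from evince's afmparse.c: a bounded token reader
 * in the shape of the quoted token() loop. MAX_NAME and the delimiter set
 * follow the hunk, with '\n' standing in for its lineterm variable; input
 * comes from an in-memory buffer rather than a FILE* so it runs offline. */
#define MAX_NAME 64

/* data: NUL-terminated input constructed by the caller; pos: read offset */
typedef struct { const char *data; size_t pos; } Reader;

/* fgetc() stand-in: next byte as 0..255, or EOF at end of input */
static int next_ch(Reader *r)
{
    return r->data[r->pos] ? (unsigned char)r->data[r->pos++] : EOF;
}

static int is_delim(int ch)
{
    return ch == ' ' || ch == '\t' || ch == '\n' || ch == ':' || ch == ';';
}

/* Stores at most MAX_NAME - 1 characters so ident is always NUL-terminated
 * within its MAX_NAME bytes. An over-long token is consumed up to the next
 * delimiter and reported through *truncated rather than left in the input,
 * where its tail would be parsed as a fresh token. Returns the stored
 * length, or -1 when the input ends before any token starts. */
static int read_token(Reader *r, char ident[MAX_NAME], int *truncated)
{
    int ch, idx = 0;
    *truncated = 0;
    do {
        ch = next_ch(r);
    } while (ch != EOF && is_delim(ch));    /* skip leading delimiters */
    if (ch == EOF) {
        ident[0] = '\0';
        return -1;
    }
    while (ch != EOF && !is_delim(ch)) {
        if (idx < MAX_NAME - 1)
            ident[idx++] = (char)ch;
        else
            *truncated = 1;                 /* consume but do not store */
        ch = next_ch(r);
    }
    ident[idx] = '\0';
    return idx;
}
```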
Comment 5 Swamp Workflow Management 2011-01-05 07:39:08 UTC
The SWAMPID for this issue is 38053.
This issue was rated as moderate.
Please submit fixed packages until 2011-01-19.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Bin Li 2011-01-05 07:48:31 UTC
Assign to Fanjun to take all these bugs together.
Comment 7 Vincent Untz 2011-01-05 08:38:59 UTC
Fixes for evince in openSUSE submitted: sr#57129 (11.2) and sr#57130 (11.3). I'm also pushing the fix to Factory (submitted to G:F).

I'll let Fanjun handle the SLE side of things.

Is there another bug for t1lib? (see comment #4)
Comment 8 Fan Jun Kong 2011-01-05 09:03:22 UTC
I have submitted both SLED10-sp4 and SLE11-sp1, anything else I can help with?
Comment 9 Vincent Untz 2011-01-05 09:13:56 UTC
(In reply to comment #8)
> I have submitted both SLED10-sp4 and SLE11-sp1, anything else I can help with?

Let's assign to the security team, and we'll see :-)
Comment 10 Liu Shukui 2011-01-07 08:56:43 UTC
(In reply to comment #2)
> Created an attachment (id=405630) [details]
> 0001-backends-Fix-several-security-issues-in-the-dvi-back.patch

Hi,

As a qa-maintenance member, how do I verify/reproduce this bug? Any suggestions?
Comment 11 Vincent Untz 2011-01-07 09:31:05 UTC
Unfortunately, I'm not aware of any proof of concept for the security issues. The only thing I can suggest is to test some DVI files and check they are still read fine by evince.
Comment 12 Thomas Biege 2011-01-07 09:49:57 UTC
We do not have a reproducer available for this bug. I am sorry.
Comment 13 Liu Shukui 2011-01-07 09:54:20 UTC
OK, then I will take the advice from comment 11 and do some generic tests.
Comment 14 Liu Shukui 2011-01-10 08:26:42 UTC
Created attachment 407497
tested dvi files
Comment 15 Liu Shukui 2011-01-10 08:27:47 UTC
Hi,

When I did some generic tests for evince-2.28.2-0.3.1 using some dvi files, it crashed (Segmentation fault). So I am not sure if this bug has been fixed or this situation means a new bug. The tested dvi files were attached in comment 14; they were collected using www.google.com.
Comment 16 Vincent Untz 2011-01-10 09:37:21 UTC
Quickly testing with evince 2.32, I only see a crash with kankenn.9902.dvi. My guess is that you're seeing https://bugzilla.gnome.org/show_bug.cgi?id=600552

Can you check which stack traces you get for the crashes, and compare it with the crashes in this upstream bug?

I think those crashes are unrelated to the vulnerabilities.
Comment 17 Vincent Untz 2011-01-10 09:42:03 UTC
I filed https://bugzilla.gnome.org/show_bug.cgi?id=639129 for the issue with kankenn.9902.dvi
Comment 19 Swamp Workflow Management 2011-01-15 18:40:29 UTC
Update released for: evince, evince-debuginfo, evince-debugsource, evince-devel, evince-lang, nautilus-evince, nautilus-evince-debuginfo
Products:
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
Comment 20 Swamp Workflow Management 2011-01-15 20:54:25 UTC
Update released for: evince, evince-debuginfo
Products:
SLE-DESKTOP 10-SP3 (i386, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Comment 21 Swamp Workflow Management 2011-01-15 21:13:18 UTC
Update released for: evince, evince-debuginfo, evince-debugsource, evince-devel, evince-doc, evince-lang
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 22 Fan Jun Kong 2011-01-18 03:29:19 UTC
So I can close this bug as fixed now.
Thanks