Bug 660555 - VUL-0: evince font parser vulnerabilities
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Hardware: Other, OS: Other
Priority: P3 - Medium, Severity: Normal
Assigned To: Fan Jun Kong
Security Team bot
maint:released:11.2:38054 maint:relea...
Depends on: 660557 660558
Reported: 2010-12-20 15:57 UTC by Ludwig Nussel
Modified: 2011-01-23 17:55 UTC

Found By: Other

0001-backends-Fix-several-security-issues-in-the-dvi-back.patch (3.60 KB, text/plain)
2010-12-20 15:57 UTC, Ludwig Nussel
tested dvi files (43.02 KB, application/x-gzip)
2011-01-10 08:26 UTC, Liu Shukui

Description Ludwig Nussel 2010-12-20 15:57:11 UTC
Your friendly security team received the following report.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

evince DVI file PK font parser memory overwrite vulnerability

evince DVI file VF font parser memory overwrite vulnerability

evince DVI file AFM font parser heap overflow vulnerability

evince DVI file TFM font parser integer overflow vulnerability
Comment 2 Ludwig Nussel 2010-12-20 15:57:45 UTC
Created attachment 405630 [details]
Comment 3 Vincent Untz 2011-01-03 14:27:48 UTC
CRD is January 5th, and I have the updates ready for 11.2 and 11.3 on my local disk. I'll submit them to the :Update:Test repos on Wednesday.

Alex: I guess someone should take care of it for SLE too.
Comment 4 Sebastian Krahmer 2011-01-05 07:36:28 UTC
via vendor-sec:

> diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c
> index 164366b..361e23d 100644
> --- a/backend/dvi/mdvi-lib/afmparse.c
> +++ b/backend/dvi/mdvi-lib/afmparse.c
> @@ -160,7 +160,7 @@ static char *token(FILE *stream)
>      idx = 0;
>      while (ch != EOF && ch != ' ' && ch != lineterm
> -           && ch != '\t' && ch != ':' && ch != ';')
> +           && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
>      {
>          ident[idx++] = ch;
>          ch = fgetc(stream);
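Review bot: the new `idx < MAX_NAME` bound is only safe if `ident` holds MAX_NAME + 1 bytes, since the token presumably gets NUL-terminated after the loop (not shown in this hunk); if `ident` is declared as `char ident[MAX_NAME]`, the bound needs to be `idx < MAX_NAME - 1`. Also, when the bound stops the loop, `ch` still holds the last character read and the remainder of an over-long token stays in the stream and comes back as the next token; consider draining to the next delimiter or failing the parse so a truncated name is not silently accepted.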

This code seems to be from Adobe originally.  Wouldn't t1lib need a
similar patch?

> diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
> index cd8cfa9..d014320 100644
> --- a/backend/dvi/mdvi-lib/dviread.c
> +++ b/backend/dvi/mdvi-lib/dviread.c
> @@ -1507,6 +1507,10 @@ int    special(DviContext *dvi, int opcode)
>       Int32   arg;
>       arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
> +     if (arg <= 0) {
> +             dvierr(dvi, _("malformed special length\n"));
> +             return -1;
> +     }
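Review bot: `arg <= 0` also rejects a zero-length special, which the DVI xxx1..xxx4 opcodes allow (k = 0), so `arg < 0` would be the stricter match for "malformed" unless empty specials are meant to be dropped. More importantly, the check only catches lengths that wrap negative in Int32; nothing in this hunk bounds `arg` against the bytes remaining in the DVI data, so a large positive length still needs a check before the following code reads or allocates `arg` bytes. The negative test itself relies on dugetn()'s unsigned result converting to Int32 by bit pattern, as noted below; comparing the unsigned value against INT32_MAX before the assignment avoids depending on that.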

This is not fully portable---but GCC should be fine even without
-fwrapv (as a GCC extension, a conversion from unsigned long to long
preserves the bit pattern, and mugetn() performs the computation in
unsigned long, so it should be fine).
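Added example, not code from the evince patch or from mdvi-lib: the shape of the `arg <= 0` check from the second hunk above next to a portable form that keeps the length unsigned and also bounds it against the remaining DVI data. `read_be` is a hypothetical stand-in for dugetn(), and the byte arrays are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for mdvi-lib's dugetn(): read the n (1..4)
 * big-endian length bytes of a DVI xxx1..xxx4 \special into an
 * unsigned long. */
static unsigned long read_be(const unsigned char *p, int n)
{
    unsigned long v = 0;
    for (int i = 0; i < n; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Shape of the patched check: the unsigned value lands in a 32-bit
 * signed `arg` and is tested with `arg <= 0`. Lengths >= 2^31 only
 * read as negative because the compiler converts out-of-range values
 * by bit pattern (GCC does; C leaves it implementation-defined), and
 * a large positive length is not bounded against the input at all. */
static long special_len_patch_style(const unsigned char *p, int n)
{
    int32_t arg = (int32_t)read_be(p, n);
    if (arg <= 0)
        return -1;                       /* "malformed special length" */
    return arg;
}

/* Portable form: keep the length unsigned, reject what Int32 cannot
 * hold, and reject lengths that run past the end of the DVI data.
 * `remaining` is the number of bytes left starting at p, including
 * the n length bytes themselves. Returns the length or -1. */
static long special_len_portable(const unsigned char *p, int n,
                                 size_t remaining)
{
    if (n < 1 || n > 4 || remaining < (size_t)n)
        return -1;
    unsigned long len = read_be(p, n);
    if (len == 0 || len > INT32_MAX || len > remaining - (size_t)n)
        return -1;                       /* malformed or truncated */
    return (long)len;
}

/* Constructed inputs, not taken from any real DVI file. */
static const unsigned char K_FIVE[]    = {0x05};                   /* xxx1, k = 5 */
static const unsigned char K_SIXTEEN[] = {0x00, 0x10};             /* xxx2, k = 16 */
static const unsigned char K_WRAP[]    = {0xFF, 0xFF, 0xFF, 0xFF}; /* xxx4, k = 2^32-1 */
```

The k = 16 case is the one the patch alone does not cover: the length is positive and passes `arg <= 0`, but the portable check rejects it because only 8 bytes of input remain.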
Comment 5 Swamp Workflow Management 2011-01-05 07:39:08 UTC
The SWAMPID for this issue is 38053.
This issue was rated as moderate.
Please submit fixed packages until 2011-01-19.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Bin Li 2011-01-05 07:48:31 UTC
Assign to Fanjun to take all these bugs together.
Comment 7 Vincent Untz 2011-01-05 08:38:59 UTC
Fixes for evince in openSUSE submitted: sr#57129 (11.2) and sr#57130 (11.3). I'm also pushing the fix to Factory (submitted to G:F).

I'll let Fanjun handle the SLE side of things.

Is there another bug for t1lib? (see comment #4)
Comment 8 Fan Jun Kong 2011-01-05 09:03:22 UTC
I have submitted both SLED10-sp4 and SLE11-sp1; is there anything else I can help with?
Comment 9 Vincent Untz 2011-01-05 09:13:56 UTC
(In reply to comment #8)
> I have submitted both SLED10-sp4 and SLE11-sp1; is there anything else I can help with?

Let's assign to the security team, and we'll see :-)
Comment 10 Liu Shukui 2011-01-07 08:56:43 UTC
(In reply to comment #2)
> Created an attachment (id=405630) [details]
> 0001-backends-Fix-several-security-issues-in-the-dvi-back.patch
as a qa-maintenance member, how to verify/reproduce this bug? any suggestions?
Comment 11 Vincent Untz 2011-01-07 09:31:05 UTC
Unfortunately, I'm not aware of any proof of concept for the security issues. The only thing I can suggest is to test some DVI files and check they are still read fine by evince.
Comment 12 Thomas Biege 2011-01-07 09:49:57 UTC
We do not have a reproducer available for this bug. I am sorry.
Comment 13 Liu Shukui 2011-01-07 09:54:20 UTC
ok, then I will take the advice from comment 11 and do some generic tests.
Comment 14 Liu Shukui 2011-01-10 08:26:42 UTC
Created attachment 407497 [details]
tested dvi files
Comment 15 Liu Shukui 2011-01-10 08:27:47 UTC
When I did some generic tests for evince-2.28.2-0.3.1 using some dvi files, it crashed (Segmentation fault). So I am not sure if this bug has been fixed or whether this situation means a new bug. The tested dvi files were attached at comment 14; they were collected using www.google.com.
Comment 16 Vincent Untz 2011-01-10 09:37:21 UTC
Quickly testing with evince 2.32, I only see a crash with kankenn.9902.dvi. My guess is that you're seeing https://bugzilla.gnome.org/show_bug.cgi?id=600552

Can you check which stack traces you get for the crashes, and compare it with the crashes in this upstream bug?

I think those crashes are unrelated to the vulnerabilities.
Comment 17 Vincent Untz 2011-01-10 09:42:03 UTC
I filed https://bugzilla.gnome.org/show_bug.cgi?id=639129 for the issue with kankenn.9902.dvi
Comment 19 Swamp Workflow Management 2011-01-15 18:40:29 UTC
Update released for: evince, evince-debuginfo, evince-debugsource, evince-devel, evince-lang, nautilus-evince, nautilus-evince-debuginfo
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
Comment 20 Swamp Workflow Management 2011-01-15 20:54:25 UTC
Update released for: evince, evince-debuginfo
SLE-DESKTOP 10-SP3 (i386, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Comment 21 Swamp Workflow Management 2011-01-15 21:13:18 UTC
Update released for: evince, evince-debuginfo, evince-debugsource, evince-devel, evince-doc, evince-lang
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 22 Fan Jun Kong 2011-01-18 03:29:19 UTC
So I can close this bug as fixed now.