Opened 13 years ago

Closed 7 years ago

#29631 closed defect (fixed)

t1lib needs patch for afm parser; has other unpatched issues

Reported by: gnw3 Owned by: macports-tickets@…
Priority: Normal Milestone:
Component: ports Version: 1.9.2
Keywords: haspatch Cc: dbevans (David B. Evans), takanori@…, drkp (Dan Ports), ghosthound
Port: t1lib

Description

t1lib is the subject of 4 Security Vulnerabilities Published In 2011:

http://www.cvedetails.com/cve/CVE-2011-1554/
http://www.cvedetails.com/cve/CVE-2011-1553/
http://www.cvedetails.com/cve/CVE-2011-1552/
http://www.cvedetails.com/cve/CVE-2011-0764/

and in 2010: http://www.cvedetails.com/cve/CVE-2010-2642/, http://secunia.com/advisories/cve_reference/CVE-2010-2642/

texlive 2011-pretest provides a patch for some issues in the AFM parser:

patch-01-buffer-limit (new): Avoid buffer overflow in lib/t1lib/parseAFM.c token() and linetoken(). http://secunia.com/advisories/43491/

Attachments (1)

patch-01-buffer-limit (1.1 KB) - added by gnw3 13 years ago.
Avoid buffer overflow in lib/t1lib/parseAFM.c token() and linetoken().
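
The kind of bound the patch description refers to, shown as an added illustration; this is not the attached patch or t1lib's own code. `struct cursor`, `copy_bounded`, `read_token` and `read_line_token` are hypothetical names, and the 16-byte buffer and the AFM text are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cursor over in-memory AFM text; hypothetical stand-in for a parser's FILE*. */
struct cursor { const char *p, *end; };

static int is_space(int c) { return c == ' ' || c == '\t' || c == '\r' || c == '\n'; }

/* Store at most cap-1 bytes plus a NUL. Overlong input is consumed and dropped so
 * the caller stays in sync. Returns the stored length, or -1 at end of input. */
static int copy_bounded(struct cursor *c, char *buf, size_t cap, int line, int *trunc)
{
    size_t n = 0;
    *trunc = 0;
    if (cap == 0) return -1;
    /* token mode skips all leading whitespace; line mode skips only blanks */
    while (c->p < c->end && (line ? (*c->p == ' ' || *c->p == '\t') : is_space(*c->p)))
        c->p++;
    buf[0] = '\0';
    if (c->p == c->end) return -1;
    for (; c->p < c->end; c->p++) {
        int ch = (unsigned char)*c->p;
        if (line ? (ch == '\n' || ch == '\r') : is_space(ch)) break;
        if (n < cap - 1) buf[n++] = (char)ch;  /* the bound an unchecked copy loop lacks */
        else *trunc = 1;                        /* report instead of writing past buf */
    }
    buf[n] = '\0';
    return (int)n;
}

int read_token(struct cursor *c, char *buf, size_t cap, int *trunc)
{ return copy_bounded(c, buf, cap, 0, trunc); }

int read_line_token(struct cursor *c, char *buf, size_t cap, int *trunc)
{ return copy_bounded(c, buf, cap, 1, trunc); }

int main(void)
{
    /* constructed sample: a FontName value longer than the 16-byte buffer */
    const char *afm = "FontName AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nNotice two words\n";
    struct cursor c = { afm, afm + strlen(afm) };
    char buf[16];
    int t;
    while (read_token(&c, buf, sizeof buf, &t) >= 0)
        printf("%s%s\n", buf, t ? " [truncated]" : "");
    return 0;
}
```
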


Change History (8)

Changed 13 years ago by gnw3

Attachment: patch-01-buffer-limit added

Avoid buffer overflow in lib/t1lib/parseAFM.c token() and linetoken().

comment:1 Changed 13 years ago by gnw3

Cc: gnwiii@… added

Cc Me!

comment:2 Changed 13 years ago by gnw3

Note that the patch file was intended to use "patch -p1".

On my system, t1lib was being used for texlive and xpdf. For xpdf, upstream suggests that t1lib not be used (https://trac.macports.org/ticket/29629). I'm investigating how t1lib is used by texlive.

comment:3 Changed 13 years ago by jmroot (Joshua Root)

Cc: devans@… takanori@… dports@… ricci@… added; gnwiii@… removed
Keywords: haspatch added; graphics removed

Adding maintainers of ports that use t1lib (evince, pTeX, texlive-bin, xpdf) to Cc.

comment:4 in reply to:  2 Changed 13 years ago by drkp (Dan Ports)

Replying to gnwiii@…:

I'm investigating how t1lib is used by texlive.

It's used by xdvi, and some related utilities. Beyond that, I'm not sure.

comment:5 Changed 13 years ago by drkp (Dan Ports)

I committed the patch in r79146.

The other issues still remain. Do you know if there are patches available for any of them?

comment:6 in reply to:  5 Changed 13 years ago by gnw3

Replying to dports@…:

I committed the patch in r79146.

The other issues still remain. Do you know if there are patches available for any of them?

I haven't encountered more patches. I'm watching to see what problems crop up in xpdf to see if we can live without t1lib.

comment:7 Changed 7 years ago by jmroot (Joshua Root)

Resolution: fixed
Status: new → closed

Closing as it's been 6 years, so this seems to be as patched as it's going to get. If anyone has more patches to fix these issues, feel free to reopen and attach them, or open a PR on GitHub.
