Debian Bug report logs - #439927
CVE-2007-4033: Buffer overflow in GD extension

Package: t1lib; Maintainer for t1lib is Debian QA Group <packages@qa.debian.org>;

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Tue, 28 Aug 2007 14:33:01 UTC

Severity: serious

Tags: confirmed, patch, security, upstream

Found in version 5.1.0-2

Fixed in versions t1lib/5.1.0-3, t1lib/5.0.2-3sarge1

Done: Noah Meyerhans <noahm@debian.org>

Bug is archived. No further changes may be made.

Forwarded to rainer.menzner@web.de

Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#439927; Package php5. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4033: Buffer overflow in GD extension
Date: Tue, 28 Aug 2007 16:28:00 +0200
[Message part 1 (text/plain, inline)]
Package: php5
Tags: security

Hi,

A security issue has been reported against the GD extension in PHP:

> Buffer overflow in php_gd2.dll in the gd (PHP_GD2) extension in PHP 5.2.3
> allows context-dependent attackers to execute arbitrary code via a long
> argument to the imagepsloadfont function.  

I've tried to assess whether Debian is vulnerable to this, but cannot come to 
a definitive "yes" or "no". Could you please investigate?


thanks
Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#439927; Package php5. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 439927@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: pkg-php-maint@lists.alioth.debian.org, Thijs Kinkhorst <thijs@debian.org>, 439927@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: [php-maint] Bug#439927: CVE-2007-4033: Buffer overflow in GD extension
Date: Thu, 30 Aug 2007 00:20:58 +0200
[Message part 1 (text/plain, inline)]
reassign 439927 libt1
thanks

On Tuesday 28 August 2007 04:28:00 pm Thijs Kinkhorst wrote:
> Package: php5
> Tags: security
>
> Hi,
>
> A security issue has been reported against the GD extension in PHP:
> > Buffer overflow in php_gd2.dll in the gd (PHP_GD2) extension in PHP 5.2.3
> > allows context-dependent attackers to execute arbitrary code via a long
> > argument to the imagepsloadfont function.
>
> I've tried to assess whether Debian is vulnerable to this, but cannot come
> to a definitive "yes" or "no". Could you please investigate?

To answer the question:

Yes, this is a vulnerability, albeit a rather low one.  But no, it is not php 
that is vulnerable but libt1, as the vulnerability can be traced back there 
in the core dump, and this seems to be backed up by updates to 
http://www.securityfocus.com/bid/25079 (esp. see the discussion section).


	sean
[signature.asc (application/pgp-signature, inline)]

Bug reassigned from package `php5' to `libt1'. Request was from sean finney <seanius@debian.org> to control@bugs.debian.org. (Wed, 29 Aug 2007 22:24:03 GMT) Full text and rfc822 format available.

Bug reassigned from package `libt1' to `t1lib'. Request was from Martin Michlmayr <tbm@cyrius.com> to control@bugs.debian.org. (Sat, 01 Sep 2007 13:12:03 GMT) Full text and rfc822 format available.

Noted your statement that Bug has been forwarded to rainer.menzner@web.de. Request was from "Artur R. Czechowski" <arturcz@hell.pl> to control@bugs.debian.org. (Sun, 16 Sep 2007 18:33:02 GMT) Full text and rfc822 format available.

Tags added: patch, confirmed, upstream Request was from "Artur R. Czechowski" <arturcz@hell.pl> to control@bugs.debian.org. (Sun, 16 Sep 2007 18:33:03 GMT) Full text and rfc822 format available.

Severity set to `serious' from `normal' Request was from "Artur R. Czechowski" <arturcz@hell.pl> to control@bugs.debian.org. (Sun, 16 Sep 2007 18:33:03 GMT) Full text and rfc822 format available.

Bug marked as found in version 5.1.0-2. Request was from "Artur R. Czechowski" <arturcz@hell.pl> to control@bugs.debian.org. (Sun, 16 Sep 2007 18:33:04 GMT) Full text and rfc822 format available.

Message sent on to Thijs Kinkhorst <thijs@debian.org>:
Bug#439927. Full text and rfc822 format available.

Message #25 received at 439927-submitter@bugs.debian.org (full text, mbox):

From: "Artur R. Czechowski" <arturcz@hell.pl>
To: 439927-submitter@bugs.debian.org
Cc: debian-security@lists.debian.org, twerner@debian.org, george@pks.mpg.de
Subject: t1lib security flaw: CVE-2007-4033/#439927
Date: Sun, 16 Sep 2007 20:28:26 +0200
[Message part 1 (text/plain, inline)]
forwarded 439927 rainer.menzner@web.de
tag 439927 patch confirmed upstream
severity 439927 serious
found 439927 5.1.0-2
thanks

Hi,
The t1lib 5.1.0 available in Debian (etch as well as lenny and sid[1]) is
vulnerable to the CVE-2007-4033 security flaw.
Upstream version 5.1.1 is vulnerable too. Upstream has been informed
about the issue.

I attached a patch solving the issue.

Best regards
	Artur

[1] sarge probably too, I didn't check it.
-- 
Why should we talk to each other, when it is so easy to communicate?
						/Jean Baudrillard/
[t1env.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information stored:
Bug#439927; Package t1lib. Full text and rfc822 format available.

Acknowledgement sent to "Torsten Werner" <mail.twerner@googlemail.com>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #30 received at 439927-quiet@bugs.debian.org (full text, mbox):

From: "Torsten Werner" <mail.twerner@googlemail.com>
To: "Artur R. Czechowski" <arturcz@hell.pl>
Cc: 439927-quiet@bugs.debian.org, debian-security@lists.debian.org, george@pks.mpg.de
Subject: Re: t1lib security flaw: CVE-2007-4033/#439927
Date: Mon, 17 Sep 2007 23:31:38 +0200
[Message part 1 (text/plain, inline)]
Hi,

On 9/16/07, Artur R. Czechowski <arturcz@hell.pl> wrote:
> The t1lib 5.1.0 available in Debian (etch as well as lenny and sid[1]) is
> vulnerable to the CVE-2007-4033 security flaw.

I have uploaded a new package to unstable that can be easily
backported to etch/lenny. I am attaching the output of debdiff.


Cheers,
Torsten


-- 
blog: http://twerner.blogspot.com/
homepage: http://www.twerner42.de/
[debdiff (application/octet-stream, attachment)]

Reply sent to Torsten Werner <twerner@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #35 received at 439927-close@bugs.debian.org (full text, mbox):

From: Torsten Werner <twerner@debian.org>
To: 439927-close@bugs.debian.org
Subject: Bug#439927: fixed in t1lib 5.1.0-3
Date: Mon, 17 Sep 2007 21:47:06 +0000
Source: t1lib
Source-Version: 5.1.0-3

We believe that the bug you reported is fixed in the latest version of
t1lib, which is due to be installed in the Debian FTP archive:

libt1-5_5.1.0-3_i386.deb
  to pool/main/t/t1lib/libt1-5_5.1.0-3_i386.deb
libt1-dev_5.1.0-3_i386.deb
  to pool/main/t/t1lib/libt1-dev_5.1.0-3_i386.deb
libt1-doc_5.1.0-3_all.deb
  to pool/main/t/t1lib/libt1-doc_5.1.0-3_all.deb
t1lib-bin_5.1.0-3_i386.deb
  to pool/main/t/t1lib/t1lib-bin_5.1.0-3_i386.deb
t1lib_5.1.0-3.diff.gz
  to pool/main/t/t1lib/t1lib_5.1.0-3.diff.gz
t1lib_5.1.0-3.dsc
  to pool/main/t/t1lib/t1lib_5.1.0-3.dsc

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 439927@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Torsten Werner <twerner@debian.org> (supplier of updated t1lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 17 Sep 2007 23:25:45 +0200
Source: t1lib
Binary: t1lib-bin libt1-5 libt1-doc libt1-dev
Architecture: source all i386
Version: 5.1.0-3
Distribution: unstable
Urgency: low
Maintainer: Artur R. Czechowski <arturcz@hell.pl>
Changed-By: Torsten Werner <twerner@debian.org>
Description: 
 libt1-5    - Type 1 font rasterizer library - runtime
 libt1-dev  - Type 1 font rasterizer library - development
 libt1-doc  - Type 1 font rasterizer library - developers documentation
 t1lib-bin  - Type 1 font rasterizer library - user binaries
Closes: 439927
Changes: 
 t1lib (5.1.0-3) unstable; urgency=low
 .
   * Apply patch from Artur R. Czechowski to fix CVE-2007-4033.
     (Closes: #439927)
Files: 

Information forwarded to debian-bugs-dist@lists.debian.org, arturcz@hell.pl (Artur R. Czechowski):
Bug#439927; Package t1lib. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to arturcz@hell.pl (Artur R. Czechowski). Full text and rfc822 format available.

Message #40 received at 439927@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 439927@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: bumping urgency: t1lib
Date: Wed, 19 Sep 2007 23:43:49 +1000
[Message part 1 (text/plain, inline)]
Hi All

From the testing-security point of view, I would not see any problem with 
bumping the urgency and letting it migrate to lenny. The ppc buildd still 
needs to pick it up and I guess that S390 is a matter of time.
Thanks for your efforts.

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Information stored:
Bug#439927; Package t1lib. Full text and rfc822 format available.

Acknowledgement sent to "Torsten Werner" <mail.twerner@googlemail.com>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #45 received at 439927-quiet@bugs.debian.org (full text, mbox):

From: "Torsten Werner" <mail.twerner@googlemail.com>
To: debian-security@lists.debian.org
Cc: 439927-quiet@bugs.debian.org, george@pks.mpg.de, "Artur R. Czechowski" <arturcz@hell.pl>
Subject: Re: Bug#439927: t1lib security flaw: CVE-2007-4033/#439927
Date: Thu, 27 Sep 2007 20:12:38 +0200
On 9/17/07, Torsten Werner <mail.twerner@googlemail.com> wrote:
> On 9/16/07, Artur R. Czechowski <arturcz@hell.pl> wrote:
> > The t1lib 5.1.0 available in Debian (etch as well as lenny and sid[1]) is
> > vulnerable to the CVE-2007-4033 security flaw.
>
> I have uploaded a new package to unstable that can be easily
> backported to etch/lenny. I am attaching the output of debdiff.

Do you plan to update the package through security.debian.org?

Cheers,
Torsten


-- 
blog: http://twerner.blogspot.com/
homepage: http://www.twerner42.de/
Information stored:
Bug#439927; Package t1lib. Full text and rfc822 format available.

Acknowledgement sent to Ionut Georgescu <george@pks.mpg.de>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #50 received at 439927-quiet@bugs.debian.org (full text, mbox):

From: Ionut Georgescu <george@pks.mpg.de>
To: Torsten Werner <mail.twerner@googlemail.com>
Cc: debian-security@lists.debian.org, 439927-quiet@bugs.debian.org, "Artur R. Czechowski" <arturcz@hell.pl>
Subject: Re: Bug#439927: t1lib security flaw: CVE-2007-4033/#439927
Date: Fri, 28 Sep 2007 12:39:13 +0200
On Thu, 2007-09-27 at 20:12 +0200, Torsten Werner wrote:
> On 9/17/07, Torsten Werner <mail.twerner@googlemail.com> wrote:
> > On 9/16/07, Artur R. Czechowski <arturcz@hell.pl> wrote:
> > > The t1lib 5.1.0 available in Debian (etch as well as lenny and sid[1]) is
> > > vulnerable to the CVE-2007-4033 security flaw.
> >
> > I have uploaded a new package to unstable that can be easily
> > backported to etch/lenny. I am attaching the output of debdiff.
> 
> Do you plan to update the package through security.debian.org?
> 
> Cheers,
> Torsten
> 

Hi Torsten,

I think one should, because php depends on it. It would be nice if any
of you could do that at the moment. My laptop kissed me goodbye a few
weeks ago together with all my work. I could do it from work, but there
I hardly have any time to breathe.

Thanks a lot,
Ionut


-- 
***************
* Ionuţ Georgescu
* Max-Planck-Institut für Physik komplexer Systeme
* Noethnitzer Str. 38, D-01187 Dresden
* Phone: +49 (351) 871-2209
* Fax:   +49 (351) 871-1999 
Reply sent to Noah Meyerhans <noahm@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #55 received at 439927-close@bugs.debian.org (full text, mbox):

From: Noah Meyerhans <noahm@debian.org>
To: 439927-close@bugs.debian.org
Subject: Bug#439927: fixed in t1lib 5.0.2-3sarge1
Date: Mon, 22 Oct 2007 19:56:18 +0000
Source: t1lib
Source-Version: 5.0.2-3sarge1

We believe that the bug you reported is fixed in the latest version of
t1lib, which is due to be installed in the Debian FTP archive:

libt1-5_5.0.2-3sarge1_i386.deb
  to pool/main/t/t1lib/libt1-5_5.0.2-3sarge1_i386.deb
libt1-dev_5.0.2-3sarge1_i386.deb
  to pool/main/t/t1lib/libt1-dev_5.0.2-3sarge1_i386.deb
libt1-doc_5.0.2-3sarge1_all.deb
  to pool/main/t/t1lib/libt1-doc_5.0.2-3sarge1_all.deb
t1lib-bin_5.0.2-3sarge1_i386.deb
  to pool/main/t/t1lib/t1lib-bin_5.0.2-3sarge1_i386.deb
t1lib_5.0.2-3sarge1.diff.gz
  to pool/main/t/t1lib/t1lib_5.0.2-3sarge1.diff.gz
t1lib_5.0.2-3sarge1.dsc
  to pool/main/t/t1lib/t1lib_5.0.2-3sarge1.dsc

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 439927@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated t1lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 13 Oct 2007 17:43:21 -0400
Source: t1lib
Binary: t1lib-bin libt1-5 libt1-doc libt1-dev
Architecture: source all i386
Version: 5.0.2-3sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: noahm@debian.org
Changed-By: Noah Meyerhans <noahm@debian.org>
Description: 
 libt1-5    - Type 1 font rasterizer library - runtime
 libt1-dev  - Type 1 font rasterizer library - development
 libt1-doc  - Type 1 font rasterizer library - developers documentation
 t1lib-bin  - Type 1 font rasterizer library - user binaries
Closes: 439927
Changes: 
 t1lib (5.0.2-3sarge1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Apply patch from Artur R. Czechowski to fix CVE-2007-4033.
     (Closes: #439927)
Files: 

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 08:19:33 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 09:59:22 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.