CVE-2011-0764 – t1lib: Invalid pointer dereference via crafted Type 1 font
https://notcve.org/view.php?id=CVE-2011-0764
t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and other products, uses an invalid pointer in conjunction with a dereference operation, which allows remote attackers to execute arbitrary code via a crafted Type 1 font in a PDF document, as demonstrated by testz.2184122398.pdf.
• References:
http://rhn.redhat.com/errata/RHSA-2012-1201.html
http://secunia.com/advisories/43823
http://secunia.com/advisories/47347
http://secunia.com/advisories/48985
http://securityreason.com/securityalert/8171
http://securitytracker.com/id?1025266
http://www.foolabs.com/xpdf/download.html
http://www.kb.cert.org/vuls/id/376500
http://www.kb.cert.org/vuls/id/MAPG-8ECL8X
http://www.mandriva.com/security/advisories?name=MDVSA-2012:002
http://www.mandriva.com/security/advisories?
• CWE-20: Improper Input Validation
CVE-2010-2642 – t1lib: Heap based buffer overflow in DVI file AFM font parser
https://notcve.org/view.php?id=CVE-2010-2642
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
• References:
http://git.gnome.org/browse/evince/commit/?id=d4139205b010ed06310d14284e63114e88ec6de2
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052910.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052995.html
http://lists.mandriva.com/security-announce/2011-01/msg00006.php
http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
http://rhn.redhat.com/errata/RHSA-2012-1201.html
http://secunia.com/advisories/42769
http://secunia.com/advisories/4282
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-122: Heap-based Buffer Overflow
CVE-2007-4033 – T1lib - 'intT1_Env_GetCompletePath' Buffer Overflow (PoC)
https://notcve.org/view.php?id=CVE-2007-4033
Buffer overflow in the intT1_EnvGetCompletePath function in lib/t1lib/t1env.c in t1lib 5.1.1 allows context-dependent attackers to execute arbitrary code via a long FileName parameter. NOTE: this issue was originally reported to be in the imagepsloadfont function in php_gd2.dll in the gd (PHP_GD2) extension in PHP 5.2.3.
• References:
https://www.exploit-db.com/exploits/30401
https://www.exploit-db.com/exploits/4227
http://bugs.gentoo.org/show_bug.cgi?id=193437
http://fedoranews.org/updates/FEDORA-2007-234.shtml
http://secunia.com/advisories/26241
http://secunia.com/advisories/26901
http://secunia.com/advisories/26981
http://secunia.com/advisories/26992
http://secunia.com/advisories/27239
http://secunia.com/advisories/27297
http://secunia.com/advisories/27439
http://secunia.com/advisories/27599
http
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer