oss-sec mailing list archives

Re: CVE Request: t1utils: buffer overflow in set_cs_start


From: cve-assign () mitre org
Date: Fri, 22 May 2015 15:08:03 -0400 (EDT)


https://github.com/kohler/t1utils/blob/master/NEWS
https://bugs.debian.org/779274
https://github.com/kohler/t1utils/issues/4
https://github.com/kohler/t1utils/commit/6b9d1aafcb61a3663c883663eb19ccdbfcde8d33
https://bugzilla.redhat.com/show_bug.cgi?id=1218365#c7

t1disasm: buffer overflow in set_cs_start

As far as we can tell, versions before 1.39 had two different
instances of the unchecked "while (!isspace(*q) && *q != '{')" loop.
One of them, found by a researcher using afl-fuzz, was in the
set_cs_start function in t1disasm.c. The other, apparently found
manually by the vendor, was in the main function of t1asm.c. There are
similar situations in which there might have been two CVE IDs
assigned. Here, however, we feel that there should be only one CVE ID,
because it seems extremely unlikely that t1disasm.c and t1asm.c had
independent mistakes. Almost certainly, the mistake was made once and
then copied from one file into the other.

Use CVE-2015-3905.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
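As an added illustration, not code from t1utils and not part of the original post, here is the unchecked scan pattern quoted above beside a bounded version; TOKEN_MAX, both function names and the sample lines are constructed for this example and do not reproduce the t1utils source.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed destination size; a constructed value, not the one used by t1utils. */
#define TOKEN_MAX 32

/* Constructed sample lines shaped like a Type 1 charstring-start definition;
 * the token after '/' is what the scan extracts. */
static const char LINE_OK[] =
    "/-| {string currentfile exch readstring pop} executeonly def";
static const char LINE_LONG[] =
    "/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA {string currentfile} def";

/* Unchecked scan in the style of the loop quoted in the post: it stops only
 * at whitespace or '{', so neither a length limit nor a NUL byte stops it and
 * a long or unterminated token carries q past any fixed-size destination.
 * The copy is omitted so this can run on LINE_LONG without corrupting
 * memory; the returned length is what such a copy would write. */
static size_t scan_token_unchecked(const char *p)
{
    const char *q = p;
    while (!isspace((unsigned char)*q) && *q != '{')
        q++;
    return (size_t)(q - p);
}

/* Bounded version: also stops at NUL and refuses a token that would not fit
 * in dst with its terminator.  Returns the token length, or -1 if rejected. */
static int copy_token_bounded(const char *p, char *dst, size_t dstsz)
{
    size_t n = 0;
    while (p[n] != '\0' && !isspace((unsigned char)p[n]) && p[n] != '{') {
        if (n + 1 >= dstsz)          /* no room left for the NUL */
            return -1;
        n++;
    }
    memcpy(dst, p, n);
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[TOKEN_MAX];
    printf("unchecked would copy %zu bytes into a %d-byte buffer\n",
           scan_token_unchecked(LINE_LONG + 1), TOKEN_MAX);
    printf("bounded returns %d\n", copy_token_bounded(LINE_LONG + 1, buf, sizeof buf));
    return 0;
}
```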

