Bug 12986

Summary: freetype2 new security issue fixed upstream in 2.5.3 (CVE-2014-2240)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: marc.lattemann, rverschelde, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/590903/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Source RPM: freetype2-2.5.0.1-3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-03-10 17:33:10 CET 
The upstream announcement mentions a security issue fixed in the new CFF driver:
http://sourceforge.net/projects/freetype/files/freetype2/2.5.3/

It appears that the affected source files were added in 2.5.0, so Mageia 3 would not be affected.

Funda has uploaded version 2.5.3 for Cauldron.

We'll need to issue an update for Mageia 4.

The upstream bug is here:
https://savannah.nongnu.org/bugs/?41697#comment0

A quick summary was posted to oss-security here:
http://openwall.com/lists/oss-security/2014/03/10/2

The two patches he linked apply cleanly to the package in Mageia 4.

It's not clear yet whether the second one is needed or if CVE-2014-2241 is a valid identifier.  I'm waiting for further clarification on this before committing anything to SVN.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-03-11 13:47:57 CET 
According to RedHat, the code was added in 2.4.12.  We have 2.4.11 in Mageia 3, so still not affected there.  It sounds like the second CVE probably won't be used:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-2240

Severity: normal => critical

Comment 2 David Walser 2014-03-11 20:38:32 CET 
I've added the two patches for Mageia 4 just as Fedora has done in git for F20.

I don't have an advisory yet, but all the details available about this issue are linked in the previous comments.  Assigning to QA for testing.

Updated packages in core/updates_testing:
========================================
libfreetype6-2.5.0.1-3.1.mga4
libfreetype6-devel-2.5.0.1-3.1.mga4
libfreetype6-static-devel-2.5.0.1-3.1.mga4
freetype2-demos-2.5.0.1-3.1.mga4

from freetype2-2.5.0.1-3.1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2014-03-12 12:57:25 CET 
Advisory:
========================

Updated freetype2 packages fix security vulnerabilities:

It was reported that Freetype before 2.5.3 suffers from an out-of-bounds
stack-based read/write flaw in cf2_hintmap_build() in the CFF rasterizing
code, which could lead to a buffer overflow (CVE-2014-2240).

It was also reported that Freetype before 2.5.3 has a denial-of-service
vulnerability in the CFF rasterizing code, due to a reachable assertion
(CVE-2014-2241).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2241
https://bugzilla.redhat.com/show_bug.cgi?id=1074646
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741299
Comment 4 David Walser 2014-03-13 21:46:10 CET 
Apparently there's an ftbench tool (freetype2-demos package) that you can run with the fonts attached to the upstream bug to cause a crash and reproduce this issue.
Comment 5 Marc Lattemann 2014-03-14 22:43:01 CET 
test files from original bug report (see Comment #0) are not available anymore. So simply test, that updates will install...

tested succesfully in MGA4 64bit

CC: (none) => marc.lattemann
Whiteboard: (none) => MGA4-64-OK

Comment 6 Marc Lattemann 2014-03-14 22:52:36 CET 
installation of updates works as well in MGA4 32bit.

Please upload advisory from Comment #3 and validate the update.

Thanks

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 7 Rémi Verschelde 2014-03-14 23:08:23 CET 
Validating update, advisory has been uploaded.
Please push to 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 8 Thomas Backlund 2014-03-15 17:35:56 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0130.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 9 Marc Lattemann 2014-03-16 10:51:48 CET 
Re-open bug-report:

When it was installed on my laptop I figured out, that there is a tainted package available for libfreetype6, which is removed by the update...?

  9/9: libfreetype6          ##############################################################
      1/1: libfreetype6-2.5.0.1-3.mga4.tainted.i586 wird entfernt
                                 ##############################################################

should the tainted version be updated as well?

Sorry, I wasn't aware that there is an tainted packaged while testing it.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 10 David Walser 2014-03-16 12:16:00 CET 
Yes, I didn't realize the tainted version still existed, I thought the patents had expired or whatever.  Anyway, the tainted version is now built in updates_testing.
Comment 11 Marc Lattemann 2014-03-16 12:42:46 CET 
Removed tags. 

Is there also a need for an updated advisory?

Keywords: validated_update => (none)
Whiteboard: MGA4-64-OK MGA4-32-OK advisory => (none)

Comment 12 Rémi Verschelde 2014-03-16 12:45:52 CET 
I edited the advisory to add the missing package. When pushing the update, the advisory html page should be updated too.

Whiteboard: (none) => advisory

Comment 13 Marc Lattemann 2014-03-16 14:37:46 CET 
tested successfully for mga4 32bit and 64bit. Tainted packages will replace core packages.

Advisory already updated, so validating...

sysadmins, please push packages to tainted_updates. Thx

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA4-32-OK MGA4-64-OK

Comment 14 Thomas Backlund 2014-03-16 15:24:13 CET 
tainted packages pushed

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-03-18 17:51:02 CET

URL: (none) => http://lwn.net/Vulnerabilities/590903/