Bug 14771

Summary: freetype2 new security issue fixed upstream in 2.5.4 (CVE-2014-9659)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/627590/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: freetype2-2.5.0.1-3.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-09 20:35:36 CET 
Upstream has released version 2.5.4 on December 6:
http://sourceforge.net/projects/freetype/files/freetype2/2.5.4/

It fixes a security issue similar to CVE-2014-2240, which we fixed in Bug 12986.

The upstream bug for this new issue is here:
http://savannah.nongnu.org/bugs/?43661

There is PoC information in the upstream bug, including attached files and instructions (using ftbench).

Funda has requested a freeze push for Cauldron.

Patched packages uploaded for Mageia 4.  Note that there are core and tainted builds for this package.

I have not seen a CVE request for this new issue.

Advisory:
========================

Updated freetype2 packages fix security vulnerability:

It was reported that Freetype before 2.5.4 suffers from an out-of-bounds
stack-based read/write flaw in cf2_hintmap_build() in the CFF rasterizing
code, which could lead to a buffer overflow.  This is due to an incomplete
fix for CVE-2014-2240.

References:
http://sourceforge.net/projects/freetype/files/freetype2/2.5.4/
http://advisories.mageia.org/MGASA-2014-0130.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
libfreetype6-2.5.0.1-3.2.mga4
libfreetype6-devel-2.5.0.1-3.2.mga4
libfreetype6-static-devel-2.5.0.1-3.2.mga4
freetype2-demos-2.5.0.1-3.2.mga4

from freetype2-2.5.0.1-3.2.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Shlomi Fish 2014-12-10 11:46:44 CET 
ftbench runs fine on my Mageia 4 x86-64 VM with the first two files of the proof-of-concept before the upgrade - no crashes here:

<QUOTE>

[shlomif@localhost ~]$ ftbench Downloads/asan_stack-oob_703c16_2728_cov_367593004_aspartam.otf 
Load                      : 15.055 us/op
Load_Advances (Normal)    : 3.701 us/op
Load_Advances (Fast)      : 3.603 us/op
Render                    : 20.554 us/op
Get_Glyph                 : 0.757 us/op
Get_CBox                  : 0.263 us/op
Get_Char_Index            : 0.014 us/op
Iterate CMap              : 1.852 us/op
New_Face                  : 49.574 us/op
Embolden                  : 0.145 us/op
Get_BBox                  : 1.228 us/op
[shlomif@localhost ~]$ ftbench Downloads/asan_stac
asan_stack-oob_703c16_2728_cov_367593004_aspartam.otf
asan_stack-oob_703c16_5479_cov_4290077649_elsewher.otf
[shlomif@localhost ~]$ ftbench Downloads/asan_stack-oob_703c16_5479_cov_4290077649_elsewher.otf 
Load                      : 25.850 us/op
Load_Advances (Normal)    : 2.449 us/op
Load_Advances (Fast)      : 2.300 us/op
Render                    : 29.591 us/op
Get_Glyph                 : 2.044 us/op
Get_CBox                  : 1.525 us/op
Get_Char_Index            : 0.015 us/op
Iterate CMap              : 1.987 us/op
New_Face                  : 48.291 us/op
Embolden                  : 1.477 us/op
Get_BBox                  : 2.823 us/op
[shlomif@localhost ~]$ rpm -q lib64freetype6
lib64freetype6-2.5.0.1-3.1.mga4.tainted
[shlomif@localhost ~]$ 

</QUOTE>

CC: (none) => shlomif

Comment 2 claire robinson 2014-12-10 12:25:38 CET 
Testing mga4 32

Before
------
Reproduce the crash with PoC from http://savannah.nongnu.org/bugs/?43661

$ ftbench asan_stack-oob_703c16_5479_cov_4290077649_elsewher.otf 
Load                      : *** stack smashing detected ***: ftbench terminated
======= Backtrace: =========
/lib/i686/libc.so.6(+0x6b8f3)[0xb75768f3]
/lib/i686/libc.so.6(__fortify_fail+0x45)[0xb7610175]
/lib/i686/libc.so.6(+0x10512a)[0xb761012a]
/lib/libfreetype.so.6(_fini+0x0)[0xb7728824]
/lib/libfreetype.so.6(+0x3089e)[0xb76f389e]
/lib/libfreetype.so.6(+0x32387)[0xb76f5387]
/lib/libfreetype.so.6(+0x32408)[0xb76f5408]
/lib/libfreetype.so.6(+0x327e2)[0xb76f57e2]
/lib/libfreetype.so.6(+0x3416b)[0xb76f716b]
/lib/libfreetype.so.6(+0x3522a)[0xb76f822a]
/lib/libfreetype.so.6(+0x35b07)[0xb76f8b07]
/lib/libfreetype.so.6(FT_Load_Glyph+0x1a8)[0xb76d5758]
ftbench[0x804986d]
ftbench[0x804a054]
ftbench[0x804962e]
/lib/i686/libc.so.6(__libc_start_main+0xf3)[0xb7524b33]
ftbench[0x804971b]
...etc

After
-----
Updating to version from Core Updates Testing..

$ ftbench asan_stack-oob_703c16_5479_cov_4290077649_elsewher.otf 
Load                      : 44.192 us/op
Load_Advances (Normal)    : 5.152 us/op
Load_Advances (Fast)      : 4.911 us/op
Render                    : 45.726 us/op
Get_Glyph                 : 7.030 us/op
Get_CBox                  : 5.662 us/op
Get_Char_Index            : 0.108 us/op
Iterate CMap              : 9.843 us/op
New_Face                  : 234.214 us/op
Embolden                  : 4.814 us/op
Get_BBox                  : 7.468 us/op

Other two PoC files also OK.

Updating to version from Tainted Updates Testing..
All OK.

Whiteboard: (none) => has_procedure mga4-32-ok

Comment 3 claire robinson 2014-12-10 12:27:13 CET 
Happy to add the OK for 64bit Shlomi?
Comment 4 Shlomi Fish 2014-12-10 13:53:57 CET 
(In reply to claire robinson from comment #3)
> Happy to add the OK for 64bit Shlomi?

I don't know - I was unable to reproduce the crash on my Mga4-x86-64-VM, but I'm fine that you OK it.
Comment 5 Herman Viaene 2014-12-10 14:59:23 CET 
MGA-4-64 on HP Probook 6555b
I ran the command on one of the existing files
>ftbench /usr/share/fonts/75dpi/helvBO08-ISO8859-15.pcf.gz 
Load                      : 0.755 us/op
Load_Advances (Normal)    : 0.757 us/op
Load_Advances (Fast)      : 0.758 us/op
Render                    : 0.092 us/op
Get_Glyph                 : 0.209 us/op
Get_CBox                  : 0.096 us/op
Get_Char_Index            :   inf us/op
Iterate CMap              : 0.089 us/op
New_Face                  : 192.562 us/op
Embolden                  : 0.085 us/op
Get_BBox                  : 0.091 us/op
That demonstrates that it does not crash.

CC: (none) => herman.viaene
Whiteboard: has_procedure mga4-32-ok => has_procedure MGA4-32-OK MGA4-64-OK

Comment 6 David Walser 2014-12-10 16:40:54 CET 
CVE request:
http://openwall.com/lists/oss-security/2014/12/10/6
Comment 7 claire robinson 2014-12-10 17:20:05 CET 
David may need to add more patches, adding feedback for now.

Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure feedback MGA4-32-OK MGA4-64-OK

Comment 8 claire robinson 2014-12-12 00:43:50 CET 
After discussion in QA meeting it was decided to push this one and update again later.

Validating. Advisory uploaded (including tainted srpm)

Please push to updates

Thanks

Whiteboard: has_procedure feedback MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2014-12-13 21:16:39 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0526.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2014-12-24 18:46:44 CET 
Fedora has issued an advisory for this on December 13:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146933.html

URL: (none) => http://lwn.net/Vulnerabilities/627590/

Comment 11 David Walser 2015-02-20 22:55:55 CET 
This appears to be CVE-2014-9659:
https://bugzilla.redhat.com/show_bug.cgi?id=1191081

Summary: freetype2 new security issue fixed upstream in 2.5.4 (similar to CVE-2014-2240) => freetype2 new security issue fixed upstream in 2.5.4 (CVE-2014-9659)