Bug 15332

Summary: freetype2 several security issues fixed upstream in 2.5.4
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: cmrisolde, herman.viaene, olchal, ottoleipala1, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/634231/
Whiteboard: has_procedure advisory mga4-32-ok MGA4-64-OK
Source RPM: freetype2-2.5.0.1-3.2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-02-20 23:06:24 CET 
Fedora has issued an advisory on February 18:
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150162.html

We already have 2.5.4 in Cauldron.

Note that CVE-2014-9665 and CVE-2014-9668 don't affect 2.5.0.1.

Patched package uploaded for Mageia 4.

Note that there are core and tainted builds for this package.

Advisory:
========================

Updated freetype2 packages fix security vulnerabilities:

The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before
2.5.4 does not properly check for an integer overflow, which allows remote
attackers to cause a denial of service (out-of-bounds read) or possibly have
unspecified other impact via a crafted OpenType font (CVE-2014-9656).

The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4
does not establish a minimum record size, which allows remote attackers to cause
a denial of service (out-of-bounds read) or possibly have unspecified other
impact via a crafted TrueType font (CVE-2014-9657).

The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4
enforces an incorrect minimum table length, which allows remote attackers to
cause a denial of service (out-of-bounds read) or possibly have unspecified
other impact via a crafted TrueType font (CVE-2014-9658).

The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not
properly handle a missing ENDCHAR record, which allows remote attackers to cause
a denial of service (NULL pointer dereference) or possibly have unspecified
other impact via a crafted BDF font (CVE-2014-9660).

type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can
be incomplete without triggering an error, which allows remote attackers to
cause a denial of service (use-after-free) or possibly have unspecified other
impact via a crafted Type42 font (CVE-2014-9661).

cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of
point-allocation functions, which allows remote attackers to cause a denial of
service (heap-based buffer overflow) or possibly have unspecified other impact
via a crafted OTF font (CVE-2014-9662).

The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4
validates a certain length field before that field's value is completely
calculated, which allows remote attackers to cause a denial of service
(out-of-bounds read) or possibly have unspecified other impact via a crafted
cmap SFNT table (CVE-2014-9663).

FreeType before 2.5.4 does not check for the end of the data during certain
parsing actions, which allows remote attackers to cause a denial of service
(out-of-bounds read) or possibly have unspecified other impact via a crafted
Type42 font, related to type42/t42parse.c and type1/t1load.c (CVE-2014-9664).

The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4
proceeds with a count-to-size association without restricting the count value,
which allows remote attackers to cause a denial of service (integer overflow and
out-of-bounds read) or possibly have unspecified other impact via a crafted
embedded bitmap (CVE-2014-9666).

sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations
without restricting the values, which allows remote attackers to cause a denial
of service (integer overflow and out-of-bounds read) or possibly have
unspecified other impact via a crafted SFNT table (CVE-2014-9667).

Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow
remote attackers to cause a denial of service (out-of-bounds read or memory
corruption) or possibly have unspecified other impact via a crafted cmap SFNT
table (CVE-2014-9669).

Multiple integer signedness errors in the pcf_get_encodings function in
pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial
of service (integer overflow, NULL pointer dereference, and application crash)
via a crafted PCF file that specifies negative values for the first column and
first row (CVE-2014-9670).

Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType
before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via a crafted PCF file with a 0xffffffff size
value that is improperly incremented (CVE-2014-9671).

Array index error in the parse_fond function in base/ftmac.c in FreeType before
2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read)
or obtain sensitive information from process memory via a crafted FOND resource
in a Mac font file (CVE-2014-9672).

Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c
in FreeType before 2.5.4 allows remote attackers to cause a denial of service
(heap-based buffer overflow) or possibly have unspecified other impact via a
crafted Mac font (CVE-2014-9673).

The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4
proceeds with adding to length values without validating the original values,
which allows remote attackers to cause a denial of service (integer overflow and
heap-based buffer overflow) or possibly have unspecified other impact via a
crafted Mac font (CVE-2014-9674).

bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only
verifying that an initial substring is present, which allows remote attackers to
discover heap pointer values and bypass the ASLR protection mechanism via a
crafted BDF font (CVE-2014-9675).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9661
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9666
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9667
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9675
https://bugzilla.redhat.com/show_bug.cgi?id=1191095
https://bugzilla.redhat.com/show_bug.cgi?id=1191096
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150162.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
libfreetype6-2.5.0.1-3.3.mga4
libfreetype6-devel-2.5.0.1-3.3.mga4
libfreetype6-static-devel-2.5.0.1-3.3.mga4
freetype2-demos-2.5.0.1-3.3.mga4

from freetype2-2.5.0.1-3.3.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-02-21 03:56:27 CET 
Details on these were supposed to be posted on oss-security, but I guess the guy forgot:
http://openwall.com/lists/oss-security/2014/12/10/7

I had forgotten I had mentioned this in our last update:
https://bugs.mageia.org/show_bug.cgi?id=14771#c6

until I was looking into this one.  I'm not sure where RedHat finally ended up getting the details from.  Maybe they dug them up themselves.  Anyway, there's PoCs for some of these CVEs.  Some of the upstream (GNU Savannah) bugs are closed, but here's links for the ones that are open, and Google bugs (which I got from the RedHat bugs) for the upstream ones that are closed.  The Google bugs I linked, and the ones I indicated that don't have a PoC, don't have one.  The others do.

CVE-2014-9675:
https://savannah.nongnu.org/bugs/?43535

CVE-2014-9673: (s43539)
https://code.google.com/p/google-security-research/issues/detail?id=154

CVE-2014-9674: (s43538)
https://code.google.com/p/google-security-research/issues/detail?id=153

CVE-2014-9672: (s43540)
https://code.google.com/p/google-security-research/issues/detail?id=155

CVE-2014-9671:
https://savannah.nongnu.org/bugs/?43547

CVE-2014-9670:
https://savannah.nongnu.org/bugs/?43548

CVE-2014-9669:
https://savannah.nongnu.org/bugs/?43588 (no PoC)

CVE-2014-9667:
https://savannah.nongnu.org/bugs/?43590 (no PoC)

CVE-2014-9666:
https://savannah.nongnu.org/bugs/?43591 (no PoC)

CVE-2014-9664:
https://savannah.nongnu.org/bugs/?43655

CVE-2014-9663:
https://savannah.nongnu.org/bugs/?43656

CVE-2014-9662:
https://savannah.nongnu.org/bugs/?43658

CVE-2014-9661:
https://savannah.nongnu.org/bugs/?43659

CVE-2014-9660:
https://savannah.nongnu.org/bugs/?43660

CVE-2014-9658:
https://savannah.nongnu.org/bugs/?43672

CVE-2014-9657:
https://savannah.nongnu.org/bugs/?43679

CVE-2014-9656:
https://savannah.nongnu.org/bugs/?43680
Comment 2 David Walser 2015-02-21 04:06:23 CET 
Also note that two of the CVEs are rated as high severity, so we could play with the CVEs, but checking for obvious regressions and getting the update out are more important.  I used the same patches Fedora used for the Fedora 20 update.

I can confirm that things look fine in applications that use libfreetype6, like Firefox, LibreOffice, xpdf, and okular.
Comment 3 Carolyn Rowse 2015-02-21 10:30:46 CET 
I'll test a few applications on my 64-bit machine.

Carolyn

CC: (none) => cmrisolde

Comment 4 Carolyn Rowse 2015-02-21 10:37:06 CET 
Actually, does this only affect 32-bit packages and not the lib64freetype... ones?

Carolyn
Comment 5 Otto Leipälä 2015-02-21 13:37:23 CET 
Update is only to 32bit freetype package not 64bit.

CC: (none) => ozkyster

Comment 6 claire robinson 2015-02-21 14:38:33 CET 
Both arch's should have been updated. 

There are also core updates testing and tainted updates testing versions to test.

General tests:
https://bugs.mageia.org/show_bug.cgi?id=8497#c7
https://bugs.mageia.org/show_bug.cgi?id=14771

Whiteboard: (none) => has_procedure

Comment 7 Otto Leipälä 2015-02-21 16:43:18 CET 
Yes sorry need to correct that was just mirror didn't get synced yet 64bit.
Comment 8 Carolyn Rowse 2015-02-21 19:06:11 CET 
OK, I'll try amd have a look tomorrow.
Comment 9 Carolyn Rowse 2015-02-22 17:35:28 CET 
On my 64-bit laptop with the Core updates, installation proceeded smoothly, no regressions noticed in Firefox, LibreOffice or Okular.  Running "ftbench /usr/share/fonts/75dpi/helvBO08-ISO8859-15.pcf.gz" worked fine before and after update.

Will have a look at the Tainted ones shortly.
Comment 10 Carolyn Rowse 2015-02-22 18:19:54 CET 
On my 64-bit laptop with the Core updates, installation proceeded smoothly, no regressions noticed in Firefox, LibreOffice or Okular.  Running "ftbench /usr/share/fonts/75dpi/helvBO08-ISO8859-15.pcf.gz" worked fine before and after update.

Same again with the Tainted packages, no problems noticed.
Comment 11 olivier charles 2015-02-23 22:23:03 CET 
Testing on Mageia4x64, real hardware

From current packages :
---------------------

lib64freetype6-2.5.0.1-3.2.mga4
core and tainted

$ ftbench asan_stack-oob_703c16_2728_cov_367593004_aspartam.otf
$ ftbench asan_stack-oob_703c16_5479_cov_4290077649_elsewher.otf
$ ftbench asan_stack-oob_703c16_3507_cov_3211953920_ccapshad.otf

Updated to testing packages :
---------------------------
- freetype2-demos-2.5.0.1-3.3.mga4.x86_64
- lib64freetype6-2.5.0.1-3.3.mga4.x86_64
- lib64freetype6-devel-2.5.0.1-3.3.mga4.x86_64
- lib64freetype6-static-devel-2.5.0.1-3.3.mga4.x86_64

Ran same ftbenchs = OK
$ ftgamma asan_stack-oob_703c16_3507_cov_3211953920_ccapshad.otf =OK
$ ftdump asan_stack-oob_703c16_3507_cov_3211953920_ccapshad.otf =OK
$ ftdiff asan_stack-oob_703c16_3507_cov_3211953920_ccapshad.otf =OK

updated to same version 2.5.0.1-3.3.mga4. in tainted

Ran same fttests= OK

CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 12 Herman Viaene 2015-02-24 17:40:10 CET 
MGA4-32 on Acer D620 Xfce
Installed from Core Updatzq, no installation issues.
$ ftbench asan_stack-oob_703c16_2728_cov_367593004_aspartam.otf
couldn't load font resource
Only otf files on my system:
$ locate *.otf
/usr/share/fonts/abattis-cantarell-fonts/Cantarell-Bold.otf
/usr/share/fonts/abattis-cantarell-fonts/Cantarell-Regular.otf
So??????

CC: (none) => herman.viaene

Comment 13 olivier charles 2015-02-24 17:55:03 CET 
(In reply to Herman Viaene from comment #12)
> MGA4-32 on Acer D620 Xfce
> Installed from Core Updatzq, no installation issues.
> $ ftbench asan_stack-oob_703c16_2728_cov_367593004_aspartam.otf
> couldn't load font resource
> Only otf files on my system:
> $ locate *.otf
> /usr/share/fonts/abattis-cantarell-fonts/Cantarell-Bold.otf
> /usr/share/fonts/abattis-cantarell-fonts/Cantarell-Regular.otf
> So??????

Hi Herman,

In comment 11, I used open type fonts downloaded in the FreeType Project site but you can use any fonts located in you /usr/share/fonts folder I think.
Comment 14 claire robinson 2015-02-24 21:51:48 CET 
Testing complete mga4 32, core and tainted.

ftbench and general use, many applications use this library.

urpmq --whatrequires libfreetype6

Whiteboard: has_procedure MGA4-64-OK => has_procedure mga4-32-ok MGA4-64-OK

Comment 15 claire robinson 2015-02-24 22:03:10 CET 
Validating. Advisory uploaded, added the tainted srpm.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok MGA4-64-OK => has_procedure advisory mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 16 Mageia Robot 2015-02-24 22:20:46 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0083.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED