Bug 16739

Summary: freetype2 new DoS security issues (CVE-2014-974[5-7])
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tarazed25
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/657329/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: freetype2-2.5.0.1-3.3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-09-11 17:19:37 CEST 
Ubuntu has issued an advisory on September 10:
http://www.ubuntu.com/usn/usn-2739-1/

CVE request:
http://openwall.com/lists/oss-security/2015/09/11/4

The issues were fixed upstream early last year, so Mageia 5 is not affected.

Patched package uploaded for Mageia 4.

Note that there are core and tainted builds for this package.

Advisory:
========================

Updated freetype2 packages fix security vulnerabilities:

It was discovered that FreeType did not correctly handle certain malformed
font files. If a user were tricked into using a specially crafted font
file, a remote attacker could cause FreeType to crash or hang, resulting in
a denial of service, or possibly expose uninitialized memory
(Savannah bugs 41309 and 41590).

References:
http://www.ubuntu.com/usn/usn-2739-1/
https://savannah.nongnu.org/bugs/?41309
https://savannah.nongnu.org/bugs/index.php?41590
http://openwall.com/lists/oss-security/2015/09/11/4
========================

Updated packages in {core,tainted}/updates_testing:
========================
libfreetype6-2.5.0.1-3.4.mga4
libfreetype6-devel-2.5.0.1-3.4.mga4
libfreetype6-static-devel-2.5.0.1-3.4.mga4
freetype2-demos-2.5.0.1-3.4.mga4

from freetype2-2.5.0.1-3.4.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-09-11 17:19:50 CEST 
General tests:
https://bugs.mageia.org/show_bug.cgi?id=8497#c7
https://bugs.mageia.org/show_bug.cgi?id=14771

Whiteboard: (none) => has_procedure

Comment 2 Len Lawrence 2015-09-12 19:29:25 CEST 
Trying this in mga4 x86_64 virtualbox.

Could not find the POC files referred to elsewhere so installed the rpms from core updates testing and tried out a few commands involving fonts.

Libreoffice writer and xpdf functioned normally with several changes of font in the former.

Ran ftbench, ftview and ftstring on some system TTF fonts and those behaved normally.

I have no idea if these tests are sufficient.

Tainted updates next then i586....

CC: (none) => tarazed25

Comment 3 Len Lawrence 2015-09-12 20:01:22 CEST 
Installed available packages from tainted updates testing

lib64freetype6-2.5.0.1-3.4.mga4.tainted.x86_64
lib64freetype6-static-devel-2.5.0.1-3.4.mga4.tainted.x86_64
lib64freetype6-devel-2.5.0.1-3.4.mga4.tainted.x86_64
freetype2-demos-2.5.0.1-3.4.mga4.tainted.x86_64

ftbench, ftview, ftstring tested with same TTF font files as in comment 2.  These returned the same results.

xpdf and libreoffice also worked fine.

Will give this a pass if somebody could agree that the tests are sufficient.
Comment 4 claire robinson 2015-09-12 23:25:37 CEST 
Looks good Len
Comment 5 Len Lawrence 2015-09-12 23:41:08 CEST 
64bit OK then.  Leaving 32bit until tomorrow.
Len Lawrence 2015-09-12 23:41:35 CEST

Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 6 Len Lawrence 2015-09-13 11:48:21 CEST 
Testing in mga4 i586 virtualbox

Installed these from core updates testing:
libfreetype6-static-devel-2.5.0.1-3.4.mga4.i586
libfreetype6-devel-2.5.0.1-3.4.mga4.i586
libfreetype6-2.5.0.1-3.4.mga4.i586
freetype2-demos-2.5.0.1-3.4.mga4.i586

[lcl@alcor ~]$ ftbench /usr/share/fonts/ttf/western/Bluehigh.ttf
Load                      : 2.248 us/op
Load_Advances (Normal)    : 2.232 us/op
Load_Advances (Fast)      : 0.018 us/op
Render                    : 1.900 us/op
Get_Glyph                 : 0.541 us/op
Get_CBox                  : 0.241 us/op
Get_Char_Index            : 0.018 us/op
Iterate CMap              : 2.011 us/op
New_Face                  : 10.038 us/op
Embolden                  : 0.145 us/op
Get_BBox                  : 0.486 us/op

[lcl@alcor ~]$ ftview 22 /usr/share/fonts/default/ghostscript/VikingStencil.pfb
This returned detailed information about the font and example text.

[lcl@alcor ~]$ ftstring 19 /usr/share/fonts/default/Type1/n019043l.pfb
produced the "quick brown fox" message in the selected font.
Comment 7 Len Lawrence 2015-09-13 12:13:47 CEST 
mga4 i586 in virtualbox

Enabled tainted updates testing and installed the four packages as before.
All three freetype demos tests matched the previous results.  xpdf worked fine and libreoffice write handled font selections without any trouble.

Looks like this is good to go for Mageia 4.
Len Lawrence 2015-09-13 12:14:03 CEST

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 8 Len Lawrence 2015-09-13 12:16:30 CEST 
Could someone please push this to Mageia 4 updates.  Thanks.
Comment 9 David Walser 2015-09-13 16:46:27 CEST 
(In reply to Len Lawrence from comment #8)
> Could someone please push this to Mageia 4 updates.  Thanks.

Please add the validated_updates keyword Len.  Thanks.
Comment 10 David Walser 2015-09-13 16:46:48 CEST 
(In reply to David Walser from comment #9)
> (In reply to Len Lawrence from comment #8)
> > Could someone please push this to Mageia 4 updates.  Thanks.
> 
> Please add the validated_updates keyword Len.  Thanks.

Oops, validate_update.
Comment 11 RĂ©mi Verschelde 2015-09-13 17:16:41 CEST 
(In reply to David Walser from comment #10)
> (In reply to David Walser from comment #9)
> > Please add the validated_updates keyword Len.  Thanks.
> 
> Oops, validate_update.

validated_update, even :)
Len Lawrence 2015-09-13 19:07:27 CEST

Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK validate-update

Comment 12 Len Lawrence 2015-09-13 19:09:09 CEST 
I must have been sleeping; never seen that one before ;)
Comment 13 David Walser 2015-09-13 19:10:28 CEST 
(In reply to Len Lawrence from comment #12)
> I must have been sleeping; never seen that one before ;)

It's a keyword, not a whiteboard entry.  I did it this time.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK validate-update => has_procedure MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 14 claire robinson 2015-09-13 22:37:26 CEST 
Advisory uploaded. Added tainted srpm.

Please push to 4 updates

Thanks

Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK

Comment 15 Mageia Robot 2015-09-13 23:59:41 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0367.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-09-14 23:53:41 CEST

URL: (none) => http://lwn.net/Vulnerabilities/657329/

Comment 16 David Walser 2015-09-28 16:30:02 CEST 
CVE-2014-9745, CVE-2014-9746, CVE-2014-9747 assigned for this:
http://openwall.com/lists/oss-security/2015/09/25/4

Summary: freetype2 new DoS security issues => freetype2 new DoS security issues (CVE-2014-974[5-7])