| Summary: | freetype2 new security issue CVE-2016-10244 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5-64-OK advisory MGA5-32-OK | ||
| Source RPM: | freetype2-2.5.4-2.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2017-03-13 11:21:00 CET
Assigning to package maintainer. I may have a look at it myself in the evening if Shlomi doesn't beat me to it.
Assignee: bugsquad => shlomif
Submitted freetype2-2.5.4-2.1.mga5 to {core,tainted}/updates_testing with the upstream patch.
Advisory:
=========
Updated freetype2 packages fix security vulnerability
The parse_charstrings function in type1/t1load.c in FreeType 2 did not ensure
that a font contains a glyph name, which could allow remote attackers to cause
a denial of service (heap-based buffer over-read) or possibly have unspecified
other impact via a crafted file (CVE-2016-10244).
References:
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36
- http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/type1/t1load.c?h=VER-2-7&id=a660e3de422731b94d4a134d27555430cbb6fb39
RPMs in {core,tainted}/updates_testing:
=======================================
lib{,64}freetype6-2.5.4-2.1.mga5{,.tainted}
lib{,64}freetype6-devel-2.5.4-2.1.mga5{,.tainted}
lib{,64}freetype6-static-devel-2.5.4-2.1.mga5{,.tainted}
freetype2-demos-2.5.4-2.1.mga5{,.tainted}
SRPMs:
======
core/updates_testing:
freetype2-2.5.4-2.1.mga5
tainted/updates_testing:
freetype2-2.5.4-2.1.mga5.tainted
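A simplified C model of the bug class named in the advisory above, added here as an illustration; it is not FreeType's code or the upstream patch. The `name_table` type, the function names and the sample listings are assumptions constructed for this example, which rejects a font whose listing yields no glyph names before any later step can index the empty table.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of a glyph-name table (assumption, not FreeType's types). */
typedef struct {
    char  **names;  /* heap array with one slot per declared glyph */
    size_t  count;  /* number of names actually parsed */
} name_table;

enum { PARSE_OK, PARSE_INVALID_FORMAT, PARSE_NO_MEMORY };

/* Collect '/'-prefixed name tokens from a whitespace-separated listing.
   'declared' is the glyph count the font claims; release with free_names(). */
static int parse_glyph_names(const char *src, size_t declared, name_table *out)
{
    out->count = 0;
    out->names = calloc(declared ? declared : 1, sizeof *out->names);
    if (!out->names)
        return PARSE_NO_MEMORY;
    for (const char *p = src; *p && out->count < declared; ) {
        size_t len = strcspn(p, " \n");
        if (*p == '/' && len > 1) {
            char *name = malloc(len);      /* name without '/', plus NUL */
            if (!name)
                return PARSE_NO_MEMORY;
            memcpy(name, p + 1, len - 1);
            name[len - 1] = '\0';
            out->names[out->count++] = name;
        }
        p += len + strspn(p + len, " \n"); /* skip token and separators */
    }
    /* The guard: a font that yielded no glyph names is rejected here, so
       no later step indexes an empty table. */
    return out->count == 0 ? PARSE_INVALID_FORMAT : PARSE_OK;
}

/* Later consumer that inspects glyph 0; re-checks count as defence in depth. */
static int first_glyph_is_notdef(const name_table *t)
{
    return t->count > 0 && strcmp(t->names[0], ".notdef") == 0;
}

static void free_names(name_table *t)
{
    for (size_t i = 0; i < t->count; i++)
        free(t->names[i]);
    free(t->names);
}
```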
Rémi Verschelde
2017-03-13 22:21:50 CET
Assignee: shlomif => qa-bugs
Prior to testing
----------------
Testing ideas: https://bugs.mageia.org/show_bug.cgi?id=16739
freetype2-demos: "The demos package includes a set of useful small utilities showing various capabilities of the FreeType library:"
/usr/bin/ftbench run FreeType benchmarks
/usr/bin/ftdiff compare font hinting modes
/usr/bin/ftdump simple font dumper
/usr/bin/ftgamma ?
/usr/bin/ftgrid simple glyph grid viewer
/usr/bin/ftlint simple font tester
/usr/bin/ftmulti multiple masters font viewer
/usr/bin/ftstring string viewer
/usr/bin/ftvalid layout table validator
/usr/bin/ftview simple glyph viewer
Fonts are in /usr/share/fonts/... A few likely subdirectories from many more:-
├── default
│   ├── ghostscript
│   └── Type1
├── gnu-free [ttf]
├── ttf
│   └── western
└── Type1
x64: Too late for me to test this now, will return tomorrow morning.
CC: (none) => lewyssmith
Testing M5_84
I could not get some commands to work (notably ftlint), not sure whether they are Type1/ttf specific, or what exact parameter to give. Where fonts have 2-3 component files, you have to find the correct one to give to commands. Some commands require a 'points' parameter, suggested 72.
BEFORE update:
1. $ ftbench default/ghostscript/bchb.pfa
ftbench results for font `default/ghostscript/bchb.pfa'
-------------------------------------------------------
family: Bitstream Charter
style: Bold
number of seconds for each test: 2.000000
...
executing tests:
Load 39.436 us/op
...
Get_BBox 3.984 us/op
2. $ ftdump default/Type1/z003034l.pfb
There is 1 face in this file.
----- Face number: 0 -----
font name entries
family: URW Chancery L
style: Medium Italic
postscript: URWChanceryL-MediItal
font type entries
FreeType driver: type1
...
glyph count: 503
charmaps
0: platform 3, encoding 1 language 0 (active)
1: platform 7, encoding 0 language 0
3. $ ftgrid 72 gnu-free/FreeMono.ttf
ptsize =72
Execution completed successfully.
This opens a window with a detailed graphic view of each glyph, advance with arrow keys.
4. $ ftvalid ttf/western/Adventure.ttf
FT_OpenType_Validate is disabled! Recompile FreeType 2 with otvalid module enabled.
error = 0x0007
5. $ ftstring 72 Type1/c0419bt_.pfb
Execution completed successfully.
This displays the "quick brown fox..." string in a window, which you can rotate and resize with the arrow keys.
6. $ ftview 72 ttf/western/Adventure.ttf
Execution completed successfully.
Fails = 0
Displays a complete character set in a window; use arrow keys to advance and change the font size.
AFTER the update:
freetype2-demos-2.5.4-2.1.mga5.tainted
lib64freetype6-2.5.4-2.1.mga5.tainted
lib64freetype6-devel-2.5.4-2.1.mga5.tainted
Confused by the presence also of 'lib64freetype2-1.3.1-45.mga5.tainted', but strace of a test showed:
open("/usr/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 3
[and 'not found' for other paths: /usr/lib64/tls/x86_64/, /usr/lib64/tls/,
/usr/lib64/x86_64].
Unsure of the validity of just the 'tainted' version employed. Assuming this OK.
Ran the 6 tests noted above, with identical results to previously.
Additionally viewed several PDF documents with different viewers; and a sizeable ODT document with LibreOffice Writer, changing fonts & font size. All looks OK.
Whiteboard: (none) => MGA5-64-OK
Lewis Smith
2017-03-15 10:13:18 CET
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
On i586, just testing that the update installs cleanly, and ftview 18 /usr/share/fonts/Type1/l049036t.pfa works. Validating the update.
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0085.html
Status: NEW => RESOLVED