Bug 20720

Summary: freetype2 new security issues CVE-2016-10328, CVE-2017-8105, and CVE-2017-8287
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs, zombie_ryushu
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: freetype2-2.5.4-2.1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-04-22 21:14:20 CEST 
Ubuntu has issued an advisory on April 20:
https://www.ubuntu.com/usn/usn-3263-1/

The issue was fixed upstream in 2.7.1, which is already in Cauldron.

Patched packages uploaded for Mageia 5.

Note that this package exists in both core and tainted.

Advisory:
========================

Updated freetype2 packages fix security vulnerability:

It was discovered that a heap-based buffer overflow existed in the FreeType
library. If a user were tricked into using a specially crafted font file, a
remote attacker could cause FreeType to crash, resulting in a denial of
service, or possibly execute arbitrary code (CVE-2016-10328).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10328
https://www.ubuntu.com/usn/usn-3263-1/
========================

Updated packages in core/updates_testing:
========================
libfreetype6-2.5.4-2.2.mga5
libfreetype6-devel-2.5.4-2.2.mga5
libfreetype6-static-devel-2.5.4-2.2.mga5
freetype2-demos-2.5.4-2.2.mga5

from freetype2-2.5.4-2.2.mga5.src.rpm
Dave Hodgins 2017-04-24 02:17:11 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 1 David Walser 2017-04-29 23:24:10 CEST 
Debian has issued an advisory on April 28:
https://www.debian.org/security/2017/dsa-3839

It fixes two additional issues that we hadn't yet fixed, which were recently fixed upstream.

Advisory:
========================

Updated freetype2 packages fix security vulnerability:

It was discovered that a heap-based buffer overflow existed in the FreeType
library. If a user were tricked into using a specially crafted font file, a
remote attacker could cause FreeType to crash, resulting in a denial of
service, or possibly execute arbitrary code (CVE-2016-10328).

FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based
buffer overflow related to the t1_decoder_parse_charstrings function in
psaux/t1decode.c (CVE-2017-8105).

FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based
buffer overflow related to the t1_builder_close_contour function in
psaux/psobjs.c (CVE-2017-8287).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287
https://www.ubuntu.com/usn/usn-3263-1/
https://www.debian.org/security/2017/dsa-3839
========================

Updated packages in core/updates_testing:
========================
libfreetype6-2.5.4-2.3.mga5
libfreetype6-devel-2.5.4-2.3.mga5
libfreetype6-static-devel-2.5.4-2.3.mga5
freetype2-demos-2.5.4-2.3.mga5

from freetype2-2.5.4-2.3.mga5.src.rpm

Summary: freetype2 new security issue CVE-2016-10328 => freetype2 new security issues CVE-2016-10328, CVE-2017-8105, and CVE-2017-8287
Whiteboard: advisory => (none)

Comment 2 Herman Viaene 2017-05-01 14:13:14 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Did the 6 tests as per bug20465 Comment 4 and got the same results.
Used atril and epdfviewer for a pfd file, all displays OK. Used LibreOffice for an 48-page doc (including pictures) and played around with font types and sizes. All OK.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Comment 3 Dave Hodgins 2017-05-02 04:13:27 CEST 
Mageia 5 x86_64 ok with similar testing to comment 2.

Advisory updated in svn based on comment 1.

Validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2017-05-02 08:49:20 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0124.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 Marja Van Waes 2017-05-28 07:03:24 CEST 
*** Bug 20940 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu