| Summary: | freetype2 new security issue CVE-2018-6942 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, jim, mageia, shlomif, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | freetype2-2.7.1-2.1.mga6.src.rpm | CVE: | |
| Status comment: | Upstream patch is available | ||
Description
David Walser
2018-02-16 21:04:44 CET
David Walser
2018-02-16 21:04:51 CET
Whiteboard: (none) => MGA6TOO
David Walser
2018-02-16 21:09:30 CET
Status comment: (none) => Upstream patch is available

Updated in Cauldron and 2.7.1-2.2 submitted to tainted and core updates_testing for MGA6.

Version: Cauldron => 6

Thanks Shlomi!

Advisory:
========================

Updated freetype2 packages fix security vulnerability:

An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file (CVE-2018-6942).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6942
https://usn.ubuntu.com/usn/usn-3572-1
========================

Updated packages in {core,tainted}/updates_testing:
========================
libfreetype6-2.7.1-2.2.mga6
libfreetype6-devel-2.7.1-2.2.mga6
libfreetype6-static-devel-2.7.1-2.2.mga6
freetype2-demos-2.7.1-2.2.mga6

from freetype2-2.7.1-2.2.mga6.src.rpm

Assignee: shlomif => qa-bugs

What is the difference between the core and tainted packages?

CC: (none) => mageia

(In reply to PC LX from comment #3)
> What is the difference between the core and tainted packages?

$ rpm -q -i lib64freetype6|tail -n 2
This package is in the "tainted" section because it has subpixel hinting enabled which is covered by software patents.

CC: (none) => davidwhodgins

Installed the tainted packages and ran strace on drakfont while installing a ttf font. Gunplay3D appeared in the font list in LibreOffice writer and was applied to a paragraph in a document.
$ grep freetype trace
open("/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 8
open("/usr/lib64/libfreetype.so.6.13.0", O_RDONLY) = 8
I was unable to backtrack to the free versions without removing the tainted.
Hit a brick wall:
# urpme lib64freetype6-2.7.1-2.2.mga6.tainted.x86_64
Removing the following package will break your system:
basesystem-6-0.4.mga6.x86_64
(due to missing bootloader)
Good for tainted anyway.

CC: (none) => tarazed25

> I was unable to backtrack to the free versions without removing the tainted.
> Hit a brick wall:
> # urpme lib64freetype6-2.7.1-2.2.mga6.tainted.x86_64
> Removing the following package will break your system:
> basesystem-6-0.4.mga6.x86_64
> (due to missing bootloader)
The following should work (I haven't tried it):
enable core/updates/testing
disable tainted/updates/testing
urpmi --downgrade lib64freetype6

CC: (none) => jim

Installed and tested without issues. Tested using firefox, okular, calibre, gimp and chromium browser. I tested both the core and tainted packages. Didn't notice any difference in font rendering.

System: Mageia 6, x86_64, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.20-desktop-1.mga6 #1 SMP Sun Feb 18 01:22:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep freetype6 | sort
lib64freetype6-2.7.1-2.2.mga6.tainted
lib64freetype6-devel-2.7.1-2.2.mga6.tainted
libfreetype6-2.7.1-2.2.mga6.tainted

@James Kerr, comment 6: Ah! Did not think of that. Thanks. Looks like it is well tested anyway for x86_64.
Len Lawrence
2018-02-20 02:22:38 CET
Whiteboard: (none) => MGA6-64-OK

Advisory committed to svn. Validating the update based on above tests.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0140.html

Status: NEW => RESOLVED