| Summary: | Updated freetype2 package to fix CVE-2011-0226 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Funda Wang <fundawang> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, dmorganec, doktor5000, qa-bugs, stormi-mageia, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | Security, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 | | |
| Whiteboard: | | | |
| Source RPM: | freetype2-2.4.6-0.1.mga1.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 3081 | | |
| Bug Blocks: | | | |
Description
Funda Wang
2011-08-20 19:29:44 CEST

Am I correct it's the libfreetype6 rpm package that should be the target of testing?

I've confirmed I can view pdf files using xpdf, which uses libfreetype.so.6 with both the Core Updates Testing, and Tainted Updates Testing versions on my i586 system.

CC:
(none) =>
davidwhodgins

(In reply to comment #1)
> Am I correct it's the libfreetype6 rpm package that should be the target
> of testing?

Yes.

As discussed on IRC with misc and Motoko, we will revert to previous freetype and only fix the CVE by patching; see http://pkgs.fedoraproject.org/gitweb/?p=freetype.git;a=blob;f=freetype-2.4.5-CVE-2011-0226.patch;h=f0afa216d1b839d9d8fcad405f978b161d3e4d0a;hb=36cb801677cebff0a144ced7a9314e0ea7c484f5

I will do this tomorrow.

CC:
(none) =>
dmorganec

The update has been pushed by dmorgan. Please test 2.4.4-5.1.mga1 and 2.4.4-5.1.mga1.tainted

CC:
(none) =>
stormi

I had to manually uninstall libfreetype6-2.4.6. I then installed libfreetype6 from Core Updates Testing. Confirmed xpdf worked. Used mgaapplet to install the tainted version. Confirmed xpdf still worked.

Testing of the srpms
freetype2-2.4.4-5.1.mga1.src.rpm
freetype2-2.4.4-5.1.mga1.tainted.src.rpm
complete on i586.

(In reply to comment #1)
> I've confirmed I can view pdf files using xpdf, which uses libfreetype.so.6
> with both the Core Updates Testing, and Tainted Updates Testing versions
> on my i586 system.

Can you give a link to a PDF with a crafted Type 1 font, as mentioned in the CVE? I'd like to test this on x86_64, and I've found only "exploited via JailBreakMe" so far.

Would the opening of the PDF with xpdf (linked here: http://lists.nongnu.org/archive/html/freetype-devel/2011-07/msg00014.html ) be enough to ensure the CVE is definitely fixed?

CC:
(none) =>
doktor5000

No. I tried that with xpdf before installing the update, and it didn't fail, so we don't seem to have a working poc. Without a working poc, all we can test, is that the program appears to be working ok.

This update still needs testing on x86_64.

Please make sure the tested packages are:
libfreetype6-2.4.4-5.1.mga1
libfreetype6-2.4.4-5.1.mga1.tainted

Without a working exploit available outside iOS, we can only test that it works correctly. IINM freetype is used everywhere when a font is printed so it should be easy to check that it works. Also maybe open a PDF with xpdf like Dave Hodgins did.

You will probably need to reboot after switching from the core package to the tainted one.

There's a problem with this update: freetype2-2.4.4-5.1.mga1.tainted.src.rpm is in both Tainted Updates Testing and Tainted Updates, and the 2 packages are different! I think that dmorgan forgot to increase the subrel when reverting to the 2.4.4 version, am I right?

CC:
(none) =>
qa-bugs
Samuel Verschelde
2011-09-12 14:33:20 CEST
Keywords:
(none) =>
Security

I will look at this then. Thank you.

Ping. What is the status of this update please?

Should be available for tests now.

Assignee:
dmorganec =>
qa-bugs
Manuel Hiebel
2011-10-17 12:36:17 CEST
Depends on:
(none) =>
3081

Tested OK i586

x86_64: Should there be a 64 bit build of libfreetype6? I notice the i586 version is installed and nothing in x86_64 Updates Testing. i586 version tested OK on x86_64 if that is correct?

So, there is a 64bit build of libfreetype6 but for some reason the i586 version is installed on an x86_64 system and not the x86_64 version. A tainted x86_64 version was installed however beside the i586 core version.

    Oct 18 13:00:11 mega perl: [RPM] libfreetype6-2.4.4-5.2.mga1.i586 installed
    Oct 18 13:00:11 mega perl: [RPM] libfreetype6-2.4.4-4.mga1.i586 removed

Today..

    Oct 19 12:21:59 mega urpmi: called with: --media Core Updates Testing (distrib5) lib64freetype6
    Oct 19 12:22:00 mega perl: [RPM] lib64freetype6-2.4.4-5.2.mga1.x86_64 installed
    Oct 19 12:22:01 mega perl: [RPM] lib64freetype6-2.4.4-5.1.mga1.tainted.x86_64 removed
    Oct 19 12:30:47 mega rpmdrake[30650]: [RPM] lib64freetype6-devel-2.4.4-5.2.mga1.x86_64 installed
    Oct 19 12:30:48 mega rpmdrake[30650]: [RPM] lib64freetype6-devel-2.4.4-5.1.mga1.tainted.x86_64 removed

This is a little odd!

Testing with xpdf. Confirmed it was using the 64 bit libfreetype6 using strace and tested OK.

Installed x86_64 tainted version and checked again. All appears OK.

Validating the update

Advisory
--------------------
A vulnerability was discovered and corrected in freetype2:

Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011 (CVE-2011-0226).

The updated packages have been patched to correct this issue.

---------------------

SRPMs:
freetype2-2.4.4-5.2.mga1.src.rpm
freetype2-2.4.4-5.2.mga1.tainted.src.rpm

Could sysadmin please push to updates, thank you.

Keywords:
(none) =>
validated_update

Update pushed.

Status:
NEW =>
RESOLVED
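
The package-state check the testers in this thread did by reading logs, written out as an added example that is not part of the original bug report: it replays the RPM transaction lines quoted above and lists any installed freetype build other than the one named in the advisory. The function names and the optional prior-state argument are hypothetical, chosen for illustration.

```python
import re

# Build named in the advisory's SRPM list on this page.
VALIDATED = "2.4.4-5.2.mga1"

# RPM transaction log lines as quoted in the thread.
THREAD_LOG = """\
Oct 18 13:00:11 mega perl: [RPM] libfreetype6-2.4.4-5.2.mga1.i586 installed
Oct 18 13:00:11 mega perl: [RPM] libfreetype6-2.4.4-4.mga1.i586 removed
Oct 19 12:21:59 mega urpmi: called with: --media Core Updates Testing (distrib5) lib64freetype6
Oct 19 12:22:00 mega perl: [RPM] lib64freetype6-2.4.4-5.2.mga1.x86_64 installed
Oct 19 12:22:01 mega perl: [RPM] lib64freetype6-2.4.4-5.1.mga1.tainted.x86_64 removed
Oct 19 12:30:47 mega rpmdrake[30650]: [RPM] lib64freetype6-devel-2.4.4-5.2.mga1.x86_64 installed
Oct 19 12:30:48 mega rpmdrake[30650]: [RPM] lib64freetype6-devel-2.4.4-5.1.mga1.tainted.x86_64 removed
""".splitlines()

# name-version-release.arch: version and release never contain a hyphen.
EVENT = re.compile(
    r"\[RPM\] (?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.\s]+) "
    r"(?P<action>installed|removed)$"
)

def replay(lines, installed=()):
    """Apply install/remove events to a set of (name, ver, rel, arch)."""
    state = set(installed)  # optional prior state (hypothetical parameter)
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # e.g. the "urpmi: called with" line
        pkg = (m["name"], m["ver"], m["rel"], m["arch"])
        # An upgrade logs "new installed" and then "old removed", so track
        # exact builds; keying on the package name would drop the new one.
        if m["action"] == "installed":
            state.add(pkg)
        else:
            state.discard(pkg)
    return state

def not_validated(state):
    """Return installed freetype builds that differ from the advisory build."""
    out = []
    for name, ver, rel, arch in sorted(state):
        base = rel[:-len(".tainted")] if rel.endswith(".tainted") else rel
        if "freetype" in name and f"{ver}-{base}" != VALIDATED:
            out.append(f"{name}-{ver}-{rel}.{arch}")
    return out

if __name__ == "__main__":
    print(not_validated(replay(THREAD_LOG)))
```

Passing the packages known to be installed before the first log line as `installed` shows builds the log never touched, such as a 64-bit tainted package left in place while only the i586 core package was updated.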