| Summary: | multiple security issues in freetype2 (CVE-2012-5668, CVE-2012-5669, CVE-2012-5670) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Oden Eriksson <oe> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, lemonzest, luigiwalser, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/530907/ | | |
| Whiteboard: | has_procedure mga2-64-OK mga2-32-OK | | |
| Source RPM: | freetype2-2.4.9-1.1 | CVE: | |
| Status comment: | | | |

Description
Oden Eriksson
2012-12-25 13:04:12 CET
Fixes added in r334917 (mga2, updates_testing, freetype2-2.4.9-1.1.mga2). Cauldron is unaffected.
Oden Eriksson
2012-12-25 13:07:29 CET
Summary:
multiple security issues in freetype2 =>
multiple security issues in freetype2 (CVE-2012-5668, CVE-2012-5669, CVE-2012-5670)
Manuel Hiebel
2012-12-25 14:13:14 CET
Assignee:
bugsquad =>
qa-bugs

Where are the usual tainted testing updates for this? (I use the sub pixel rendering in the tainted build)

CC:
(none) =>
lemonzest
Manuel Hiebel
2012-12-25 22:23:53 CET
Hardware:
i586 =>
All

Oden, we still need an actual advisory for the update.

I just submitted to tainted, so that'll be taken care of soon. The command to submit that is:

mgarepo submit 2/freetype2 --define section=tainted/updates_testing -t 2

Sysadmins, I accidentally also submitted the "freetype" SRPM to tainted/updates_testing, please remove this.

CC:
(none) =>
luigiwalser, sysadmin-bugs

The packages list for this update is:

libfreetype6-2.4.9-1.1.mga2
libfreetype6-devel-2.4.9-1.1.mga2
libfreetype6-static-devel-2.4.9-1.1.mga2
freetype2-demos-2.4.9-1.1.mga2

from freetype2-2.4.9-1.1.mga2.src.rpm

Proposed advisory:

A Null pointer de-reference flaw was found in the way Freetype font rendering engine handled Glyph bitmap distribution format (BDF) fonts. A remote attacker could provide a specially-crafted BDF font file, which once processed in an application linked against FreeType would lead to that application crash (CVE-2012-5668).

An out-of heap-based buffer read flaw was found in the way FreeType font rendering engine performed parsing of glyph information and relevant bitmaps for glyph bitmap distribution format (BDF). A remote attacker could provide a specially-crafted BDF font file, which once opened in an application linked against FreeType would lead to that application crash (CVE-2012-5669).

An out-of heap-based buffer write flaw was found in the way FreeType font rendering engine performed parsing of glyph information and relevant bitmaps for glyph bitmap distribution format (BDF). A remote attacker could provide a specially-crafted font file, which once opened in an application linked against FreeType would lead to that application crash, or, potentially, arbitrary code execution with the privileges of the user running the application (CVE-2012-5670).

References:
http://www.openwall.com/lists/oss-security/2012/12/25/2
https://bugzilla.redhat.com/show_bug.cgi?id=890087
https://bugzilla.redhat.com/show_bug.cgi?id=890088
https://bugzilla.redhat.com/show_bug.cgi?id=890094

Testing complete mga2 64

No PoCs so just checking xpdf displays ok with the updated packages and a few commands from 'urpmf freetype2-demos'.

There are actually 2 srpms with tainted so the package list is..

libfreetype6-2.4.9-1.1.mga2
libfreetype6-devel-2.4.9-1.1.mga2
libfreetype6-static-devel-2.4.9-1.1.mga2
freetype2-demos-2.4.9-1.1.mga2

from freetype2-2.4.9-1.1.mga2.src.rpm

and the same again from freetype2-2.4.9-1.1.mga2.tainted.src.rpm in tainted updates testing.

Whiteboard:
(none) =>
has_procedure mga2-64-OK

PoCs are in the upstream bug reports.

On Mageia 2 i586, and "ftbench zgraphics_r400-12.bdf.SIGSEGV.dbf.2501" using either the core release or tainted release versions cause ftbench to segfault while ftbench zevv-peep-iso8859-15-07x14.bdf.asan.70.2494 just gets the message couldn't load font resource.

With the Core Updates Testing or the Tainted Updates Testing version, "ftbench sym8.bdf.asan.39.2321" works, while both of the others get the message couldn't load font resource.

Also testing with xpdf, etc, doesn't show any regressions.

I'll test Mageia 2 x86-64 shortly.

CC:
(none) =>
davidwhodgins

Testing complete on Mageia 2 x86-64.

With Core/Tainted Release versions, all three files cause segfaults. With Core/Tainted Updates Testing versions, results are the same as with the i586 Updates Testing versions.

Could someone from the sysadmin team push the srpm freetype2-2.4.9-1.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm freetype2-2.4.9-1.1.mga2.tainted.src.rpm from Mageia 2 Tainted Updates Testing to Tainted Updates.

Advisory:

A Null pointer de-reference flaw was found in the way Freetype font rendering engine handled Glyph bitmap distribution format (BDF) fonts. A remote attacker could provide a specially-crafted BDF font file, which once processed in an application linked against FreeType would lead to that application crash (CVE-2012-5668).

An out-of heap-based buffer read flaw was found in the way FreeType font rendering engine performed parsing of glyph information and relevant bitmaps for glyph bitmap distribution format (BDF). A remote attacker could provide a specially-crafted BDF font file, which once opened in an application linked against FreeType would lead to that application crash (CVE-2012-5669).

An out-of heap-based buffer write flaw was found in the way FreeType font rendering engine performed parsing of glyph information and relevant bitmaps for glyph bitmap distribution format (BDF). A remote attacker could provide a specially-crafted font file, which once opened in an application linked against FreeType would lead to that application crash, or, potentially, arbitrary code execution with the privileges of the user running the application (CVE-2012-5670).

References:
http://www.openwall.com/lists/oss-security/2012/12/25/2
https://bugzilla.redhat.com/show_bug.cgi?id=890087
https://bugzilla.redhat.com/show_bug.cgi?id=890088
https://bugzilla.redhat.com/show_bug.cgi?id=890094
https://bugs.mageia.org/show_bug.cgi?id=8497

Keywords:
(none) =>
validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0369

Status:
NEW =>
RESOLVED
David Walser
2012-12-29 03:16:09 CET
URL:
(none) =>
http://lwn.net/Vulnerabilities/530907/

Patches now checked into Mageia 1 SVN.
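
The before/after ftbench comparison from the QA comments above, as an added shell example that is not part of the bug report: it runs a font tool on each sample file and reports whether the run was killed by a signal, was rejected with the "couldn't load font resource" message quoted in the thread, or loaded. The `FONT_TOOL` variable, the function names and the result labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report. FONT_TOOL defaults to ftbench
# (from freetype2-demos, as used in the thread); set it to another command
# or shell function to exercise the harness without FreeType installed.
FONT_TOOL=${FONT_TOOL:-ftbench}

# classify_run FILE
# Prints one of:
#   CRASH:<n>   tool was killed by signal n (11 = SIGSEGV on Linux)
#   REJECTED    tool printed "couldn't load font resource" and did not crash
#   LOADED      tool exited 0 without rejecting the font
#   ERROR:<n>   any other non-zero exit status
classify_run() {
    # "if" keeps this safe under "set -e": a failing tool must not abort us.
    if out=$("$FONT_TOOL" "$1" 2>&1); then status=0; else status=$?; fi
    if [ "$status" -gt 128 ]; then
        # The shell reports 128 + signal number for a signal-killed child.
        echo "CRASH:$((status - 128))"
    elif printf '%s\n' "$out" | grep -q "couldn't load font resource"; then
        echo "REJECTED"
    elif [ "$status" -eq 0 ]; then
        echo "LOADED"
    else
        echo "ERROR:$status"
    fi
}

# check_samples FILE...
# Prints one result line per file; returns 1 if any run crashed, else 0.
check_samples() {
    crashed=0
    for f in "$@"; do
        result=$(classify_run "$f")
        printf '%s\t%s\n' "$result" "$f"
        case $result in CRASH:*) crashed=1 ;; esac
    done
    return "$crashed"
}

# Run against files given on the command line (for example the samples
# attached to the upstream bug reports, saved locally).
if [ "$#" -gt 0 ]; then
    check_samples "$@"
fi
```

Run once with the release packages installed and once with the updates_testing packages; an updated build should produce no `CRASH` lines for the same files.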