The upstream announcement mentions a security issue fixed in the new CFF driver: http://sourceforge.net/projects/freetype/files/freetype2/2.5.3/ It appears that the affected source files were added in 2.5.0, so Mageia 3 would not be affected. Funda has uploaded version 2.5.3 for Cauldron. We'll need to issue an update for Mageia 4. The upstream bug is here: https://savannah.nongnu.org/bugs/?41697#comment0 A quick summary was posted to oss-security here: http://openwall.com/lists/oss-security/2014/03/10/2 The two patches he linked apply cleanly to the package in Mageia 4. It's not clear yet whether the second one is needed or if CVE-2014-2241 is a valid identifier. I'm waiting for further clarification on this before committing anything to SVN.
According to RedHat, the code was added in 2.4.12. We have 2.4.11 in Mageia 3, so still not affected there. It sounds like the second CVE probably won't be used: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-2240
Severity: normal => critical
I've added the two patches for Mageia 4 just as Fedora has done in git for F20. I don't have an advisory yet, but all the details available about this issue are linked in the previous comments. Assigning to QA for testing.

Updated packages in core/updates_testing:
========================================
libfreetype6-2.5.0.1-3.1.mga4
libfreetype6-devel-2.5.0.1-3.1.mga4
libfreetype6-static-devel-2.5.0.1-3.1.mga4
freetype2-demos-2.5.0.1-3.1.mga4

from freetype2-2.5.0.1-3.1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Advisory:
========================
Updated freetype2 packages fix security vulnerabilities:

It was reported that Freetype before 2.5.3 suffers from an out-of-bounds stack-based read/write flaw in cf2_hintmap_build() in the CFF rasterizing code, which could lead to a buffer overflow (CVE-2014-2240).

It was also reported that Freetype before 2.5.3 has a denial-of-service vulnerability in the CFF rasterizing code, due to a reachable assertion (CVE-2014-2241).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2241
https://bugzilla.redhat.com/show_bug.cgi?id=1074646
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741299
Apparently there's an ftbench tool (freetype2-demos package) that you can run with the fonts attached to the upstream bug to cause a crash and reproduce this issue.
Test files from the original bug report (see Comment #0) are not available anymore. So simply test that the updates will install... Tested successfully in MGA4 64bit.
CC: (none) => marc.lattemann
Whiteboard: (none) => MGA4-64-OK
Installation of updates works as well in MGA4 32bit. Please upload the advisory from Comment #3 and validate the update. Thanks
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Validating update, advisory has been uploaded. Please push to 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0130.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Re-open bug report: When it was installed on my laptop I figured out that there is a tainted package available for libfreetype6, which is removed by the update...?

9/9: libfreetype6 ##############################################################
1/1: libfreetype6-2.5.0.1-3.mga4.tainted.i586 wird entfernt ##############################################################

Should the tainted version be updated as well? Sorry, I wasn't aware that there is a tainted package while testing it.
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Yes, I didn't realize the tainted version still existed, I thought the patents had expired or whatever. Anyway, the tainted version is now built in updates_testing.
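The removal seen in the urpmi output above is ordinary RPM version ordering rather than anything special about tainted packages: both packages carry the name libfreetype6, and the core update's release 3.1.mga4 sorts above the tainted package's 3.mga4, so the update wins and the tainted build is dropped. The script below is an added example written for this page, not code from the bug report, from Mageia or from rpm; it reimplements rpm's segment-wise version comparison in a simplified form (tilde/caret pre-release rules are left out, which is an assumption about what the reader needs here), and the version strings it checks are copied from the comments above. Function names are my own.

```python
import re

# Split a version or release string into runs of digits and runs of letters;
# separators such as '.', '-' and '_' are ignored, as rpmvercmp does.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: 1 if a is newer than b, -1 if older, 0 if equal.

    Assumption: the '~' and '^' pre-release rules of real rpm are not modelled.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            # Numeric segments: drop leading zeros, then the longer number is
            # bigger, and equal lengths compare digit by digit.
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
            if x != y:
                return 1 if x > y else -1
        elif x.isdigit():
            return 1   # a numeric segment is newer than an alphabetic one
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1   # letters compare as plain strings
    # Every shared segment matched: the string with more segments is newer.
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_evr(evr: str):
    """Split a 'version-release' string (epoch omitted) into its two parts."""
    version, _, release = evr.partition("-")
    return version, release


def compare_evr(a: str, b: str) -> int:
    """Order two version-release strings as rpm orders package builds:
    the version decides first, the release only breaks ties."""
    va, ra = split_evr(a)
    vb, rb = split_evr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def would_replace(installed: str, candidate: str) -> bool:
    """True when a same-named package with EVR `candidate` supersedes `installed`."""
    return compare_evr(candidate, installed) > 0


if __name__ == "__main__":
    tainted = "2.5.0.1-3.mga4.tainted"   # from the urpmi output in the report
    core_fix = "2.5.0.1-3.1.mga4"        # from the updates_testing package list
    print(f"{core_fix} replaces {tainted}: {would_replace(tainted, core_fix)}")
```

Running it confirms that the core 3.1.mga4 build supersedes the tainted 3.mga4 build, which is exactly what the urpmi transaction did. It also shows what a tainted rebuild has to satisfy for the behaviour described later in the thread (tainted packages replacing core ones): its release must sort above 3.1.mga4, so a QA check for such a rebuild is simply `would_replace(core_fix, tainted_rebuild)`; the rebuild's actual release number is not given on this page.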
Removed tags. Is there also a need for an updated advisory?
Keywords: validated_update => (none)
Whiteboard: MGA4-64-OK MGA4-32-OK advisory => (none)
I edited the advisory to add the missing package. When pushing the update, the advisory html page should be updated too.
Whiteboard: (none) => advisory
Tested successfully for mga4 32bit and 64bit. Tainted packages will replace core packages. Advisory already updated, so validating... Sysadmins, please push packages to tainted_updates. Thx
Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA4-32-OK MGA4-64-OK
Tainted packages pushed.
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/590903/