Bug 12986 - freetype2 new security issue fixed upstream in 2.5.3 (CVE-2014-2240)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/590903/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Keywords: validated_update

Reported: 2014-03-10 17:33 CET by David Walser
Modified: 2014-03-18 17:51 CET (History)

Source RPM: freetype2-2.5.0.1-3.mga4.src.rpm

Description David Walser 2014-03-10 17:33:10 CET
The upstream announcement mentions a security issue fixed in the new CFF driver:
http://sourceforge.net/projects/freetype/files/freetype2/2.5.3/

It appears that the affected source files were added in 2.5.0, so Mageia 3 would not be affected.

Funda has uploaded version 2.5.3 for Cauldron.

We'll need to issue an update for Mageia 4.

The upstream bug is here:
https://savannah.nongnu.org/bugs/?41697#comment0

A quick summary was posted to oss-security here:
http://openwall.com/lists/oss-security/2014/03/10/2

The two patches he linked apply cleanly to the package in Mageia 4.

It's not clear yet whether the second one is needed or if CVE-2014-2241 is a valid identifier.  I'm waiting for further clarification on this before committing anything to SVN.

Comment 1 David Walser 2014-03-11 13:47:57 CET
According to RedHat, the code was added in 2.4.12.  We have 2.4.11 in Mageia 3, so still not affected there.  It sounds like the second CVE probably won't be used:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-2240
Comment 2 David Walser 2014-03-11 20:38:32 CET
I've added the two patches for Mageia 4 just as Fedora has done in git for F20.

I don't have an advisory yet, but all the details available about this issue are linked in the previous comments.  Assigning to QA for testing.

Updated packages in core/updates_testing:
========================================
libfreetype6-2.5.0.1-3.1.mga4
libfreetype6-devel-2.5.0.1-3.1.mga4
libfreetype6-static-devel-2.5.0.1-3.1.mga4
freetype2-demos-2.5.0.1-3.1.mga4

from freetype2-2.5.0.1-3.1.mga4.src.rpm
Comment 3 David Walser 2014-03-12 12:57:25 CET
Advisory:
========================

Updated freetype2 packages fix security vulnerabilities:

It was reported that Freetype before 2.5.3 suffers from an out-of-bounds
stack-based read/write flaw in cf2_hintmap_build() in the CFF rasterizing
code, which could lead to a buffer overflow (CVE-2014-2240).

It was also reported that Freetype before 2.5.3 has a denial-of-service
vulnerability in the CFF rasterizing code, due to a reachable assertion
(CVE-2014-2241).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2241
https://bugzilla.redhat.com/show_bug.cgi?id=1074646
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741299
Comment 4 David Walser 2014-03-13 21:46:10 CET
Apparently there's an ftbench tool (freetype2-demos package) that you can run with the fonts attached to the upstream bug to cause a crash and reproduce this issue.
Comment 5 Marc Lattemann 2014-03-14 22:43:01 CET
Test files from the original bug report (see Comment #0) are not available anymore. So simply test that updates will install...

Tested successfully in MGA4 64bit
Comment 6 Marc Lattemann 2014-03-14 22:52:36 CET
Installation of updates works as well in MGA4 32bit.

Please upload advisory from Comment #3 and validate the update.

Thanks
Comment 7 Rémi Verschelde 2014-03-14 23:08:23 CET
Validating update, advisory has been uploaded.
Please push to 4 core/updates.
Comment 8 Thomas Backlund 2014-03-15 17:35:56 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0130.html
Comment 9 Marc Lattemann 2014-03-16 10:51:48 CET
Re-open bug-report:

When it was installed on my laptop I figured out that there is a tainted package available for libfreetype6, which is removed by the update...?

  9/9: libfreetype6          ##############################################################
      1/1: libfreetype6-2.5.0.1-3.mga4.tainted.i586 wird entfernt
                                 ##############################################################

Should the tainted version be updated as well?

Sorry, I wasn't aware that there is a tainted package while testing it.
Comment 10 David Walser 2014-03-16 12:16:00 CET
Yes, I didn't realize the tainted version still existed, I thought the patents had expired or whatever.  Anyway, the tainted version is now built in updates_testing.
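As an added example (not code from this bug or from Mageia), a small Python check that reads an `rpm -qa` style listing and reports whether the subpackages listed in Comment 2 are at or above the fixed core release, and flags an installed `.tainted` variant like the one Comment 9 shows being removed, since that variant needs the separate tainted_updates build from Comment 10 rather than the core one. The listing is constructed, and the version comparison is a simplified rpmvercmp written here, not librpm's.

```python
import re

# Fixed core release and subpackages from Comment 2 of the bug.
FIXED_VERSION, FIXED_RELEASE = "2.5.0.1", "3.1.mga4"
ADVISORY_PACKAGES = {"libfreetype6", "libfreetype6-devel", "libfreetype6-static-devel", "freetype2-demos"}

def rpm_vercmp(a, b):
    """Simplified rpmvercmp (-1, 0, 1): digit runs compare as integers, letter
    runs lexically, and a numeric segment beats an alphabetic one at the same slot."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", v) for v in (a, b))  # separators dropped
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # so '3.1.mga4' > '3.mga4'
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nevra(line):
    """Split 'name-version-release.arch' (no epoch); '.tainted' stays in the release."""
    base, arch = line.rsplit(".", 1)
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch

def audit(rpm_qa_lines):
    """Return {name.arch: status} for each advisory package in an 'rpm -qa' listing."""
    report = {}
    for line in rpm_qa_lines:
        name, version, release, arch = parse_nevra(line.strip())
        if name not in ADVISORY_PACKAGES:
            continue
        cmp = rpm_vercmp(version, FIXED_VERSION) or rpm_vercmp(release, FIXED_RELEASE)
        tainted = ".tainted" in release
        if cmp >= 0:
            status = "fixed (tainted build)" if tainted else "fixed"
        elif tainted:   # the core update would replace it, as Comment 9 shows
            status = "outdated tainted: needs the tainted_updates build"
        else:
            status = "outdated: below " + FIXED_VERSION + "-" + FIXED_RELEASE
        report[name + "." + arch] = status
    return report

# Constructed 'rpm -qa' excerpt modelled on the removal shown in Comment 9.
SAMPLE_RPM_QA = ["libfreetype6-2.5.0.1-3.mga4.tainted.i586",
                 "libfreetype6-devel-2.5.0.1-3.1.mga4.i586",
                 "freetype2-demos-2.5.0.1-3.1.mga4.i586",
                 "bash-4.2-53.mga4.i586"]
```

Running `audit(SAMPLE_RPM_QA)` reports the tainted libfreetype6 as outdated and needing the tainted build while the two core packages are reported fixed; unrelated packages are ignored.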
Comment 11 Marc Lattemann 2014-03-16 12:42:46 CET
Removed tags. 

Is there also a need for an updated advisory?
Comment 12 Rémi Verschelde 2014-03-16 12:45:52 CET
I edited the advisory to add the missing package. When pushing the update, the advisory html page should be updated too.
Comment 13 Marc Lattemann 2014-03-16 14:37:46 CET
Tested successfully for mga4 32bit and 64bit. Tainted packages will replace core packages.

Advisory already updated, so validating...

Sysadmins, please push packages to tainted_updates. Thx
Comment 14 Thomas Backlund 2014-03-16 15:24:13 CET
Tainted packages pushed
