Upstream has released version 2.5.4 on December 6:
http://sourceforge.net/projects/freetype/files/freetype2/2.5.4/

It fixes a security issue similar to CVE-2014-2240, which we fixed in Bug 12986. The upstream bug for this new issue is here:
http://savannah.nongnu.org/bugs/?43661

There is PoC information in the upstream bug, including attached files and instructions (using ftbench).

Funda has requested a freeze push for Cauldron.

Patched packages uploaded for Mageia 4. Note that there are core and tainted builds for this package.

I have not seen a CVE request for this new issue.

Advisory:
========================

Updated freetype2 packages fix security vulnerability:

It was reported that Freetype before 2.5.4 suffers from an out-of-bounds stack-based read/write flaw in cf2_hintmap_build() in the CFF rasterizing code, which could lead to a buffer overflow. This is due to an incomplete fix for CVE-2014-2240.

References:
http://sourceforge.net/projects/freetype/files/freetype2/2.5.4/
http://advisories.mageia.org/MGASA-2014-0130.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
libfreetype6-2.5.0.1-3.2.mga4
libfreetype6-devel-2.5.0.1-3.2.mga4
libfreetype6-static-devel-2.5.0.1-3.2.mga4
freetype2-demos-2.5.0.1-3.2.mga4

from freetype2-2.5.0.1-3.2.mga4.src.rpm
ftbench runs fine on my Mageia 4 x86-64 VM with the first two files of the proof-of-concept before the upgrade - no crashes here:

<QUOTE>
[shlomif@localhost ~]$ ftbench Downloads/asan_stack-oob_703c16_2728_cov_367593004_aspartam.otf
Load                  : 15.055 us/op
Load_Advances (Normal): 3.701 us/op
Load_Advances (Fast)  : 3.603 us/op
Render                : 20.554 us/op
Get_Glyph             : 0.757 us/op
Get_CBox              : 0.263 us/op
Get_Char_Index        : 0.014 us/op
Iterate CMap          : 1.852 us/op
New_Face              : 49.574 us/op
Embolden              : 0.145 us/op
Get_BBox              : 1.228 us/op
[shlomif@localhost ~]$ ftbench Downloads/asan_stac
asan_stack-oob_703c16_2728_cov_367593004_aspartam.otf  asan_stack-oob_703c16_5479_cov_4290077649_elsewher.otf
[shlomif@localhost ~]$ ftbench Downloads/asan_stack-oob_703c16_5479_cov_4290077649_elsewher.otf
Load                  : 25.850 us/op
Load_Advances (Normal): 2.449 us/op
Load_Advances (Fast)  : 2.300 us/op
Render                : 29.591 us/op
Get_Glyph             : 2.044 us/op
Get_CBox              : 1.525 us/op
Get_Char_Index        : 0.015 us/op
Iterate CMap          : 1.987 us/op
New_Face              : 48.291 us/op
Embolden              : 1.477 us/op
Get_BBox              : 2.823 us/op
[shlomif@localhost ~]$ rpm -q lib64freetype6
lib64freetype6-2.5.0.1-3.1.mga4.tainted
[shlomif@localhost ~]$
</QUOTE>
CC: (none) => shlomif
Testing mga4 32

Before
------
Reproduce the crash with PoC from http://savannah.nongnu.org/bugs/?43661

$ ftbench asan_stack-oob_703c16_5479_cov_4290077649_elsewher.otf
Load                  : *** stack smashing detected ***: ftbench terminated
======= Backtrace: =========
/lib/i686/libc.so.6(+0x6b8f3)[0xb75768f3]
/lib/i686/libc.so.6(__fortify_fail+0x45)[0xb7610175]
/lib/i686/libc.so.6(+0x10512a)[0xb761012a]
/lib/libfreetype.so.6(_fini+0x0)[0xb7728824]
/lib/libfreetype.so.6(+0x3089e)[0xb76f389e]
/lib/libfreetype.so.6(+0x32387)[0xb76f5387]
/lib/libfreetype.so.6(+0x32408)[0xb76f5408]
/lib/libfreetype.so.6(+0x327e2)[0xb76f57e2]
/lib/libfreetype.so.6(+0x3416b)[0xb76f716b]
/lib/libfreetype.so.6(+0x3522a)[0xb76f822a]
/lib/libfreetype.so.6(+0x35b07)[0xb76f8b07]
/lib/libfreetype.so.6(FT_Load_Glyph+0x1a8)[0xb76d5758]
ftbench[0x804986d]
ftbench[0x804a054]
ftbench[0x804962e]
/lib/i686/libc.so.6(__libc_start_main+0xf3)[0xb7524b33]
ftbench[0x804971b]
...etc

After
-----
Updating to version from Core Updates Testing..

$ ftbench asan_stack-oob_703c16_5479_cov_4290077649_elsewher.otf
Load                  : 44.192 us/op
Load_Advances (Normal): 5.152 us/op
Load_Advances (Fast)  : 4.911 us/op
Render                : 45.726 us/op
Get_Glyph             : 7.030 us/op
Get_CBox              : 5.662 us/op
Get_Char_Index        : 0.108 us/op
Iterate CMap          : 9.843 us/op
New_Face              : 234.214 us/op
Embolden              : 4.814 us/op
Get_BBox              : 7.468 us/op

Other two PoC files also OK.

Updating to version from Tainted Updates Testing..

All OK.
Whiteboard: (none) => has_procedure mga4-32-ok
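The before/after check above, as an added POSIX shell harness that is not part of the bug report or of freetype2: it runs ftbench over each font path given on the command line and classifies each run as OK, CRASH or ERROR from the exit status and glibc's "stack smashing detected" message. FTBENCH, classify_run and check_font are names chosen here; the font paths are whatever the tester supplies (e.g. the PoC files attached to the upstream bug).

```shell
#!/bin/sh
# Added QA harness (not from the bug report): run ftbench over font files and
# report whether each run completed, crashed, or was refused.
FTBENCH="${FTBENCH:-ftbench}"   # ftbench from freetype2-demos, or a stub

# classify_run OUTPUT EXITCODE -> prints OK | CRASH | ERROR
# Exit codes >= 128 mean the process died from a signal (SIGABRT=134,
# SIGSEGV=139). glibc's FORTIFY check prints "stack smashing detected"
# and aborts, which is what the 32-bit "Before" run showed.
classify_run() {
    out=$1; rc=$2
    case "$out" in
        *"stack smashing detected"*) echo CRASH; return 0 ;;
    esac
    if [ "$rc" -ge 128 ]; then echo CRASH
    elif [ "$rc" -ne 0 ]; then echo ERROR
    else echo OK
    fi
}

# check_font FILE -> prints "<verdict> <file>"; succeeds only for OK.
check_font() {
    f=$1
    # ftbench prints timings on stdout and the abort message on stderr;
    # capture both so the classifier sees either. The if-form keeps a
    # failing run from tripping set -e.
    if out=$("$FTBENCH" "$f" 2>&1); then rc=0; else rc=$?; fi
    verdict=$(classify_run "$out" "$rc")
    echo "$verdict $f"
    [ "$verdict" = OK ]
}

# Record the package under test, then check every file given; exit 1 if
# any run did not come back OK.
if [ "$#" -gt 0 ]; then
    rpm -q lib64freetype6 libfreetype6 2>/dev/null
    fail=0
    for f in "$@"; do check_font "$f" || fail=1; done
    exit "$fail"
fi
```

Run it before the update with the PoC fonts to see CRASH, and again after `urpmi --auto-update` from updates_testing to see OK on the same files.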
Happy to add the OK for 64bit Shlomi?
(In reply to claire robinson from comment #3)
> Happy to add the OK for 64bit Shlomi?

I don't know - I was unable to reproduce the crash on my Mga4-x86-64-VM, but I'm fine that you OK it.
MGA-4-64 on HP Probook 6555b

I ran the command on one of the existing files:

>ftbench /usr/share/fonts/75dpi/helvBO08-ISO8859-15.pcf.gz
Load                  : 0.755 us/op
Load_Advances (Normal): 0.757 us/op
Load_Advances (Fast)  : 0.758 us/op
Render                : 0.092 us/op
Get_Glyph             : 0.209 us/op
Get_CBox              : 0.096 us/op
Get_Char_Index        : inf us/op
Iterate CMap          : 0.089 us/op
New_Face              : 192.562 us/op
Embolden              : 0.085 us/op
Get_BBox              : 0.091 us/op

That demonstrates that it does not crash.
CC: (none) => herman.viaene
Whiteboard: has_procedure mga4-32-ok => has_procedure MGA4-32-OK MGA4-64-OK
CVE request: http://openwall.com/lists/oss-security/2014/12/10/6
David may need to add more patches, adding feedback for now.
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure feedback MGA4-32-OK MGA4-64-OK
After discussion in QA meeting it was decided to push this one and update again later. Validating.

Advisory uploaded (including tainted srpm).

Please push to updates. Thanks.
Whiteboard: has_procedure feedback MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0526.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Fedora has issued an advisory for this on December 13: https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146933.html
URL: (none) => http://lwn.net/Vulnerabilities/627590/
This appears to be CVE-2014-9659: https://bugzilla.redhat.com/show_bug.cgi?id=1191081
Summary: freetype2 new security issue fixed upstream in 2.5.4 (similar to CVE-2014-2240) => freetype2 new security issue fixed upstream in 2.5.4 (CVE-2014-9659)