Fedora has issued an advisory on February 18: https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150162.html

We already have 2.5.4 in Cauldron. Note that CVE-2014-9665 and CVE-2014-9668 don't affect 2.5.0.1.

Patched package uploaded for Mageia 4. Note that there are core and tainted builds for this package.

Advisory:
========================

Updated freetype2 packages fix security vulnerabilities:

The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font (CVE-2014-9656).

The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font (CVE-2014-9657).

The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font (CVE-2014-9658).

The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not properly handle a missing ENDCHAR record, which allows remote attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted BDF font (CVE-2014-9660).

type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font (CVE-2014-9661).

cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font (CVE-2014-9662).

The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table (CVE-2014-9663).

FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c (CVE-2014-9664).

The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap (CVE-2014-9666).

sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table (CVE-2014-9667).

Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table (CVE-2014-9669).

Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row (CVE-2014-9670).

Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PCF file with a 0xffffffff size value that is improperly incremented (CVE-2014-9671).

Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file (CVE-2014-9672).

Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font (CVE-2014-9673).

The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font (CVE-2014-9674).

bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font (CVE-2014-9675).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9661
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9666
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9667
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9675
https://bugzilla.redhat.com/show_bug.cgi?id=1191095
https://bugzilla.redhat.com/show_bug.cgi?id=1191096
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150162.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
libfreetype6-2.5.0.1-3.3.mga4
libfreetype6-devel-2.5.0.1-3.3.mga4
libfreetype6-static-devel-2.5.0.1-3.3.mga4
freetype2-demos-2.5.0.1-3.3.mga4

from freetype2-2.5.0.1-3.3.mga4.src.rpm
Details on these were supposed to be posted on oss-security, but I guess the guy forgot: http://openwall.com/lists/oss-security/2014/12/10/7

I had forgotten I had mentioned this in our last update: https://bugs.mageia.org/show_bug.cgi?id=14771#c6 until I was looking into this one. I'm not sure where RedHat finally ended up getting the details from. Maybe they dug them up themselves.

Anyway, there are PoCs for some of these CVEs. Some of the upstream (GNU Savannah) bugs are closed, but here are links for the ones that are open, and Google bugs (which I got from the RedHat bugs) for the upstream ones that are closed. The Google bugs I linked, and the ones I indicated that don't have a PoC, don't have one. The others do.

CVE-2014-9675: https://savannah.nongnu.org/bugs/?43535
CVE-2014-9673: (s43539) https://code.google.com/p/google-security-research/issues/detail?id=154
CVE-2014-9674: (s43538) https://code.google.com/p/google-security-research/issues/detail?id=153
CVE-2014-9672: (s43540) https://code.google.com/p/google-security-research/issues/detail?id=155
CVE-2014-9671: https://savannah.nongnu.org/bugs/?43547
CVE-2014-9670: https://savannah.nongnu.org/bugs/?43548
CVE-2014-9669: https://savannah.nongnu.org/bugs/?43588 (no PoC)
CVE-2014-9667: https://savannah.nongnu.org/bugs/?43590 (no PoC)
CVE-2014-9666: https://savannah.nongnu.org/bugs/?43591 (no PoC)
CVE-2014-9664: https://savannah.nongnu.org/bugs/?43655
CVE-2014-9663: https://savannah.nongnu.org/bugs/?43656
CVE-2014-9662: https://savannah.nongnu.org/bugs/?43658
CVE-2014-9661: https://savannah.nongnu.org/bugs/?43659
CVE-2014-9660: https://savannah.nongnu.org/bugs/?43660
CVE-2014-9658: https://savannah.nongnu.org/bugs/?43672
CVE-2014-9657: https://savannah.nongnu.org/bugs/?43679
CVE-2014-9656: https://savannah.nongnu.org/bugs/?43680
Also note that two of the CVEs are rated as high severity, so we could play with the CVEs, but checking for obvious regressions and getting the update out are more important. I used the same patches Fedora used for the Fedora 20 update. I can confirm that things look fine in applications that use libfreetype6, like Firefox, LibreOffice, xpdf, and okular.
I'll test a few applications on my 64-bit machine.

Carolyn
CC: (none) => cmrisolde
Actually, does this only affect 32-bit packages and not the lib64freetype... ones?

Carolyn
Update is only to the 32-bit freetype package, not 64-bit.
CC: (none) => ozkyster
Both arches should have been updated. There are also core updates_testing and tainted updates_testing versions to test.

General tests:
https://bugs.mageia.org/show_bug.cgi?id=8497#c7
https://bugs.mageia.org/show_bug.cgi?id=14771
Whiteboard: (none) => has_procedure
Yes, sorry, I need to correct that: the mirror just hadn't synced the 64-bit packages yet.
OK, I'll try and have a look tomorrow.
On my 64-bit laptop with the Core updates, installation proceeded smoothly, no regressions noticed in Firefox, LibreOffice or Okular. Running "ftbench /usr/share/fonts/75dpi/helvBO08-ISO8859-15.pcf.gz" worked fine before and after update. Will have a look at the Tainted ones shortly.
On my 64-bit laptop with the Core updates, installation proceeded smoothly, no regressions noticed in Firefox, LibreOffice or Okular. Running "ftbench /usr/share/fonts/75dpi/helvBO08-ISO8859-15.pcf.gz" worked fine before and after update. Same again with the Tainted packages, no problems noticed.
Testing on Mageia4x64, real hardware

From current packages:
---------------------
lib64freetype6-2.5.0.1-3.2.mga4 core and tainted

$ ftbench asan_stack-oob_703c16_2728_cov_367593004_aspartam.otf
$ ftbench asan_stack-oob_703c16_5479_cov_4290077649_elsewher.otf
$ ftbench asan_stack-oob_703c16_3507_cov_3211953920_ccapshad.otf

Updated to testing packages:
---------------------------
- freetype2-demos-2.5.0.1-3.3.mga4.x86_64
- lib64freetype6-2.5.0.1-3.3.mga4.x86_64
- lib64freetype6-devel-2.5.0.1-3.3.mga4.x86_64
- lib64freetype6-static-devel-2.5.0.1-3.3.mga4.x86_64

Ran same ftbenchs = OK
$ ftgamma asan_stack-oob_703c16_3507_cov_3211953920_ccapshad.otf = OK
$ ftdump asan_stack-oob_703c16_3507_cov_3211953920_ccapshad.otf = OK
$ ftdiff asan_stack-oob_703c16_3507_cov_3211953920_ccapshad.otf = OK

Updated to the same version 2.5.0.1-3.3.mga4 in tainted. Ran same fttests = OK
CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK
MGA4-32 on Acer D620 Xfce
Installed from Core Updates, no installation issues.

$ ftbench asan_stack-oob_703c16_2728_cov_367593004_aspartam.otf
couldn't load font resource

Only otf files on my system:
$ locate *.otf
/usr/share/fonts/abattis-cantarell-fonts/Cantarell-Bold.otf
/usr/share/fonts/abattis-cantarell-fonts/Cantarell-Regular.otf

So??????
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #12)
> MGA4-32 on Acer D620 Xfce
> Installed from Core Updates, no installation issues.
> $ ftbench asan_stack-oob_703c16_2728_cov_367593004_aspartam.otf
> couldn't load font resource
> Only otf files on my system:
> $ locate *.otf
> /usr/share/fonts/abattis-cantarell-fonts/Cantarell-Bold.otf
> /usr/share/fonts/abattis-cantarell-fonts/Cantarell-Regular.otf
> So??????

Hi Herman,

In comment 11, I used OpenType fonts downloaded from the FreeType Project site, but you can use any fonts located in your /usr/share/fonts folder, I think.
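The reply above says any font under /usr/share/fonts will do for the ftbench check. As an added example (not from this bug report, Mageia QA, or the FreeType project), here is a small POSIX sh helper that runs one of the freetype2-demos tools (ftbench, ftdump or ftgamma, as used in comment 11) over every font under a directory and counts the files it fails to load, so the same run can be compared before and after installing the candidate package. It assumes the tool exits non-zero when it cannot load a font (ftbench prints "couldn't load font resource") and that font paths contain no newline characters.

```shell
#!/bin/sh
# Added example, not from the bug report or from FreeType: regression check that
# loads every font under a directory with a freetype2-demos tool. Run it once on the
# current lib64freetype6/libfreetype6 and once on the updates_testing build; both runs
# should report failed=0 and the same ok= count.
# Assumptions: the tool exits non-zero when a font cannot be loaded, and font paths
# contain no newline characters.

# check_fonts TOOL DIR
#   prints "ok=N failed=M" on stdout, one "FAIL: path" line per bad font on stderr,
#   and returns 0 only when every font loaded.
check_fonts() {
    tool=$1
    dir=$2
    ok=0
    failed=0
    list=$(mktemp) || return 2
    # Formats that appear on this page: OpenType/TrueType, gzipped PCF, BDF, Type 1.
    find "$dir" -type f \( -name '*.otf' -o -name '*.ttf' -o -name '*.pcf.gz' \
        -o -name '*.bdf' -o -name '*.pfb' \) > "$list"
    # Read from a file rather than a pipe so the counters survive the loop
    # (a piped while-loop runs in a subshell in POSIX sh).
    while IFS= read -r font; do
        if "$tool" "$font" >/dev/null 2>&1; then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
            echo "FAIL: $font" >&2
        fi
    done < "$list"
    rm -f "$list"
    echo "ok=$ok failed=$failed"
    [ "$failed" -eq 0 ]
}

# Typical use on a Mageia box: check_fonts ftbench /usr/share/fonts
if [ "$#" -ge 2 ]; then
    check_fonts "$1" "$2"
fi
```

A non-zero exit with a FAIL line for a font that loaded fine before the update is the regression signal to report back on the bug.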
Testing complete mga4 32, core and tainted. ftbench and general use; many applications use this library:

urpmq --whatrequires libfreetype6
Whiteboard: has_procedure MGA4-64-OK => has_procedure mga4-32-ok MGA4-64-OK
Validating. Advisory uploaded, added the tainted srpm. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok MGA4-64-OK => has_procedure advisory mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0083.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED