Bug 20465 - freetype2 new security issue CVE-2016-10244
Summary: freetype2 new security issue CVE-2016-10244
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Reported: 2017-03-13 11:21 CET by David Walser
Modified: 2017-03-25 17:57 CET (History)
3 users (show)

See Also:
Source RPM: freetype2-2.5.4-2.mga5.src.rpm
Status comment:


Description David Walser 2017-03-13 11:21:00 CET
Fedora has issued an advisory on March 12:

The upstream commit that fixed the issue is linked from the RedHat bug:

The fix was likely included in the 2.7.0 or 2.7.1 release.
Comment 1 Rémi Verschelde 2017-03-13 11:23:21 CET
Assigning to package maintainer. I may have a look at it myself in the evening if Shlomi doesn't beat me to it.

Assignee: bugsquad => shlomif

Comment 2 Rémi Verschelde 2017-03-13 22:20:39 CET
Submitted freetype2-2.5.4-2.1.mga5 to {core,tainted}/updates_testing with the upstream patch.


Updated freetype2 packages fix security vulnerability

  The parse_charstrings function in type1/t1load.c in FreeType 2 did not ensure
  that a font contains a glyph name, which could allow remote attackers to cause
  a denial of service (heap-based buffer over-read) or possibly have unspecified
  other impact via a crafted file (CVE-2016-10244).

 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36
 - http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/type1/t1load.c?h=VER-2-7&id=a660e3de422731b94d4a134d27555430cbb6fb39

RPMs in {core,tainted}/updates_testing:




Rémi Verschelde 2017-03-13 22:21:50 CET

Assignee: shlomif => qa-bugs

Comment 3 Lewis Smith 2017-03-14 21:42:52 CET
Prior to testing
Testing ideas: https://bugs.mageia.org/show_bug.cgi?id=16739

freetype2-demos: "The demos package includes a set of useful small utilities showing various capabilities of the FreeType library:"
 /usr/bin/ftbench      run FreeType benchmarks
â /usr/bin/ftdiff       compare font hinting modes
 â/usr/bin/ftdump       simple font dumper
â /usr/bin/ftgamma      ?
â /usr/bin/ftgrid       simple glyph grid viewer
â /usr/bin/ftlint       simple font tester
â /usr/bin/ftmulti      multiple masters font viewer
â /usr/bin/ftstring     string viewer
â /usr/bin/ftvalid      layout table validator
â /usr/bin/ftview       simple glyph viewer

Fonts are in /usr/share/fonts/...
A few likely subdirectories from many more:-
âââ default
â   âââ ghostscript
â   âââ Type1
âââ gnu-free       [ttf]
âââ ttf
â   âââ western
âââ Type1

x64: Too late for me to test this now, will return tomorrow morning.

CC: (none) => lewyssmith

Comment 4 Lewis Smith 2017-03-15 10:02:58 CET
Testing M5_84

I could not get some commands to work (notably ftlint), not sure whether they are Type1/ttf specific, or what exact paramater to give. Where fonts have 2-3 component files, you have to find the correct one to give to commands. Some commands require a 'points' parameter, suggested 72.

BEFORE update:

1. $ ftbench default/ghostscript/bchb.pfa
ftbench results for font `default/ghostscript/bchb.pfa'
family: Bitstream Charter
 style: Bold
number of seconds for each test: 2.000000
executing tests:
  Load                      39.436 us/op
  Get_BBox                  3.984 us/op

2. $ ftdump default/Type1/z003034l.pfb
There is 1 face in this file.
----- Face number: 0 -----
font name entries
   family:     URW Chancery L
   style:      Medium Italic
   postscript: URWChanceryL-MediItal
font type entries
   FreeType driver: type1
   glyph count:     503
   0: platform 3, encoding  1   language 0 (active)
   1: platform 7, encoding  0   language 0

3. $ ftgrid 72 gnu-free/FreeMono.ttf
 ptsize =72
 Execution completed successfully.
This opens a window with a detailed graphic view of each glyph, advance with arrow keys.

4. $ ftvalid ttf/western/Adventure.ttf
FT_OpenType_Validate is disabled!  Recompile FreeType 2 with otvalid module enabled.
  error = 0x0007

5. $ ftstring 72 Type1/c0419bt_.pfb
 Execution completed successfully.
This displays the "quick brown fox..." string in a window, which you can rotate and resize with the arrow keys. 

6. $ ftview 72 ttf/western/Adventure.ttf
 Execution completed successfully.
 Fails = 0
Displays a complete character set in a window; use arrow keys to advance and change the font size.

AFTER the update:

Confused by the presence also of 'lib64freetype2-1.3.1-45.mga5.tainted', but strace of a test showed:
open("/usr/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 3
[and 'not found' for other paths: /usr/lib64/tls/x86_64/, /usr/lib64/tls/,
Unsure of the validity of just the 'tainted' version employed. Assuming this OK.

Ran the 6 tests noted above, with identical results to previously.
Additionally viewed several PDF documents with different viewers; and a sizeable ODT document with LibreOffice Writer, changing fonts & font size. All looks OK.

Whiteboard: (none) => MGA5-64-OK

Lewis Smith 2017-03-15 10:13:18 CET

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 5 Dave Hodgins 2017-03-25 01:10:57 CET
On i586, just testing that the update installs cleanly, and
ftview 18 /usr/share/fonts/Type1/l049036t.pfa

Validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2017-03-25 17:57:35 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.