Bug 20465 - freetype2 new security issue CVE-2016-10244
: freetype2 new security issue CVE-2016-10244
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 5
: All Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
:
: MGA5-64-OK advisory MGA5-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2017-03-13 11:21 CET by David Walser
Modified: 2017-03-25 17:57 CET (History)
3 users (show)

See Also:
Source RPM: freetype2-2.5.4-2.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-03-13 11:21:00 CET
Fedora has issued an advisory on March 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QNCBS6GMBNC7CEMRVOAYD7YHSVV6OHSU/

The upstream commit that fixed the issue is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1429965

The fix was likely included in the 2.7.0 or 2.7.1 release.
Comment 1 Rémi Verschelde 2017-03-13 11:23:21 CET
Assigning to package maintainer. I may have a look at it myself in the evening if Shlomi doesn't beat me to it.
Comment 2 Rémi Verschelde 2017-03-13 22:20:39 CET
Submitted freetype2-2.5.4-2.1.mga5 to {core,tainted}/updates_testing with the upstream patch.

Advisory:
=========

Updated freetype2 packages fix security vulnerability

  The parse_charstrings function in type1/t1load.c in FreeType 2 did not ensure
  that a font contains a glyph name, which could allow remote attackers to cause
  a denial of service (heap-based buffer over-read) or possibly have unspecified
  other impact via a crafted file (CVE-2016-10244).

References:
 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36
 - http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/type1/t1load.c?h=VER-2-7&id=a660e3de422731b94d4a134d27555430cbb6fb39


RPMs in {core,tainted}/updates_testing:
=======================================

lib{,64}freetype6-2.5.4-2.1.mga5{,.tainted}
lib{,64}freetype6-devel-2.5.4-2.1.mga5{,.tainted}
lib{,64}freetype6-static-devel-2.5.4-2.1.mga5{,.tainted}
freetype2-demos-2.5.4-2.1.mga5{,.tainted}


SRPMs:
======

core/updates_testing:
   freetype2-2.5.4-2.1.mga5

tainted/updates_testing:
   freetype2-2.5.4-2.1.mga5.tainted
Comment 3 Lewis Smith 2017-03-14 21:42:52 CET
Prior to testing
----------------
Testing ideas: https://bugs.mageia.org/show_bug.cgi?id=16739

freetype2-demos: "The demos package includes a set of useful small utilities showing various capabilities of the FreeType library:"
 /usr/bin/ftbench      run FreeType benchmarks
‎ /usr/bin/ftdiff       compare font hinting modes
 ‎/usr/bin/ftdump       simple font dumper
‎ /usr/bin/ftgamma      ?
‎ /usr/bin/ftgrid       simple glyph grid viewer
‎ /usr/bin/ftlint       simple font tester
‎ /usr/bin/ftmulti      multiple masters font viewer
‎ /usr/bin/ftstring     string viewer
‎ /usr/bin/ftvalid      layout table validator
‎ /usr/bin/ftview       simple glyph viewer

Fonts are in /usr/share/fonts/...
A few likely subdirectories from many more:-
├── default
│   ├── ghostscript
│   └── Type1
├── gnu-free       [ttf]
├── ttf
│   └── western
└── Type1

x64: Too late for me to test this now, will return tomorrow morning.
Comment 4 Lewis Smith 2017-03-15 10:02:58 CET
Testing M5_84

I could not get some commands to work (notably ftlint), not sure whether they are Type1/ttf specific, or what exact paramater to give. Where fonts have 2-3 component files, you have to find the correct one to give to commands. Some commands require a 'points' parameter, suggested 72.

BEFORE update:

1. $ ftbench default/ghostscript/bchb.pfa
ftbench results for font `default/ghostscript/bchb.pfa'
-------------------------------------------------------
family: Bitstream Charter
 style: Bold
number of seconds for each test: 2.000000
...
executing tests:
  Load                      39.436 us/op
...
  Get_BBox                  3.984 us/op

2. $ ftdump default/Type1/z003034l.pfb
There is 1 face in this file.
----- Face number: 0 -----
font name entries
   family:     URW Chancery L
   style:      Medium Italic
   postscript: URWChanceryL-MediItal
font type entries
   FreeType driver: type1
...
   glyph count:     503
charmaps
   0: platform 3, encoding  1   language 0 (active)
   1: platform 7, encoding  0   language 0

3. $ ftgrid 72 gnu-free/FreeMono.ttf
 ptsize =72
 Execution completed successfully.
This opens a window with a detailed graphic view of each glyph, advance with arrow keys.

4. $ ftvalid ttf/western/Adventure.ttf
FT_OpenType_Validate is disabled!  Recompile FreeType 2 with otvalid module enabled.
  error = 0x0007

5. $ ftstring 72 Type1/c0419bt_.pfb
 Execution completed successfully.
This displays the "quick brown fox..." string in a window, which you can rotate and resize with the arrow keys. 

6. $ ftview 72 ttf/western/Adventure.ttf
 Execution completed successfully.
 Fails = 0
Displays a complete character set in a window; use arrow keys to advance and change the font size.

AFTER the update:
freetype2-demos-2.5.4-2.1.mga5.tainted
lib64freetype6-2.5.4-2.1.mga5.tainted
lib64freetype6-devel-2.5.4-2.1.mga5.tainted

Confused by the presence also of 'lib64freetype2-1.3.1-45.mga5.tainted', but strace of a test showed:
open("/usr/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 3
[and 'not found' for other paths: /usr/lib64/tls/x86_64/, /usr/lib64/tls/,
/usr/lib64/x86_64].
Unsure of the validity of just the 'tainted' version employed. Assuming this OK.

Ran the 6 tests noted above, with identical results to previously.
Additionally viewed several PDF documents with different viewers; and a sizeable ODT document with LibreOffice Writer, changing fonts & font size. All looks OK.
Comment 5 Dave Hodgins 2017-03-25 01:10:57 CET
On i586, just testing that the update installs cleanly, and
ftview 18 /usr/share/fonts/Type1/l049036t.pfa
works.

Validating the update.
Comment 6 Mageia Robot 2017-03-25 17:57:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0085.html

Note You need to log in before you can comment on or make changes to this bug.