Bug 20465 - freetype2 new security issue CVE-2016-10244
Summary: freetype2 new security issue CVE-2016-10244
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Reported: 2017-03-13 11:21 CET by David Walser
Modified: 2017-03-25 17:57 CET

See Also:
Source RPM: freetype2-2.5.4-2.mga5.src.rpm
Status comment:


Description David Walser 2017-03-13 11:21:00 CET
Fedora has issued an advisory on March 12:

The upstream commit that fixed the issue is linked from the RedHat bug:

The fix was likely included in the 2.7.0 or 2.7.1 release.
Comment 1 Rémi Verschelde 2017-03-13 11:23:21 CET
Assigning to package maintainer. I may have a look at it myself in the evening if Shlomi doesn't beat me to it.
Comment 2 Rémi Verschelde 2017-03-13 22:20:39 CET
Submitted freetype2-2.5.4-2.1.mga5 to {core,tainted}/updates_testing with the upstream patch.


Updated freetype2 packages fix security vulnerability

  The parse_charstrings function in type1/t1load.c in FreeType 2 did not ensure
  that a font contains a glyph name, which could allow remote attackers to cause
  a denial of service (heap-based buffer over-read) or possibly have unspecified
  other impact via a crafted file (CVE-2016-10244).

 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36
 - http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/type1/t1load.c?h=VER-2-7&id=a660e3de422731b94d4a134d27555430cbb6fb39

RPMs in {core,tainted}/updates_testing:




Comment 3 Lewis Smith 2017-03-14 21:42:52 CET
Prior to testing
Testing ideas: https://bugs.mageia.org/show_bug.cgi?id=16739

freetype2-demos: "The demos package includes a set of useful small utilities showing various capabilities of the FreeType library:"
 /usr/bin/ftbench      run FreeType benchmarks
 /usr/bin/ftdiff       compare font hinting modes
 /usr/bin/ftdump       simple font dumper
 /usr/bin/ftgamma      ?
 /usr/bin/ftgrid       simple glyph grid viewer
 /usr/bin/ftlint       simple font tester
 /usr/bin/ftmulti      multiple masters font viewer
 /usr/bin/ftstring     string viewer
 /usr/bin/ftvalid      layout table validator
 /usr/bin/ftview       simple glyph viewer

Fonts are in /usr/share/fonts/...
A few likely subdirectories from many more:-
├── default
│   ├── ghostscript
│   ├── Type1
├── gnu-free       [ttf]
├── ttf
│   ├── western
├── Type1

x64: Too late for me to test this now, will return tomorrow morning.
Comment 4 Lewis Smith 2017-03-15 10:02:58 CET
Testing M5_84

I could not get some commands to work (notably ftlint), not sure whether they are Type1/ttf specific, or what exact parameter to give. Where fonts have 2-3 component files, you have to find the correct one to give to commands. Some commands require a 'points' parameter, suggested 72.

BEFORE update:

1. $ ftbench default/ghostscript/bchb.pfa
ftbench results for font `default/ghostscript/bchb.pfa'
family: Bitstream Charter
 style: Bold
number of seconds for each test: 2.000000
executing tests:
  Load                      39.436 us/op
  Get_BBox                  3.984 us/op

2. $ ftdump default/Type1/z003034l.pfb
There is 1 face in this file.
----- Face number: 0 -----
font name entries
   family:     URW Chancery L
   style:      Medium Italic
   postscript: URWChanceryL-MediItal
font type entries
   FreeType driver: type1
   glyph count:     503
   0: platform 3, encoding  1   language 0 (active)
   1: platform 7, encoding  0   language 0

3. $ ftgrid 72 gnu-free/FreeMono.ttf
 ptsize =72
 Execution completed successfully.
This opens a window with a detailed graphic view of each glyph, advance with arrow keys.

4. $ ftvalid ttf/western/Adventure.ttf
FT_OpenType_Validate is disabled!  Recompile FreeType 2 with otvalid module enabled.
  error = 0x0007

5. $ ftstring 72 Type1/c0419bt_.pfb
 Execution completed successfully.
This displays the "quick brown fox..." string in a window, which you can rotate and resize with the arrow keys. 

6. $ ftview 72 ttf/western/Adventure.ttf
 Execution completed successfully.
 Fails = 0
Displays a complete character set in a window; use arrow keys to advance and change the font size.

AFTER the update:

Confused by the presence also of 'lib64freetype2-1.3.1-45.mga5.tainted', but strace of a test showed:
open("/usr/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 3
[and 'not found' for other paths: /usr/lib64/tls/x86_64/, /usr/lib64/tls/,
Unsure of the validity of just the 'tainted' version employed. Assuming this OK.

Ran the 6 tests noted above, with identical results to previously.
Additionally viewed several PDF documents with different viewers; and a sizeable ODT document with LibreOffice Writer, changing fonts & font size. All looks OK.
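
The before/after comparison described in Comment 4, scripted over a whole font tree. This is an added example, not part of the original bug report; the function names, the `FT_TOOL` variable, the tab-separated snapshot layout and the 20-second limit are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug report). FT_TOOL and the TSV snapshot layout
# are assumptions; ftdump is used because its output carries no timings.
FT_TOOL=${FT_TOOL:-ftdump}

# snapshot_fonts DIR OUT: run $FT_TOOL on every font under DIR and write
# "<exit status>\t<sha256 of output>\t<path>" per font to OUT.
snapshot_fonts() (
    find "$1" -type f \( -name '*.pfa' -o -name '*.pfb' -o -name '*.ttf' \) |
    LC_ALL=C sort |
    while IFS= read -r font; do
        # 20 s cap: a hang on a malformed font is a denial of service too.
        output=$(timeout 20 "$FT_TOOL" "$font" 2>&1) && status=0 || status=$?
        digest=$(printf '%s' "$output" | sha256sum | cut -d' ' -f1)
        printf '%s\t%s\t%s\n' "$status" "$digest" "$font"
    done > "$2"
)

# compare_snapshots BEFORE AFTER: list fonts whose status or output changed,
# and any font in AFTER where the tool ended abnormally. Returns 1 if any.
compare_snapshots() (
    awk -F'\t' '
        FILENAME == ARGV[1] { seen[$3] = $1 FS $2; next }
        # 124 = timeout, 126/127 = tool not runnable, 128+N = killed by signal N
        $1 >= 124 { printf "ABNORMAL status=%s %s\n", $1, $3; bad = 1 }
        ($3 in seen) && seen[$3] != ($1 FS $2) { printf "CHANGED %s\n", $3; bad = 1 }
        END { exit bad + 0 }
    ' "$1" "$2"
)

# loaded_freetype BIN: path of the libfreetype that BIN resolves to, to
# confirm the updated package (rpm -qf PATH) is the one actually in use.
loaded_freetype() {
    ldd "$1" | awk '/libfreetype/ { print $3 }'
}
```

Run `snapshot_fonts /usr/share/fonts before.tsv`, install the update, take a second snapshot, then `compare_snapshots before.tsv after.tsv`; an empty report with exit status 0 corresponds to the "identical results" outcome noted above.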
Comment 5 Dave Hodgins 2017-03-25 01:10:57 CET
On i586, just testing that the update installs cleanly, and
ftview 18 /usr/share/fonts/Type1/l049036t.pfa

Validating the update.
Comment 6 Mageia Robot 2017-03-25 17:57:35 CET
An update for this issue has been pushed to the Mageia Updates repository.
