Bug 22563 - freetype2 new security issue CVE-2017-7864
Summary: freetype2 new security issue CVE-2017-7864
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:

Reported: 2018-02-10 21:49 CET by David Walser
Modified: 2018-02-15 22:18 CET
6 users

See Also:
Source RPM: freetype2-2.7.1-2.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2018-02-10 21:49:03 CET
SUSE has issued an advisory on February 9:
https://lists.opensuse.org/opensuse-security-announce/2018-02/msg00014.html

The SUSE bug with the link to the upstream commit that fixed it is here:
https://bugzilla.suse.com/show_bug.cgi?id=1034178
David Walser 2018-02-10 22:06:30 CET

Status comment: (none) => Upstream patch is available

Comment 1 Marja Van Waes 2018-02-11 17:32:30 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2018-02-11 18:32:33 CET
See the new freetype2 at http://pkgsubmit.mageia.org/.
Comment 3 David Walser 2018-02-11 18:38:39 CET
Thanks Shlomi!

Please push to tainted as well once the build system allows you to.

Saving advisory for when we get that pushed.

Advisory:
========================

Updated freetype2 packages fix security vulnerability:

FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based
buffer overflow related to the tt_size_reset function in truetype/ttobjs.c
(CVE-2017-7864).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7864
https://bugzilla.suse.com/show_bug.cgi?id=1034178
========================

Updated packages in {core,tainted}/updates_testing:
========================
libfreetype6-2.7.1-2.1.mga6
libfreetype6-devel-2.7.1-2.1.mga6
libfreetype6-static-devel-2.7.1-2.1.mga6
freetype2-demos-2.7.1-2.1.mga6

from freetype2-2.7.1-2.1.mga6.src.rpm
Comment 4 Thomas Backlund 2018-02-11 18:43:22 CET
@Shlomi, you seem to keep forgetting the "Cauldron first" when it comes to bug/security fixes...

We need stuff fixed there first to ensure we keep upgrade path and not regress on bug/security fixes...

2 days ago I had to sync the zlib fix to cauldron as you had forgotten that too..

CC: (none) => tmb

Comment 5 David Walser 2018-02-11 18:46:00 CET
Thomas, this bug doesn't apply to Cauldron.  The upstream fix was already included in the 2.8.1 we have there.  But yes in general, when things do apply there they should always be pushed there first.
Comment 6 Thomas Backlund 2018-02-11 18:48:15 CET
Ah, my bad .. I just looked at pkgsubmit for a cauldron build of freetype2 :)
Comment 7 David Walser 2018-02-11 20:43:24 CET
Core and tainted builds are now both available.  Assigning to QA.

Advisory and packages in Comment 3.

Assignee: shlomif => qa-bugs
CC: (none) => shlomif

David Walser 2018-02-11 20:46:26 CET

Status comment: Upstream patch is available => (none)

Comment 8 PC LX 2018-02-13 11:14:44 CET
Installed and tested without issues.

Tested using firefox, okular, calibre, gimp, inkscape and chromium browser.

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.18-desktop-1.mga6 #1 SMP Wed Feb 7 23:14:33 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep freetype | sort
lib64freetype6-2.7.1-2.1.mga6
lib64freetype6-devel-2.7.1-2.1.mga6
lib64freetype-gir2.0-1.52.1-1.mga6
libfreetype6-2.7.1-2.1.mga6

CC: (none) => mageia

Comment 9 Len Lawrence 2018-02-13 20:19:02 CET
Just a follow-up from comment 8 tests.
Mageia 6 :: x86_64
Updated from Core Updates Testing:
- freetype2-demos-2.7.1-2.1.mga6.x86_64
- lib64freetype-gir2.0-1.54.1-1.mga6.x86_64
- lib64freetype6-2.7.1-2.1.mga6.x86_64
- lib64freetype6-devel-2.7.1-2.1.mga6.x86_64
- lib64freetype6-static-devel-2.7.1-2.1.mga6.x86_64

Ran strace on drakfont while installing a TTF font, Apple_Garamond.
# cat trace0 | grep freetype
open("/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 8
open("/usr/lib64/libfreetype.so.6.13.0", O_RDONLY) = 8

[root@belexeuli lib64]# ls *freetype*
libfreetype.a  libfreetype.so@  libfreetype.so.6@  libfreetype.so.6.13.0*

Opened a document in LibreOffice and successfully changed the font of a paragraph to Apple Garamond.

Enabled Tainted Updates Testing and installed:
- freetype2-demos-2.7.1-2.1.mga6.tainted.x86_64
- lib64freetype6-2.7.1-2.1.mga6.tainted.x86_64
- lib64freetype6-devel-2.7.1-2.1.mga6.tainted.x86_64
- lib64freetype6-static-devel-2.7.1-2.1.mga6.tainted.x86_64

Ran a trace on drakfont while installing StandingRoomOnly.ttf.
# cat trace1 | grep freetype
open("/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 8
open("/usr/lib64/libfreetype.so.6.13.0", O_RDONLY) = 8
# rpm -qa | grep freetype
lib64freetype-gir2.0-1.54.1-1.mga6
lib64freetype6-static-devel-2.7.1-2.1.mga6.tainted
freetype2-demos-2.7.1-2.1.mga6.tainted
lib64freetype6-2.7.1-2.1.mga6.tainted
lib64freetype6-devel-2.7.1-2.1.mga6.tainted

Opened the previous document in LibreOffice and changed the font of another paragraph to StandingRoomOnly.

This, with the tests of comment 8, justifies a 64-bit OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 10 PC LX 2018-02-13 21:26:04 CET
I have installed the freetype packages from the core updates testing repository.
Is there any difference between the tainted and non-tainted versions?
Comment 11 Len Lawrence 2018-02-14 10:52:31 CET
@PC LX
I would imagine so - probably something to do with accommodating nonfree fonts.
We need an expert.
Comment 12 Len Lawrence 2018-02-14 11:21:05 CET
freetype2 from tainted repository.
Ran another test to see if freetype2 is involved with Type1 font rendering as opposed to TTF, using a local utility to generate labels.

$ strace /home/lcl/bin/paddb 2> trace2
This created a file ~/tmp/abc-0.ps

$ gs abc-0.ps
GPL Ghostscript 9.22 (2017-10-04)
Copyright (C) 2017 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading SaddlebagRegularSWFTE font from /usr/share/fonts/default/ghostscript/Saddlebag.pfb... 4447172 2907352 4076224 2765155 3 done.
>>showpage, press <return> to continue<<

$ cat trace2 | grep freetype
open("/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 7

This indicates that freetype2 deals with Type1 fonts OK.
Note that the pfb and afm files were generated from an original ttf using ttf2pt1.
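
The QA checks in comments 8, 9 and 12 do two things by hand: read `rpm -qa` to confirm the freetype packages are at the fixed release, and grep an strace log to confirm that an application really opens the system libfreetype. The script below is an added example, not part of the bug report or of the freetype project, that automates the package-version half of that check and adds one caveat the manual test does not cover: a process started before the upgrade (firefox, chromium, a long-running Plasma session) keeps the old, now-deleted copy of `libfreetype.so.6.13.0` mapped until it is restarted, which `/proc/<pid>/maps` shows as a `(deleted)` mapping. The fixed version and release (`2.7.1-2.1.mga6`) and the package names come from Comment 3; the version comparison is a simplified reimplementation of rpm's label compare (no tilde or caret handling), and all sample `rpm -qa` and `/proc/<pid>/maps` text is constructed so the script runs offline.

```python
"""Verify the freetype2 update for CVE-2017-7864 on a Mageia 6 host.

Added example; not the bug report's or freetype's own code. Inputs are plain
text so the functions can be fed `rpm -qa` / `/proc/<pid>/maps` output or the
constructed samples at the bottom.
"""
import glob
import re

# Fixed version/release from the advisory in Comment 3.
FIXED_VERSION = "2.7.1"
FIXED_RELEASE = "2.1.mga6"

# Binary packages built from freetype2-2.7.1-2.1.mga6.src.rpm (32- and 64-bit names).
# lib64freetype-gir2.0 comes from a different source RPM and is deliberately ignored.
FREETYPE_PACKAGES = {
    "libfreetype6", "lib64freetype6",
    "libfreetype6-devel", "lib64freetype6-devel",
    "libfreetype6-static-devel", "lib64freetype6-static-devel",
    "freetype2-demos",
}

# name-version-release: the last two hyphens separate version and release.
NVR_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")


def split_segments(label):
    """'2.1.mga6' -> ['2', '1', 'mga', '6']: digit runs and letter runs are segments."""
    return re.findall(r"\d+|[A-Za-z]+", label)


def rpm_label_cmp(a, b):
    """Simplified rpmvercmp: numeric segments compare numerically, alpha segments as
    strings, a numeric segment beats an alpha one, and on a tie the label with
    segments left over wins (so '2.1.mga6.tainted' >= '2.1.mga6'). Returns -1/0/1."""
    sa, sb = split_segments(a), split_segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvr(line):
    """Split one `rpm -qa` line into (name, version, release), or None."""
    m = NVR_RE.match(line.strip())
    return (m.group("name"), m.group("version"), m.group("release")) if m else None


def check_packages(rpm_qa_output):
    """Map each installed freetype package to 'ok' or 'vulnerable: <ver>-<rel>'."""
    result = {}
    for line in rpm_qa_output.splitlines():
        parsed = parse_nvr(line)
        if not parsed or parsed[0] not in FREETYPE_PACKAGES:
            continue
        name, ver, rel = parsed
        c = rpm_label_cmp(ver, FIXED_VERSION)
        if c == 0:
            c = rpm_label_cmp(rel, FIXED_RELEASE)
        result[name] = "ok" if c >= 0 else "vulnerable: %s-%s" % (ver, rel)
    return result


def stale_freetype_mappings(maps_by_pid):
    """Given {pid: contents of /proc/<pid>/maps}, return the pids that still map a
    deleted libfreetype, i.e. processes that must be restarted to pick up the fix."""
    stale = []
    for pid, text in maps_by_pid.items():
        for line in text.splitlines():
            if "libfreetype.so" in line and line.rstrip().endswith("(deleted)"):
                stale.append(pid)
                break
    return sorted(stale)


def live_maps():
    """Read /proc/<pid>/maps for every readable process on the running host."""
    maps = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(path) as f:
                maps[int(path.split("/")[2])] = f.read()
        except OSError:  # process exited or not ours; needs root for all of them
            pass
    return maps


# Constructed sample input: the core updates_testing set from Comment 8, a host
# still on the pre-fix release, and two fake /proc/<pid>/maps excerpts.
SAMPLE_RPM_QA = """\
lib64freetype6-2.7.1-2.1.mga6
lib64freetype6-devel-2.7.1-2.1.mga6
lib64freetype-gir2.0-1.52.1-1.mga6
libfreetype6-2.7.1-2.1.mga6
"""
SAMPLE_RPM_QA_OLD = "lib64freetype6-2.7.1-2.mga6\n"
SAMPLE_MAPS = {
    1234: "7f10c0000000-7f10c00a0000 r-xp 00000000 08:02 1310720 /usr/lib64/libfreetype.so.6.13.0 (deleted)\n",
    5678: "7f20c0000000-7f20c00a0000 r-xp 00000000 08:02 1310799 /usr/lib64/libfreetype.so.6.13.0\n",
}

if __name__ == "__main__":
    print(check_packages(SAMPLE_RPM_QA))       # all three packages 'ok'
    print(check_packages(SAMPLE_RPM_QA_OLD))   # lib64freetype6 still vulnerable
    print(stale_freetype_mappings(SAMPLE_MAPS))  # [1234] needs a restart
```

On a real host, replace the samples with `subprocess.check_output(["rpm", "-qa"])` and `live_maps()`; the `(deleted)` check is the part worth keeping after any shared-library update, because a clean `rpm -qa` says nothing about processes that were already running when the package was upgraded.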
Comment 13 claire robinson 2018-02-15 20:33:36 CET
Advisory uploaded

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2018-02-15 22:18:39 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0128.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED