Bug 2475 - Updated freetype2 package to fix CVE-2011-0226
Summary: Updated freetype2 package to fix CVE-2011-0226
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard:
Keywords: Security, validated_update
Depends on: 3081
Blocks:
Reported: 2011-08-20 19:29 CEST by Funda Wang
Modified: 2011-10-19 20:58 CEST
CC list: 7 users

See Also:
Source RPM: freetype2-2.4.6-0.1.mga1.src.rpm
CVE:
Status comment:


Description Funda Wang 2011-08-20 19:29:44 CEST
Advisory text:

A vulnerability was discovered and corrected in freetype2:

 Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6,
 allows remote attackers to execute arbitrary code or cause a denial
 of service (memory corruption and application crash) via a crafted
 Type 1 font in a PDF document, as exploited in the wild in July 2011
 (CVE-2011-0226).

The updated packages have been updated to the latest stable version to correct this issue.

==========================
@qa-bugs, please note that the freetype2 package exists in both core and tainted.
Comment 1 Dave Hodgins 2011-08-21 04:19:07 CEST
Am I correct it's the libfreetype6 rpm package that should be the target
of testing?

I've confirmed I can view pdf files using xpdf, which uses libfreetype.so.6
with both the Core Updates Testing, and Tainted Updates Testing versions
on my i586 system.

CC: (none) => davidwhodgins

Comment 2 Funda Wang 2011-08-21 09:35:31 CEST
(In reply to comment #1)
> Am I correct it's the libfreetype6 rpm package that should be the target
> of testing?
Yes.
Comment 3 D Morgan 2011-08-24 01:06:40 CEST
As discussed on IRC with misc and Motoko, we will revert to the previous freetype and only fix the CVE by patching; see http://pkgs.fedoraproject.org/gitweb/?p=freetype.git;a=blob;f=freetype-2.4.5-CVE-2011-0226.patch;h=f0afa216d1b839d9d8fcad405f978b161d3e4d0a;hb=36cb801677cebff0a144ced7a9314e0ea7c484f5


I will do this tomorrow.

CC: (none) => dmorganec

Comment 4 Samuel Verschelde 2011-09-01 12:17:59 CEST
The update has been pushed by dmorgan. Please test 2.4.4-5.1.mga1 and 2.4.4-5.1.mga1.tainted

CC: (none) => stormi

Comment 5 Dave Hodgins 2011-09-01 20:36:24 CEST
I had to manually uninstall libfreetype6-2.4.6.

I then installed libfreetype6 from Core Updates Testing.
Confirmed xpdf worked.
Used mgaapplet to install the tainted version.
Confirmed xpdf still worked.

Testing of the srpms
freetype2-2.4.4-5.1.mga1.src.rpm
freetype2-2.4.4-5.1.mga1.tainted.src.rpm
complete on i586.
Comment 6 Florian Hubold 2011-09-03 20:18:22 CEST
(In reply to comment #1)
> I've confirmed I can view pdf files using xpdf, which uses libfreetype.so.6
> with both the Core Updates Testing, and Tainted Updates Testing versions
> on my i586 system.

Can you give a link to a PDF with a crafted Type 1 font, as mentioned in the CVE? I'd like to test this on x86_64, and I've found only "exploited via JailBreakMe" so far.
Would the opening of the PDF with xpdf (linked here:
http://lists.nongnu.org/archive/html/freetype-devel/2011-07/msg00014.html )
be enough to ensure the CVE is definitely fixed?

CC: (none) => doktor5000

Comment 7 Dave Hodgins 2011-09-06 04:05:09 CEST
No. I tried that with xpdf before installing the update, and it didn't
fail, so we don't seem to have a working poc.

Without a working poc, all we can test, is that the program appears
to be working ok.
Comment 8 Samuel Verschelde 2011-09-10 02:13:29 CEST
This update still needs testing on x86_64.

Please make sure the tested packages are :
libfreetype6-2.4.4-5.1.mga1
libfreetype6-2.4.4-5.1.mga1.tainted

Without a working exploit available outside iOS, we can only test that it works correctly. IINM freetype is used everywhere when a font is printed so it should be easy to check that it works. Also maybe open a PDF with xpdf like Dave Hodgins did. You will probably need to reboot after switching from the core package to the tainted one.
Comment 9 Samuel Verschelde 2011-09-10 02:40:32 CEST
There's a problem with this update: freetype2-2.4.4-5.1.mga1.tainted.src.rpm is in both Tainted Updates Testing and Tainted Updates, and the 2 packages are different!

I think that dmorgan forgot to increase the subrel when reverting to the 2.4.4 version, am I right ?

CC: (none) => qa-bugs
Assignee: qa-bugs => dmorganec

Samuel Verschelde 2011-09-12 14:33:20 CEST

Keywords: (none) => Security

Comment 10 D Morgan 2011-09-12 14:44:51 CEST
I will look at this then.

thank you.
Comment 11 Dave Hodgins 2011-10-05 10:13:56 CEST
Ping.
Comment 12 claire robinson 2011-10-15 11:41:48 CEST
What is the status of this update please?
Comment 13 D Morgan 2011-10-17 08:46:12 CEST
Should be available for tests now.

Assignee: dmorganec => qa-bugs

Manuel Hiebel 2011-10-17 12:36:17 CEST

Depends on: (none) => 3081

Comment 14 claire robinson 2011-10-17 13:20:47 CEST
Tested OK i586
Comment 15 claire robinson 2011-10-18 14:18:22 CEST
x86_64:

Should there be a 64 bit build of libfreetype6?

I notice the i586 version is installed and nothing in x86_64 Updates Testing.


i586 version tested OK on x86_64 if that is correct?
Comment 16 claire robinson 2011-10-19 14:00:06 CEST
So, there is a 64bit build of libfreetype6 but for some reason the i586 version is installed on an x86_64 system and not the x86_64 version. A tainted x86_64 version was installed however beside the i586 core version.

Oct 18 13:00:11 mega perl: [RPM] libfreetype6-2.4.4-5.2.mga1.i586 installed
Oct 18 13:00:11 mega perl: [RPM] libfreetype6-2.4.4-4.mga1.i586 removed

Today..

Oct 19 12:21:59 mega urpmi: called with: --media Core Updates Testing (distrib5) lib64freetype6
Oct 19 12:22:00 mega perl: [RPM] lib64freetype6-2.4.4-5.2.mga1.x86_64 installed
Oct 19 12:22:01 mega perl: [RPM] lib64freetype6-2.4.4-5.1.mga1.tainted.x86_64 removed

Oct 19 12:30:47 mega rpmdrake[30650]: [RPM] lib64freetype6-devel-2.4.4-5.2.mga1.x86_64 installed
Oct 19 12:30:48 mega rpmdrake[30650]: [RPM] lib64freetype6-devel-2.4.4-5.1.mga1.tainted.x86_64 removed

This is a little odd!



Testing with xpdf.

Confirmed it was using the 64 bit libfreetype6 using strace and tested OK

Installed x86_64 tainted version and checked again.

All appears OK.


Validating the update

Advisory
--------------------
A vulnerability was discovered and corrected in freetype2:

 Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6,
 allows remote attackers to execute arbitrary code or cause a denial
 of service (memory corruption and application crash) via a crafted
 Type 1 font in a PDF document, as exploited in the wild in July 2011
 (CVE-2011-0226).

The updated packages have been patched to correct this issue.
---------------------

SRPMs: 
freetype2-2.4.4-5.2.mga1.src.rpm
freetype2-2.4.4-5.2.mga1.tainted.src.rpm 

Could sysadmin please push to updates, thank you.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
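
A check for the point raised in this comment (which libfreetype.so.6 the viewer has actually mapped, rather than what the rpm database says), as an added example that is not part of the bug report or of Mageia's QA tooling. Instead of reading strace output by hand it inspects /proc/<pid>/maps of the running process. The /usr/lib (i586) versus /usr/lib64 (x86_64) split is assumed from the log lines above, the library file name libfreetype.so.6.6.2 is a placeholder, and the sample maps lines are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: confirm which libfreetype.so.6 a
# running viewer has actually mapped, rather than trusting the rpm database.
# Assumptions: Linux /proc; Mageia's /usr/lib (i586) and /usr/lib64 (x86_64)
# split as seen in the log lines in this bug; sample maps lines are constructed.

# Read /proc/<pid>/maps-style text on stdin and print "<arch> <path>" for
# each distinct libfreetype.so.6 object found (field 6 is the pathname).
freetype_maps() {
    awk '$6 ~ /libfreetype\.so\.6/ { print $6 }' | sort -u |
    while read -r path; do
        case "$path" in
            /usr/lib64/*|/lib64/*) echo "x86_64 $path" ;;
            /usr/lib/*|/lib/*)     echo "i586 $path" ;;
            *)                     echo "unknown $path" ;;
        esac
    done
}

# Succeed (0) only if exactly one freetype object is mapped and its arch
# matches $1; fail (1) on none, more than one, or the wrong arch.
freetype_ok() {
    want="$1"
    found=$(freetype_maps)
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    [ "${found%% *}" = "$want" ]
}

# Live form against a running process: check_pid "$(pidof xpdf)" x86_64
check_pid() {
    freetype_ok "$2" < "/proc/$1/maps"
}

# Constructed samples: an x86_64 process that mapped the i586 library (the
# mix-up described in this comment) and one that mapped the x86_64 build.
SAMPLE_BAD='7f0a1c000000-7f0a1c0a3000 r-xp 00000000 08:01 131072 /usr/lib/libfreetype.so.6.6.2
7f0a1c2a3000-7f0a1c2b0000 r-xp 00000000 08:01 131100 /usr/lib64/libc-2.12.so'
SAMPLE_GOOD='7f0a1c000000-7f0a1c0a3000 r-xp 00000000 08:01 131072 /usr/lib64/libfreetype.so.6.6.2
7f0a1c2a3000-7f0a1c2b0000 r-xp 00000000 08:01 131100 /usr/lib64/libc-2.12.so'

# Show what the bad sample reports when the script is run stand-alone.
printf '%s\n' "$SAMPLE_BAD" | freetype_maps
```

On the test machine, open a PDF in xpdf and run `check_pid "$(pidof xpdf)" x86_64`; on the mixed-up system from this comment it fails because the only mapped object comes from /usr/lib. Checking the mapped path rather than the package list is what distinguishes "the x86_64 package is installed" from "the viewer is using it".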

Comment 17 Thomas Backlund 2011-10-19 20:58:46 CEST
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

