Advisory text:

A vulnerability was discovered and corrected in freetype2:

Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011 (CVE-2011-0226).

The updated packages have been updated to latest stable version to correct this issue.

==========================

@qa-bugs, please note that freetype2 package exists in both core and tainted.
Am I correct it's the libfreetype6 rpm package that should be the target of testing? I've confirmed I can view pdf files using xpdf, which uses libfreetype.so.6 with both the Core Updates Testing, and Tainted Updates Testing versions on my i586 system.
CC: (none) => davidwhodgins
(In reply to comment #1)
> Am I correct it's the libfreetype6 rpm package that should be the target
> of testing?

Yes.
As discussed on IRC with misc and Motoko, we will revert to the previous freetype and only fix the CVE by patching. See http://pkgs.fedoraproject.org/gitweb/?p=freetype.git;a=blob;f=freetype-2.4.5-CVE-2011-0226.patch;h=f0afa216d1b839d9d8fcad405f978b161d3e4d0a;hb=36cb801677cebff0a144ced7a9314e0ea7c484f5

I will do this tomorrow.
CC: (none) => dmorganec
The update has been pushed by dmorgan. Please test 2.4.4-5.1.mga1 and 2.4.4-5.1.mga1.tainted
CC: (none) => stormi
I had to manually uninstall libfreetype6-2.4.6. I then installed libfreetype6 from Core Updates Testing. Confirmed xpdf worked. Used mgaapplet to install the tainted version. Confirmed xpdf still worked.

Testing of the srpms
freetype2-2.4.4-5.1.mga1.src.rpm
freetype2-2.4.4-5.1.mga1.tainted.src.rpm
complete on i586.
(In reply to comment #1)
> I've confirmed I can view pdf files using xpdf, which uses libfreetype.so.6
> with both the Core Updates Testing, and Tainted Updates Testing versions
> on my i586 system.

Can you give a link to a PDF with a crafted Type 1 font, as mentioned in the CVE? I'd like to test this on x86_64, and I've found only "exploited via JailBreakMe" so far.

Would the opening of the PDF with xpdf (linked here: http://lists.nongnu.org/archive/html/freetype-devel/2011-07/msg00014.html ) be enough to ensure the CVE is definitely fixed?
CC: (none) => doktor5000
No. I tried that with xpdf before installing the update, and it didn't fail, so we don't seem to have a working poc. Without a working poc, all we can test is that the program appears to be working ok.
This update still needs testing on x86_64.

Please make sure the tested packages are:
libfreetype6-2.4.4-5.1.mga1
libfreetype6-2.4.4-5.1.mga1.tainted

Without a working exploit available outside iOS, we can only test that it works correctly. IINM freetype is used everywhere when a font is printed so it should be easy to check that it works. Also maybe open a PDF with xpdf like Dave Hodgins did.

You will probably need to reboot after switching from the core package to the tainted one.
There's a problem with this update: freetype2-2.4.4-5.1.mga1.tainted.src.rpm is in both Tainted Updates Testing and Tainted Updates, and the 2 packages are different!

I think that dmorgan forgot to increase the subrel when reverting to the 2.4.4 version, am I right?
CC: (none) => qa-bugs
Assignee: qa-bugs => dmorganec
Keywords: (none) => Security
I will look at this then. Thank you.
Ping.
What is the status of this update please?
should be available for tests now
Assignee: dmorganec => qa-bugs
Depends on: (none) => 3081
Tested OK i586
x86_64: Should there be a 64 bit build of libfreetype6? I notice the i586 version is installed and nothing in x86_64 Updates Testing. i586 version tested OK on x86_64 if that is correct?
So, there is a 64bit build of libfreetype6 but for some reason the i586 version is installed on an x86_64 system and not the x86_64 version. A tainted x86_64 version was installed however beside the i586 core version.

Oct 18 13:00:11 mega perl: [RPM] libfreetype6-2.4.4-5.2.mga1.i586 installed
Oct 18 13:00:11 mega perl: [RPM] libfreetype6-2.4.4-4.mga1.i586 removed

Today..

Oct 19 12:21:59 mega urpmi: called with: --media Core Updates Testing (distrib5) lib64freetype6
Oct 19 12:22:00 mega perl: [RPM] lib64freetype6-2.4.4-5.2.mga1.x86_64 installed
Oct 19 12:22:01 mega perl: [RPM] lib64freetype6-2.4.4-5.1.mga1.tainted.x86_64 removed
Oct 19 12:30:47 mega rpmdrake[30650]: [RPM] lib64freetype6-devel-2.4.4-5.2.mga1.x86_64 installed
Oct 19 12:30:48 mega rpmdrake[30650]: [RPM] lib64freetype6-devel-2.4.4-5.1.mga1.tainted.x86_64 removed

This is a little odd!

Testing with xpdf. Confirmed it was using the 64 bit libfreetype6 using strace and tested OK.

Installed x86_64 tainted version and checked again. All appears OK.

Validating the update

Advisory
--------------------
A vulnerability was discovered and corrected in freetype2:

Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011 (CVE-2011-0226).

The updated packages have been patched to correct this issue.
---------------------

SRPMs:
freetype2-2.4.4-5.2.mga1.src.rpm
freetype2-2.4.4-5.2.mga1.tainted.src.rpm

Could sysadmin please push to updates, thank you.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
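Added example, not part of the thread or of Mageia's tooling: replaying the [RPM] syslog records quoted in the validation comment above to confirm that every freetype package left installed, on each architecture, is at the validated release 2.4.4-5.2.mga1. The function names are hypothetical and the release ordering is a simplification for this example, not RPM's own version comparison.

```python
import re

# Syslog records as quoted in the validation comment above.
LOG = """\
Oct 18 13:00:11 mega perl: [RPM] libfreetype6-2.4.4-5.2.mga1.i586 installed
Oct 18 13:00:11 mega perl: [RPM] libfreetype6-2.4.4-4.mga1.i586 removed
Oct 19 12:21:59 mega urpmi: called with: --media Core Updates Testing (distrib5) lib64freetype6
Oct 19 12:22:00 mega perl: [RPM] lib64freetype6-2.4.4-5.2.mga1.x86_64 installed
Oct 19 12:22:01 mega perl: [RPM] lib64freetype6-2.4.4-5.1.mga1.tainted.x86_64 removed
Oct 19 12:30:47 mega rpmdrake[30650]: [RPM] lib64freetype6-devel-2.4.4-5.2.mga1.x86_64 installed
Oct 19 12:30:48 mega rpmdrake[30650]: [RPM] lib64freetype6-devel-2.4.4-5.1.mga1.tainted.x86_64 removed
"""

# name-version-release.arch followed by the operation
EVENT = re.compile(r"\[RPM\] (?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>\w+) "
                   r"(?P<op>installed|removed)$")
VALIDATED = ("2.4.4", (5, 2))  # from the SRPMs validated in this thread


def release_key(rel):
    """Leading numeric fields of a release: '5.1.mga1.tainted' -> (5, 1).
    Simplified ordering (assumption of this example), not rpmvercmp."""
    key = []
    for field in rel.split("."):
        if not field.isdigit():
            break
        key.append(int(field))
    return tuple(key)


def installed_after(log):
    """Replay install/remove events; return the packages still installed."""
    state = set()
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # non-package records, e.g. the urpmi "called with" line
        pkg = (m["name"], m["ver"], m["rel"], m["arch"])
        if m["op"] == "installed":
            state.add(pkg)
        else:
            state.discard(pkg)
    return state


def unpatched(log):
    """freetype packages left installed below the validated release."""
    return sorted(p for p in installed_after(log)
                  if "freetype6" in p[0] and p[1] == VALIDATED[0]
                  and release_key(p[2]) < VALIDATED[1])
```

An empty result from `unpatched(LOG)` only says the logged transactions ended at the validated release; it does not exercise the font parser.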
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED