Bug 30395 - freetype2 new security issues CVE-2022-2740[4-6]
Summary: freetype2 new security issues CVE-2022-2740[4-6]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-05-07 22:12 CEST by David Walser
Modified: 2022-05-15 12:08 CEST
CC: 6 users

See Also:
Source RPM: freetype2-2.10.4-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-05-07 22:12:28 CEST
Fedora has issued an advisory today (May 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FDU2FOEMCEF6WVR6ZBIH5MT5O7FAK6UP/

The issues are fixed upstream in 2.12.0.
David Walser 2022-05-07 22:12:44 CEST

Status comment: (none) => Fixed upstream in 2.12.0
CC: (none) => nicolas.salguero

Comment 1 Nicolas Salguero 2022-05-09 13:30:54 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face. (CVE-2022-27404)

FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request. (CVE-2022-27405)

FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size. (CVE-2022-27406)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27406
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FDU2FOEMCEF6WVR6ZBIH5MT5O7FAK6UP/
========================

Updated packages in core/updates_testing:
========================
freetype2-demos-2.10.4-1.1.mga8
lib(64)freetype6-2.10.4-1.1.mga8
lib(64)freetype2-devel-2.10.4-1.1.mga8

from SRPM:
freetype2-2.10.4-1.1.mga8.src.rpm

Updated packages in tainted/updates_testing:
========================
freetype2-demos-2.10.4-1.1.mga8.tainted
lib(64)freetype6-2.10.4-1.1.mga8.tainted
lib(64)freetype2-devel-2.10.4-1.1.mga8.tainted

from SRPM:
freetype2-2.10.4-1.1.mga8.tainted.src.rpm

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.12.0 => (none)
Assignee: bugsquad => qa-bugs
Source RPM: freetype2-2.9.1-4.1.mga7.src.rpm => freetype2-2.10.4-1.mga8.src.rpm

Comment 2 Herman Viaene 2022-05-10 14:52:45 CEST
Hmmmm,
On lib64freetype2-devel-2.10.4-1.1.mga8.tainted I get "Cannot be selected"
And
lib64freetype6-2.10.4-1.1.mga8.tainted is not there, I see only a regular 2.10.4-2

CC: (none) => herman.viaene

Comment 3 Dave Hodgins 2022-05-10 16:42:17 CEST
It's on both kernel.org and princeton, but not listed in the hdlist file.

Adding sysadmins to the cc list and adding the feedback tag till they can fix it.

Keywords: (none) => feedback
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Thomas Backlund 2022-05-10 19:32:36 CEST
No.

the bug is that no-one caught the fact at mga8 release time that core/release has:

lib(64)freetype6-2.10.4-2.mga8

but tainted/release have:

lib(64)freetype6-2.10.4-1.mga8.tainted

and svn branching was apparently done on "-1.mga8"


so the fix is to set

 %mkrel 2

(and keep the subrel at 1)

and submit new builds to core and tainted

Keywords: feedback => (none)

Comment 5 Nicolas Salguero 2022-05-11 09:14:52 CEST
Updated packages in core/updates_testing:
========================
freetype2-demos-2.10.4-2.1.mga8
lib(64)freetype6-2.10.4-2.1.mga8
lib(64)freetype2-devel-2.10.4-2.1.mga8

from SRPM:
freetype2-2.10.4-2.1.mga8.src.rpm

Updated packages in tainted/updates_testing:
========================
freetype2-demos-2.10.4-2.1.mga8.tainted
lib(64)freetype6-2.10.4-2.1.mga8.tainted
lib(64)freetype2-devel-2.10.4-2.1.mga8.tainted

from SRPM:
freetype2-2.10.4-2.1.mga8.tainted.src.rpm

Comment 6 Len Lawrence 2022-05-11 19:58:57 CEST
mga8, x64

Made sure that the core packages were already installed.
Development tools/utilities:
$ ls /usr/bin/ft*
/usr/bin/ftbench*  /usr/bin/ftgamma*  /usr/bin/ftmulti*   /usr/bin/ftvalid*
/usr/bin/ftdiff*   /usr/bin/ftgrid*   /usr/bin/ftp*       /usr/bin/ftview*
/usr/bin/ftdump*   /usr/bin/ftlint*   /usr/bin/ftstring*

Used ftview to examine a couple of installed TTF fonts.
That produces a gui including a bitmapped image of a repeated sequence of symbols at pointsize 10 on this display.  According to the documentation the displayed size is dependent on the resolution of the display.
Using something like
$ ftview -d 1280x960 font <font.ttf>
only doubles the size of the axes, showing four times the number of characters.

Updated the core version successfully.
$ ftview pt -e unic font arial.ttf
<This showed the whole character set and reported pointsize 10.>
$ ftview -e unic -m 'Rumpelstiltskin' font cowboys.ttf
<Supplied string echoed throughout the image in the correct font with Unicode encoding.>
Supplying a larger xdpi value enlarges the displayed characters without enlarging the window.
$ ftview -e 'unic' -r 144 -m 'Abracadabra' font gemelli.ttf

Cannot do much else here.  System supplied and imported fonts are handled fine.
OK for core version.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2022-05-11 20:03:25 CEST
Taking a step back.  Need to test some of the 269 packages which require lib64freetype6.  Later.

Comment 8 Len Lawrence 2022-05-11 21:05:48 CEST
Ran Calibre using existing library.
$ strace -o calibre.trace calibre
Converted a PDF to DOCX format and saved files.
Opened the DOCX version and browsed.
Crashed out - no exit button.
$ ll *.trace
-rw-r--r-- 1 lcl lcl 10033483 May 11 19:54 calibre.trace
$ grep freetype calibre.trace
openat(AT_FDCWD, "/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libfreetype.so.6.17.4", O_RDONLY) = 13
openat(AT_FDCWD, "/usr/lib64/libfreetype.so.6.17.4", O_RDONLY) = 15
openat(AT_FDCWD, "/usr/lib64/libfreetype.so.6.17.4", O_RDONLY) = 15

$ strace -o stellarium.trace stellarium
Selected the moon to display all the information available and the same for an Intelsat.
$ grep freetype stellarium.trace
openat(AT_FDCWD, "/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libfreetype.so.6.17.4", O_RDONLY) = 7
openat(AT_FDCWD, "/usr/lib64/libfreetype.so.6.17.4", O_RDONLY) = 14
openat(AT_FDCWD, "/usr/lib64/libfreetype.so.6.17.4", O_RDONLY) = 14

No complaints on the command line regarding font rendering.
So, this looks good for the core version of freetype2.

Comment 9 Len Lawrence 2022-05-12 10:50:30 CEST
Had no luck with qarepo with tainted updates ticked.
Reverted to the longhand way, enabling tainted updates testing, `urpmi.update -a` and then
$ sudo urpmi --searchmedia "Tainted Updates Testing" freetype2-demos
etc.
$ rpm -q lib64freetype6
lib64freetype6-2.10.4-2.1.mga8.tainted
$ ftview -e 'unic' -r 144 -m 'Abracadabra' font /usr/share/tuxtype/fonts/Loma.ttf
That looks perfectly OK.

$ strace -o calibre.trace calibre
Converted a PDF to EPUB format.  Clicked on EPUB under formats and was able to read the converted book.
$ grep freetype calibre.trace
openat(AT_FDCWD, "/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libfreetype.so.6.17.4", O_RDONLY) = 13
openat(AT_FDCWD, "/usr/lib64/libfreetype.so.6.17.4", O_RDONLY) = 15
openat(AT_FDCWD, "/usr/lib64/libfreetype.so.6.17.4", O_RDONLY) = 15

Leaving it there.  Good for tainted updates as well.

Whiteboard: (none) => MGA8-64-OK
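The strace checks in Comments 8 and 9 answer a question every library update raises: which copy of the shared object did the program really open? An `rpm -q` only says what is installed; a process started before the update keeps the old library mapped until it is restarted. The script below is an added example (not part of the bug report, nor Mageia's QA tooling) that turns those two checks into functions: `loaded_libs` extracts the distinct, successfully opened paths for a library from an strace log, and `is_fixed` compares an installed version-release against the release that carries the fix (2.10.4-2.1.mga8 from Comment 5). The sample trace lines are constructed, modelled on the `openat` lines in Comment 8, and the version comparison is a simplified approximation of rpm's, enough to show why the tainted `-1.mga8.tainted` release sorted below the core `-2.mga8` release that Comment 4 describes.

```shell
#!/bin/sh
# Added example, not from the bug report or Mageia's tooling.
# SAMPLE_TRACE is constructed here, modelled on the openat lines in Comment 8;
# the ENOENT line is a made-up failed probe to show that it is filtered out.
SAMPLE_TRACE='openat(AT_FDCWD, "/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/user/.local/lib/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/libfreetype.so.6.17.4", O_RDONLY) = 13
openat(AT_FDCWD, "/etc/fonts/fonts.conf", O_RDONLY|O_CLOEXEC) = 14
openat(AT_FDCWD, "/usr/lib64/libfreetype.so.6.17.4", O_RDONLY) = 15'

# loaded_libs NAME -- reads strace output on stdin and prints each distinct
# path containing NAME that was opened successfully (non-negative return
# value), in first-seen order. Failed probes ("= -1 ENOENT ...") are skipped.
loaded_libs() {
    awk -v lib="$1" '
        /^openat\(/ {
            split($0, parts, "\"")                  # parts[2] is the quoted path
            path = parts[2]
            if (!match($0, /\) = -?[0-9]+/)) next   # locate ") = <retval>"
            rv = substr($0, RSTART + 4, RLENGTH - 4)
            if (index(path, lib) && rv + 0 >= 0 && !seen[path]++) print path
        }'
}

# vercmp A B -- prints -1, 0 or 1. Simplified rpm-style comparison (an
# assumption, not rpmvercmp itself): split on non-alphanumerics, compare
# numeric segments as integers and everything else as strings; a string that
# runs out of segments first is the older one.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, as, /[^0-9A-Za-z]+/)
        nb = split(b, bs, /[^0-9A-Za-z]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = as[i]; y = bs[i]
            if (x == "") { print "-1"; exit }
            if (y == "") { print "1"; exit }
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) {
                if (x + 0 < y + 0) { print "-1"; exit }
                if (x + 0 > y + 0) { print "1"; exit }
            } else {
                if ((x "") < (y "")) { print "-1"; exit }
                if ((x "") > (y "")) { print "1"; exit }
            }
        }
        print "0"
    }'
}

# is_fixed INSTALLED FIXED -- succeeds when INSTALLED is at or above FIXED.
is_fixed() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# Stand-alone demo on the constructed trace. On a live system the input would
# come from:  strace -f -o app.trace -e trace=openat <app>; loaded_libs libfreetype < app.trace
printf '%s\n' "$SAMPLE_TRACE" | loaded_libs libfreetype

# Release check against the fixed package from Comment 5. On a Mageia 8 host
# the first argument would be:  rpm -q --qf '%{VERSION}-%{RELEASE}\n' lib64freetype6
if is_fixed "2.10.4-2.1.mga8" "2.10.4-2.1.mga8"; then
    echo "lib64freetype6 release is at or above the fixed one"
else
    echo "lib64freetype6 release is BELOW the fixed one"
fi
```

Run the trace check once per application rather than once per host: the library a process opened is decided at its start, so a desktop session that was not logged out after `urpmi` can still show the old `.so` even though `rpm -q` already reports the updated release.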

Comment 10 Thomas Andrews 2022-05-13 14:48:08 CEST
@Len: I have had a time or two when qarepo would not find tainted packages after testing the core updates. I found that if you clear out the QA Testing folder before going after the tainted versions, it will help. Oh, and be sure the "tainted" is included in the package list you are using.

Validating. Advisory in Comment 1, with revised package list in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm

Comment 11 Len Lawrence 2022-05-14 00:09:25 CEST
@TJ, re comment 10.  Thanks for the tip.  I do always clear and update to start with then add the package list, so missing "tainted" in names probably was the reason.  Too much running on auto-pilot.  :-;

Dave Hodgins 2022-05-15 00:35:22 CEST

Keywords: (none) => advisory

Comment 12 Mageia Robot 2022-05-15 12:08:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0184.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

