On 12/24/2012 06:58 PM, Huzaifa Sidhpurwala wrote:
> Merry Christmas!
>
> Multiple security issues were reported by Mateusz Jurczyk of
> Google security team. These have been fixed in freetype 2.4.11
> Details are as follows.
>
> * NULL Pointer Dereference in bdf_free_font
>   Bug: https://savannah.nongnu.org/bugs/?37905
>   Patch: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=9b6b5754b57c12b820e01305eb69b8863a161e5a
>   Please use CVE-2012-5668 for this issue.
> * Out-of-bounds read in _bdf_parse_glyphs
>   Bug: https://savannah.nongnu.org/bugs/?37906
>   Patch: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=07bdb6e289c7954e2a533039dc93c1c136099d2d
>   Please use CVE-2012-5669 for this issue.
> * Out-of-bounds write in _bdf_parse_glyphs
>   Bug: https://savannah.nongnu.org/bugs/?37907
>   Patch: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=7f2e4f4f553f6836be7683f66226afac3fa979b8
>   Please use CVE-2012-5670 for this issue.
> Can CVEs please be assigned to these issues?
>
> Thanks!
Fixes added in r334917 (mga2, updates_testing, freetype2-2.4.9-1.1.mga2). Cauldron is unaffected.
Summary: multiple security issues in freetype2 => multiple security issues in freetype2 (CVE-2012-5668, CVE-2012-5669, CVE-2012-5670)
Assignee: bugsquad => qa-bugs
Source RPM: (none) => freetype2-2.4.9-1.1
Where are the usual tainted testing updates for this? (I use the sub-pixel rendering in the tainted build.)
CC: (none) => lemonzest
Hardware: i586 => All
Assignee: qa-bugs => bugsquad
Whiteboard: (none) => feedback
(oups)
Assignee: bugsquad => qa-bugs
Oden, we still need an actual advisory for the update. I just submitted to tainted, so that'll be taken care of soon. The command to submit that is:
mgarepo submit 2/freetype2 --define section=tainted/updates_testing -t 2
Sysadmins, I accidentally also submitted the "freetype" SRPM to tainted/updates_testing, please remove this.
CC: (none) => luigiwalser, sysadmin-bugs
Whiteboard: feedback => (none)
The packages list for this update is:
libfreetype6-2.4.9-1.1.mga2
libfreetype6-devel-2.4.9-1.1.mga2
libfreetype6-static-devel-2.4.9-1.1.mga2
freetype2-demos-2.4.9-1.1.mga2
from freetype2-2.4.9-1.1.mga2.src.rpm
Proposed advisory:
A NULL pointer dereference flaw was found in the way the FreeType font rendering engine handled Glyph Bitmap Distribution Format (BDF) fonts. A remote attacker could provide a specially-crafted BDF font file, which once processed in an application linked against FreeType would lead to that application crashing (CVE-2012-5668).
An out-of-bounds heap-based buffer read flaw was found in the way the FreeType font rendering engine performed parsing of glyph information and relevant bitmaps for Glyph Bitmap Distribution Format (BDF) fonts. A remote attacker could provide a specially-crafted BDF font file, which once opened in an application linked against FreeType would lead to that application crashing (CVE-2012-5669).
An out-of-bounds heap-based buffer write flaw was found in the way the FreeType font rendering engine performed parsing of glyph information and relevant bitmaps for Glyph Bitmap Distribution Format (BDF) fonts. A remote attacker could provide a specially-crafted font file, which once opened in an application linked against FreeType would lead to that application crashing, or, potentially, arbitrary code execution with the privileges of the user running the application (CVE-2012-5670).
References:
http://www.openwall.com/lists/oss-security/2012/12/25/2
https://bugzilla.redhat.com/show_bug.cgi?id=890087
https://bugzilla.redhat.com/show_bug.cgi?id=890088
https://bugzilla.redhat.com/show_bug.cgi?id=890094
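The advisory above describes out-of-bounds reads and writes while parsing BDF glyph bitmaps, and a NULL dereference in font cleanup. As an added illustration (constructed for this thread, not FreeType's code and not a reconstruction of the patched functions), the C parser below handles the BBX/BITMAP section of one glyph and shows the checks such a parser needs: row count and row width are validated against the declared geometry before anything is written, and the destructor tolerates partially built objects. The type and function names and the BDF_MAX_DIM limit are assumptions.

```c
/* Constructed example, not FreeType code: bounds-checked parser for the
 * BBX/BITMAP section of one BDF glyph, rejecting any row count or row
 * width that disagrees with the declared geometry before it is written. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BDF_MAX_DIM 1024 /* assumed sane upper bound for glyph width/height */
typedef struct {
    int width, height;     /* from the BBX line */
    size_t bytes_per_row;  /* (width + 7) / 8 */
    unsigned char *bits;   /* height * bytes_per_row bytes, owned */
} bdf_glyph;
static int hexval(int c) { /* value of one hex digit, or -1 for anything else */
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
static const char *skip_ws(const char *p) { while (isspace((unsigned char)*p)) p++; return p; }

/* Destructor tolerates NULL and half-built glyphs: the CVE-2012-5668 class of
 * bug is a NULL dereference while freeing a font that failed to load. */
void bdf_glyph_free(bdf_glyph *g) { if (g) free(g->bits); free(g); }
/* Parse "BBX w h xoff yoff\nBITMAP\n<hex rows>\nENDCHAR"; NULL on any defect. */
bdf_glyph *bdf_glyph_parse(const char *text) {
    int w, h, xo, yo, n = 0;
    if (sscanf(text, "BBX %d %d %d %d%n", &w, &h, &xo, &yo, &n) != 4) return NULL;
    if (w <= 0 || h <= 0 || w > BDF_MAX_DIM || h > BDF_MAX_DIM) return NULL;
    const char *p = skip_ws(text + n);
    if (strncmp(p, "BITMAP", 6) != 0) return NULL;
    bdf_glyph *g = calloc(1, sizeof *g);
    if (!g) return NULL;
    g->width = w; g->height = h; g->bytes_per_row = ((size_t)w + 7) / 8;
    if (!(g->bits = calloc((size_t)h, g->bytes_per_row))) { bdf_glyph_free(g); return NULL; }
    p += 6;                                             /* past "BITMAP" */
    for (int row = 0; ; row++) {
        p = skip_ws(p);
        if (strncmp(p, "ENDCHAR", 7) == 0) { if (row == h) return g; break; } /* exactly h rows */
        if (row >= h || *p == '\0') break;              /* extra row would overrun bits */
        for (size_t i = 0; i < 2 * g->bytes_per_row; i++, p++) {
            int v = hexval((unsigned char)*p);
            if (v < 0) { bdf_glyph_free(g); return NULL; } /* short row or junk digit */
            g->bits[row * g->bytes_per_row + i / 2] |= (unsigned char)(i % 2 ? v : v << 4);
        }
        if (!isspace((unsigned char)*p)) break;         /* row wider than BBX allows */
    }
    bdf_glyph_free(g);                                  /* any break above is a parse error */
    return NULL;
}
```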
Testing complete mga2 64. No PoCs, so just checking xpdf displays OK with the updated packages and a few commands from 'urpmf freetype2-demos'. There are actually 2 srpms with tainted, so the package list is:
libfreetype6-2.4.9-1.1.mga2
libfreetype6-devel-2.4.9-1.1.mga2
libfreetype6-static-devel-2.4.9-1.1.mga2
freetype2-demos-2.4.9-1.1.mga2
from freetype2-2.4.9-1.1.mga2.src.rpm, and the same again from freetype2-2.4.9-1.1.mga2.tainted.src.rpm in tainted updates testing.
Whiteboard: (none) => has_procedure mga2-64-OK
PoCs are in the upstream bugreports.
On Mageia 2 i586, "ftbench zgraphics_r400-12.bdf.SIGSEGV.dbf.2501" using either the core release or tainted release versions causes ftbench to segfault, while "ftbench zevv-peep-iso8859-15-07x14.bdf.asan.70.2494" just gets the message "couldn't load font resource". With the Core Updates Testing or the Tainted Updates Testing version, "ftbench sym8.bdf.asan.39.2321" works, while both of the others get the message "couldn't load font resource". Also, testing with xpdf, etc., doesn't show any regressions. I'll test Mageia 2 x86-64 shortly.
CC: (none) => davidwhodgins
Testing complete on Mageia 2 x86-64. With Core/Tainted Release versions, all three files cause segfaults. With Core/Tainted Updates Testing versions, results are the same as with the i586 Updates Testing versions. Could someone from the sysadmin team push the srpm freetype2-2.4.9-1.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm freetype2-2.4.9-1.1.mga2.tainted.src.rpm from Mageia 2 Tainted Updates Testing to Tainted Updates?
Advisory:
A NULL pointer dereference flaw was found in the way the FreeType font rendering engine handled Glyph Bitmap Distribution Format (BDF) fonts. A remote attacker could provide a specially-crafted BDF font file, which once processed in an application linked against FreeType would lead to that application crashing (CVE-2012-5668).
An out-of-bounds heap-based buffer read flaw was found in the way the FreeType font rendering engine performed parsing of glyph information and relevant bitmaps for Glyph Bitmap Distribution Format (BDF) fonts. A remote attacker could provide a specially-crafted BDF font file, which once opened in an application linked against FreeType would lead to that application crashing (CVE-2012-5669).
An out-of-bounds heap-based buffer write flaw was found in the way the FreeType font rendering engine performed parsing of glyph information and relevant bitmaps for Glyph Bitmap Distribution Format (BDF) fonts. A remote attacker could provide a specially-crafted font file, which once opened in an application linked against FreeType would lead to that application crashing, or, potentially, arbitrary code execution with the privileges of the user running the application (CVE-2012-5670).
References:
http://www.openwall.com/lists/oss-security/2012/12/25/2
https://bugzilla.redhat.com/show_bug.cgi?id=890087
https://bugzilla.redhat.com/show_bug.cgi?id=890088
https://bugzilla.redhat.com/show_bug.cgi?id=890094
https://bugs.mageia.org/show_bug.cgi?id=8497
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0369
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/530907/
Patches now checked into Mageia 1 SVN.