Bug 1074646 (CVE-2014-2240, CVE-2014-2241)

Summary: CVE-2014-2240 CVE-2014-2241 freetype: OOB stack-based read/write in cf2_hintmap_build()
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: behdad, carnil, erik-fedora, fedora-mingw, fonts-bugs, jkurik, jrusnack, kevin, lfarkas, mkasik, pfrields, rjones
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: freetype 2.5.3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 18:54:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1074647, 1074648, 1074649    
Bug Blocks:    

Description Vincent Danen 2014-03-10 18:12:34 UTC 
It was reported [1] that Freetype suffers from an out-of-bounds stack-based read/write flaw in cf2_hintmap_build().

This new CFF handling code was introduced in Freetype 2.4.12 (new Type 2 interpreter and hinter); earlier versions are not affected.  This is fixed in 2.5.3 [2].

Two CVEs were noted in the upstream bug [3], and according the oss-security post they correlate to commits as follows:

CVE-2014-2240: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0eae6eb0645264c98812f0095e0f5df4541830e6
CVE-2014-2241: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=135c3faebb96f8f550bd4f318716f2e1e095a969

(there seems to be some possibility that CVE-2014-2241 was unncessarily filed, however)


[1] http://openwall.com/lists/oss-security/2014/03/10/2
[2] http://sourceforge.net/projects/freetype/files/freetype2/2.5.3/
[3] https://savannah.nongnu.org/bugs/?41697


Statement:

Not vulnerable. This issue did not affect the versions of freetype as shipped with Red Hat Enterprise Linux 5, 6 and 7.
Comment 1 Vincent Danen 2014-03-10 18:14:20 UTC 
Created freetype tracking bugs for this issue:

Affects: fedora-20 [bug 1074647]
Comment 2 Vincent Danen 2014-03-10 18:14:24 UTC 
Created mingw-freetype tracking bugs for this issue:

Affects: fedora-20 [bug 1074648]
Affects: fedora-19 [bug 1074649]
Comment 4 Vincent Danen 2014-06-13 18:54:17 UTC 
This is currently fixed in:

mingw-freetype-2.5.0.1-2.fc20
mingw-freetype-2.4.12-3.fc19
freetype-2.5.0-5.fc20
Comment 5 Kevin Kofler 2014-06-14 01:11:53 UTC 
And for anybody who might want to know, this is also fixed in:
freetype-freeworld-2.5.0.1-4.fc20
in that well-known third-party repository.