Bug 1172633

Summary: freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: behdad, carnil, erik-fedora, fedora-mingw, fonts-bugs, kevin, mkasik, rjones
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: freetype 2.5.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:37:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1172634, 1172635, 1172636    
Bug Blocks:    

Description Vasyl Kaigorodov 2014-12-10 13:37:19 UTC
It was reported [1] that Freetype before 2.5.4 suffers from an out-of-bounds
stack-based read/write flaw in cf2_hintmap_build() in the CFF rasterizing
code, which could lead to a buffer overflow.  This is due to an incomplete
fix for CVE-2014-2240.

Upstream patch is at [2]
Upstream bug with some additional info is at [3].


This new CFF handling code was introduced in Freetype 2.4.12 (new Type 2 interpreter and hinter); earlier versions are not affected.  This is fixed in 2.5.4 [4].

[1]: https://bugs.mageia.org/show_bug.cgi?id=14771
[2]: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0eae6eb0645264c98812f0095e0f5df4541830e6
[3]: http://savannah.nongnu.org/bugs/?43661
[4]: http://sourceforge.net/projects/freetype/files/freetype2/2.5.4/

Statement:

Not vulnerable. This issue did not affect the versions of freetype as shipped with Red Hat Enterprise Linux 5, 6 and 7.

Comment 1 Vasyl Kaigorodov 2014-12-10 13:37:56 UTC
Created freetype tracking bugs for this issue:

Affects: fedora-20 [bug 1172634]

Comment 2 Vasyl Kaigorodov 2014-12-10 13:37:59 UTC
Created mingw-freetype tracking bugs for this issue:

Affects: fedora-20 [bug 1172635]
Affects: fedora-19 [bug 1172636]

Comment 3 Marek Kašík 2014-12-10 14:09:28 UTC
Shouldn't we use the patch from http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=2cdc4562f873237f1c77d43540537c7a721d3fd8 instead of the [2]?
Also, according to the mentioned versions, we should probably fix it in Fedora 21 too.

Comment 4 David Walser 2014-12-10 22:55:50 UTC
(In reply to Marek Kašík from comment #3)
> Shouldn't we use the patch from
> http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/
> ?id=2cdc4562f873237f1c77d43540537c7a721d3fd8 instead of the [2]?
> Also, according to the mentioned versions, we should probably fix it in
> Fedora 21 too.

As well as this one, yes:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f89396cb6284954ff98b5dcbfc38e144deccdc83

The one linked in [2] is the original incomplete fix from before.

Comment 5 Marek Kašík 2014-12-11 11:05:18 UTC
(In reply to David Walser from comment #4)
> (In reply to Marek Kašík from comment #3)
> > Shouldn't we use the patch from
> > http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/
> > ?id=2cdc4562f873237f1c77d43540537c7a721d3fd8 instead of the [2]?
> > Also, according to the mentioned versions, we should probably fix it in
> > Fedora 21 too.
> 
> As well as this one, yes:
> http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/
> ?id=f89396cb6284954ff98b5dcbfc38e144deccdc83

Thank you for pointing me to this commit. I've updated the update.

> The one linked in [2] is the original incomplete fix from before.

Comment 6 David Walser 2014-12-17 00:58:15 UTC
You're welcome.  Just FYI, you meant to add a link to Bug 1172634 in the SPEC file, but you accidentally put bugs.gnome.org instead of bugzilla.redhat.com.

Comment 7 Marek Kašík 2014-12-17 10:15:51 UTC
(In reply to David Walser from comment #6)
> You're welcome.  Just FYI, you meant to add a link to Bug 1172634 in the
> SPEC file, but you accidentally put bugs.gnome.org instead of
> bugzilla.redhat.com.

Thanks, fixed.

Comment 8 Fedora Update System 2014-12-23 18:31:34 UTC
freetype-2.5.3-13.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-01-03 19:05:37 UTC
freetype-2.5.0-7.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.