Bug 1350891 (CVE-2016-5384)

Summary: CVE-2016-5384 fontconfig: Possible double free due to insufficiently validated cache files
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alonbl, bmcclain, carnil, cfergeau, dblechte, lsurette, mgoldboi, michal.skrivanek, sardella, security-response-team, slawomir, spam.bugzillaredhat, srevivo, tagoh, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was found that cache files were insufficiently validated in fontconfig. A local attacker could create a specially crafted cache file to trigger arbitrary free() calls, which in turn could lead to arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:55:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1355930, 1364439, 1364440, 1364442    
Bug Blocks: 1323912, 1350892    

Description Adam Mariš 2016-06-28 15:34:11 UTC 
It was reported that offsets contained in cache files aren't checked if they're in legal ranges or are pointers at all. The lack of validation allows an attacker to trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. When used with setuid binaries using crafted cachefiles, privilege escalation is possible.
Comment 2 Adam Mariš 2016-06-30 15:10:59 UTC 
Acknowledgments:

Name: Tobias Stoeckmann
Comment 7 Akira TAGOH 2016-08-05 08:34:37 UTC 
The fix has been pushed to the upstream git:
https://lists.freedesktop.org/archives/fontconfig/2016-August/005792.html
Comment 8 Dhiru Kholia 2016-08-05 09:20:01 UTC 
Public via https://lists.freedesktop.org/archives/fontconfig/2016-August/005792.html
Comment 9 Akira TAGOH 2016-08-05 09:51:04 UTC 
BTW no bugs for Fedora?
Comment 10 Dhiru Kholia 2016-08-05 11:04:42 UTC 
Created mingw-fontconfig tracking bugs for this issue:

Affects: fedora-all [bug 1364440]
Comment 11 Dhiru Kholia 2016-08-05 11:04:54 UTC 
Created fontconfig tracking bugs for this issue:

Affects: fedora-all [bug 1364439]
Comment 12 Dhiru Kholia 2016-08-05 11:06:40 UTC 
Created mingw-fontconfig tracking bugs for this issue:

Affects: epel-7 [bug 1364442]
Comment 13 Fedora Update System 2016-08-08 20:22:05 UTC 
fontconfig-2.11.94-7.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2016-08-18 00:50:30 UTC 
fontconfig-2.11.94-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Dhiru Kholia 2016-09-07 07:41:08 UTC 
Our CVSS scoring reflects the fact that RHEL 7 and RHEL 6 contains no setuid root binaries which are linked to fontconfig.
Comment 16 errata-xmlrpc 2016-11-03 21:18:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2601 https://rhn.redhat.com/errata/RHSA-2016-2601.html
Comment 18 Marcel 2016-11-13 11:25:01 UTC 
Great job, now fontconfig doesn't use cache at all, causing every process to regenerate cache when started, and completely freezing my system at boot because I've had 2000+ fonts installed.