Bug 1661454 (CVE-2018-19876)

Summary: CVE-2018-19876 cairo: Invalid free in cairo_ft_apply_variations() resulting in a denial of service
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: abhgupta, dbaker, jokerman, mcatanza, otte, sthangav, trankin
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Cairo in the cairo_ft_apply_variations() function in cairo-ft-font.c. An attacker could exploit it by persuading a victim to open a specially crafted file, causing the application to crash and resulting in a denial of service.
Story Points: ---
Last Closed: 2021-10-27 03:20:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1661455, 1661456, 1661457, 1663110
Bug Blocks: 1661458

Description Andrej Nemec 2018-12-21 10:04:15 UTC
cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit's fastMalloc, leading to an application crash with a "free(): invalid pointer" error.

Upstream issue:

https://bugs.webkit.org/show_bug.cgi?id=191595

Upstream MR:

https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5

Comment 1 Andrej Nemec 2018-12-21 10:04:31 UTC
Created cairo tracking bugs for this issue:

Affects: fedora-all [bug 1661456]


Created mingw-cairo tracking bugs for this issue:

Affects: epel-7 [bug 1661455]
Affects: fedora-all [bug 1661457]

Comment 2 Huzaifa S. Sidhpurwala 2019-01-03 08:19:27 UTC
Analysis:

This is essentially a bug in which cairo tries to free a FT_MM_Var data structure using system free() rather than using FT_Done_MM_Var() when freetype 2.9 is used. This bug is triggered when WebKit tries to use its internal fastMalloc() for allocating and freeing cairo data structures. This is really cairo and freetype version specific and the trigger factor is how WebKit deals with these data structures.

Based on the complexity of the overall problem and the trigger factor, it is safe to call this low impact.
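The free-path mismatch described in Comment 2, as an added C example that is not cairo, FreeType or WebKit code: a library with FreeType-style memory hooks, a host allocator that tags its blocks the way a fastMalloc-style allocator keeps its own bookkeeping, and a release that goes through the library's own done routine rather than free(). All identifiers (lib_t, lib_done_var, host_alloc, HOST_MAGIC and so on) are hypothetical stand-ins.

```c
/* Added example, not code from cairo, FreeType or WebKit: a self-contained
 * model of the allocator mismatch behind CVE-2018-19876. The host installs
 * its own memory hooks into the library (as WebKit does with fastMalloc for
 * FreeType), so library objects must be released through the library's own
 * "done" routine (FT_Done_MM_Var), never with free(). Names are hypothetical. */
#include <stdlib.h>
#include <stdint.h>
/* Library side: memory hooks, modelled on FreeType's FT_MemoryRec. */
typedef struct { void *(*alloc)(size_t); void (*release)(void *); } lib_memory_t;
typedef struct { lib_memory_t mem; } lib_t;
typedef struct { int num_axis; } lib_var_t;     /* stands in for FT_MM_Var */

lib_var_t *lib_get_var(lib_t *lib) {            /* like FT_Get_MM_Var */
    lib_var_t *v = lib->mem.alloc(sizeof *v);
    if (v) v->num_axis = 3;
    return v;
}
void lib_done_var(lib_t *lib, lib_var_t *v) {   /* like FT_Done_MM_Var */
    lib->mem.release(v);
}

/* Host side: a fastMalloc-style allocator keeps a tagged header in front of
 * every block, so the pointer it hands out is not a system malloc pointer and
 * passing it to free() is exactly the "free(): invalid pointer" failure. */
#define HOST_MAGIC 0x48535441474943ULL           /* arbitrary constructed tag */
static int host_live_blocks = 0;
static void *host_alloc(size_t n) {
    uint64_t *hdr = malloc(sizeof *hdr + n);
    if (!hdr) return NULL;
    *hdr = HOST_MAGIC; host_live_blocks++;
    return hdr + 1;
}
static void host_release(void *p) {
    uint64_t *hdr = (uint64_t *)p - 1;
    if (*hdr != HOST_MAGIC) abort();            /* foreign pointer: refuse it */
    *hdr = 0; host_live_blocks--;
    free(hdr);
}
int host_owns(const void *p) { return ((const uint64_t *)p)[-1] == HOST_MAGIC; }

/* The release path the analysis calls for: go back through the library, which
 * routes to the host hook. Returns live host blocks afterwards (0 = balanced). */
int release_via_library(void) {
    lib_t lib = { { host_alloc, host_release } };
    lib_var_t *v = lib_get_var(&lib);
    if (!v || !host_owns(v)) return -1;
    lib_done_var(&lib, v);                      /* never: free(v) */
    return host_live_blocks;
}
```

Calling free() on the pointer instead of lib_done_var() would hand the host's tagged block to the system allocator, which is the crash the report describes.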