Bug 1763609 (CVE-2015-9382)

Summary: CVE-2015-9382 freetype: mishandling ps_parser_skip_PS_token in an FT_New_Memory_Face operation in skip_comment, psaux/psobjs.c, leads to a buffer over-read
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ajax, caillon+fedoraproject, erack, fonts-bugs, gecko-bugs-nobody, gnome-sig, jhorak, john.j5live, kevin, mclasen, mkasik, rhughes, rstrode, sandmann, stransky, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: freetype 2.6.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-17 14:09:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1763616, 1767863, 1767978, 1768021, 1768022    
Bug Blocks: 1763611    

Description Marian Rehak 2019-10-21 07:52:25 UTC
FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation. This may lead to a DoS.

Comment 1 Marian Rehak 2019-10-21 07:53:06 UTC
Upstream Issue:

https://savannah.nongnu.org/bugs/?45922

Comment 3 Marian Rehak 2019-10-21 08:00:48 UTC
Created freetype tracking bugs for this issue:

Affects: fedora-all [bug 1763616]

Comment 8 Marco Benatto 2019-11-05 15:42:35 UTC
The freetype library is able to handle PostScript created fonts, however there's an issue when handling PostScript balanced expressions. On ps_parser_skip_PS_token() a lack of proper validation may lead the reading cursor holding the current position being processed to go beyond the end of the text content. This further causes an out of bounds read o skip_comment() function. An attacker may leverage this bug by creating a crafted input file causing low confidentiality impact as unexpected data may be exposed as a result of the over-read.

Comment 9 errata-xmlrpc 2019-12-17 11:05:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:4254 https://access.redhat.com/errata/RHSA-2019:4254

Comment 10 Product Security DevOps Team 2019-12-17 14:09:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-9382