Bug 1790041 (CVE-2020-5395)

Summary: CVE-2020-5395 fontforge: out-of-bounds write in SFD_GetFontMetaData function in sfd.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: eng-i18n-bugs, fonts-bugs, kevin, paul, pnemade, rschiron
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write was discovered in fontforge while parsing SFD files containing very large LayerCount tokens. The flaw allows an attacker to overwrite data before a buffer allocated on the heap, thus causing the application to crash or execute arbitrary code.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-28 16:35:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1790042, 1790973, 1790974
Bug Blocks: 1790043

Description Pedro Sampaio 2020-01-11 14:24:52 UTC
FontForge 20190801 has an out-of-bounds write in SFD_GetFontMetaData in sfd.c.

Upstream issue:

https://github.com/fontforge/fontforge/issues/4084

Comment 1 Pedro Sampaio 2020-01-11 14:25:10 UTC
Created fontforge tracking bugs for this issue:

Affects: fedora-all [bug 1790042]

Comment 3 Riccardo Schirone 2020-01-14 14:29:19 UTC
Vulnerable versions of fontforge allow the layer_cnt field of the SplineFont parser to be set to a very big number, which is parsed as a negative number, through the use of the LayerCount token. This bypasses the reallocation of the layers array and subsequently, during the parsing of the Layer token, it writes starting one byte before the beginning of the array. The out-of-bounds write overwrites heap metadata, which may be abused to crash the program or possibly execute code.
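
As an added illustration of the pattern described in this comment (this is not fontforge's code; the `struct font`, `MAX_LAYERS` and both function names are hypothetical stand-ins), the weak check that a count truncated to a negative int slips past, beside a version that validates the token before trusting it and grows the array before committing the count:

```c
#include <errno.h>
#include <stdlib.h>

#define MAX_LAYERS 256          /* assumed sane upper bound for this example */

/* Hypothetical stand-in for the parser state: a layer count and an array
 * that is supposed to hold exactly layer_cnt entries. */
struct font {
    int   layer_cnt;
    void **layers;
};

/* Weak pattern: the parsed value is truncated into a signed int.  A huge
 * token such as 4294967295 becomes -1, which is never greater than the
 * current count, so the array is not grown, yet the count is updated and
 * later code will index the array with it.  Returns the stored count. */
static int weak_set_layer_count(struct font *sf, long long parsed)
{
    int cnt = (int)parsed;              /* truncation: huge -> negative */
    if (cnt > sf->layer_cnt)            /* a negative cnt skips the growth */
        sf->layers = realloc(sf->layers, (size_t)cnt * sizeof *sf->layers);
    sf->layer_cnt = cnt;                /* count and allocation now disagree */
    return cnt;
}

/* Hardened pattern: parse the token fully, reject anything negative,
 * out of range or non-numeric, grow the array first and only then commit
 * the new count.  Returns 0 on success, -1 on rejection. */
static int safe_set_layer_count(struct font *sf, const char *tok)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(tok, &end, 10);
    if (end == tok || *end != '\0' || errno == ERANGE)
        return -1;                      /* not a clean integer */
    if (v < 0 || v > MAX_LAYERS)
        return -1;                      /* negative or implausibly large */
    if (v > sf->layer_cnt) {
        void **tmp = realloc(sf->layers, (size_t)v * sizeof *tmp);
        if (tmp == NULL)
            return -1;
        sf->layers = tmp;
    }
    sf->layer_cnt = (int)v;             /* allocation now matches the count */
    return 0;
}
```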

Comment 4 Riccardo Schirone 2020-01-14 14:41:23 UTC
Impact of the flaw set to Moderate even though the CVSSv3.1 score is 8.8, since we don't consider a network-facing application that accepts untrusted font files as a reasonable use of the fontforge tool/library, as also explained upstream in https://github.com/fontforge/fontforge/issues/4086#issuecomment-570772533.

Comment 7 Riccardo Schirone 2020-01-14 16:18:45 UTC
Statement:

Impact of the flaw set to Moderate since upstream does not consider a network-facing application that accepts untrusted font files as a reasonable use of the fontforge tool/library, making the impact of a possible exploitation of this flaw smaller.

Comment 11 Parag Nemade 2020-02-18 05:17:51 UTC
Upstream fontforge made it clear not to cherry-pick upstream commits and patch them into Fedora. See https://github.com/fontforge/fontforge/issues/4164#issuecomment-586589395

Comment 12 errata-xmlrpc 2020-04-28 16:09:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1921 https://access.redhat.com/errata/RHSA-2020:1921

Comment 13 Product Security DevOps Team 2020-04-28 16:35:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5395

Comment 14 errata-xmlrpc 2020-09-29 20:11:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3966 https://access.redhat.com/errata/RHSA-2020:3966