Bug 190593
| Summary: | CVE-2006-1861 freetype multiple integer overflows (CVE-2006-3467) | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Josh Bressers <bressers> | ||||||||||||
| Component: | freetype | Assignee: | Carl Worth (Ampere) <cworth> | ||||||||||||
| Status: | CLOSED ERRATA | QA Contact: | Brock Organ <borgan> | ||||||||||||
| Severity: | high | Docs Contact: | |||||||||||||
| Priority: | high | ||||||||||||||
| Version: | 4.0 | CC: | eric.eisenhart, mbarnes, rstrode | ||||||||||||
| Target Milestone: | --- | Keywords: | Security | ||||||||||||
| Target Release: | --- | ||||||||||||||
| Hardware: | All | ||||||||||||||
| OS: | Linux | ||||||||||||||
| Whiteboard: | source=vendorsec,reported=20060305,impact=moderate,embargo=yes | ||||||||||||||
| Fixed In Version: | RHSA-2006-0500 | Doc Type: | Bug Fix | ||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||
| Clone Of: | Environment: | ||||||||||||||
| Last Closed: | 2006-07-18 10:05:19 UTC | Type: | --- | ||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||
| Documentation: | --- | CRM: | |||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||
| Embargoed: | |||||||||||||||
| Attachments: |
|
||||||||||||||
Created attachment 128558 [details]
Patch for issue #2
Created attachment 128559 [details]
Patch for issue #3
Created attachment 128561 [details]
Patch for issue #4
Created attachment 128562 [details]
Fix for issue #6
These issues should also affect RHEL3 and RHEL2.1 Created attachment 128565 [details]
Fix for a minor DoS issue
Here is a patch for a minor DoS issue as well. It doesn't have a CVE id (it
may get one, but probably doesn't deserve one). Please fix it when applying
the above patches.
*** Bug 190693 has been marked as a duplicate of this bug. *** Bug 190693 has been marked a duplicate of this bug as it contains the patch for additional integer overflows which are covered by CVE-2006-1861. Upstream has fixed a number of potential integer overflows when allocating memory by modifying how memory is now allocated. The patch take from CVS, then clean up is very large. I don't know the source well enough to determine how much of this is needed for our packages. Attachment 128606 [details] is a patch extracted from upstream CVS RHEL 3 and RHEL 4 packages are built, will do RHEL 2.1 next week. RHEL 2.1 packages are built. Lifting embargo I am eagerly waiting for an advisory and rpm pakets for this (and other) sever issue with freetype. Is there a reason to delay the release? Tobias; updated packages are likely to be pushed this week this week once QA is completed. They were delayed whilst we dealt with other issues that were of a higher security severity. Our maintainer whilst building the packages for CVE-2006-1861 noticed that the upstream patch seemed to be insufficient to correct bad1.pcf from the test suite. He corrected it. Since other vendors have already released updates we need a new CVE name for this issue, CVE-2006-3467. vendor-sec notified yesterday. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0500.html |
Several integer overflow bugs in freetype have been fixed in CVS. The details are below. The descriptions are the CVS commit messages. That patch for each particular comment is keyed off it's # identifier. * Integer overflow #2 * src/bdf/bdflib.c (ERRMSG4): New macro. (_bdf_parse_glyphs): Handle invalid BBX values. * include/freetype/fterrdef.h (FT_Err_Bbx_Too_Big): New error macro. #3 * src/sfnt/ttcmap.c (tt_face_build_cmaps): Handle invalid offset correctly. #4 * src/cff/cfftypes.h (CFF_CharsetRec): Add `max_cid' member. * src/cff/cffload.c (cff_charset_load): Set `charset->max_cid'. * src/cff/cffgload.c (cff_slot_load): Change type of third parameter to `FT_UInt'. Check range of `glyph_index'. * src/cff/cffgload.h: Updated. #6 * src/bdf/bdflib.c: fixed a problem with large encodings. Again, this patch comes from Debian libfreetype6 for 2.1.10 !