Bug 611927

Summary: freetype: write to non-mapped memory in base/ftojbs.c:1563
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED INSUFFICIENT_DATA
Severity: medium
Priority: medium
Version: unspecified
CC: behdad, bressers, fonts-bugs, kevin, mkasik, osoukup
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-07-07 17:45:18 UTC

Description Vincent Danen 2010-07-06 21:08:03 UTC
Robert Swiecki reported a possibly exploitable write to non-mapped memory in the way freetype handles certain fonts [1].

The original report has two sample font files that caused the tested version to crash with a SIGSEGV (sigsegv16.pfb) and SIGABRT (sigabrt24.ttf).  When reproducing, observed behaviour was:

RHEL3 (freetype 2.1.4): pass on both files
RHEL4 (freetype 2.1.9): crashes (segfault) on both files
RHEL5 (freetype 2.2.1): crashes (segfault) on sigsegv16.pfb only
Fedora (freetype 2.3.11): crashes (segfault) on sigsegv16.pfb only

The upstream bug report claims this may be potentially exploitable for more than just a crash.  A patch was posted to correct the issue [2].  This needs to be looked at to determine whether or not this can be exploited to execute arbitrary code.

[1] http://savannah.nongnu.org/bugs/index.php?30248
[2] http://savannah.nongnu.org/bugs/download.php?file_id=20815
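
A small triage harness for reproducing the per-version results above, added here as an example; it is not code from the bug report, from Red Hat, or from the FreeType project. It binds the installed libfreetype through ctypes, opens each font in a forked child so that a fault inside FreeType kills only the child, and reports whether the run passed or which signal ended it. Assumptions: a Linux host where ctypes.util.find_library can locate libfreetype, and the layout of the first five FT_FaceRec fields (all FT_Long) as declared in freetype.h; the script name in the usage note is made up.

```python
"""Crash-triage harness for FreeType font parsing (added example, not from the bug report).

Each font is opened in a forked child via ctypes; the parent records 'pass', the
name of the signal that killed the child (SIGSEGV, SIGABRT, ...), or an FT_Error.
Assumes Linux and a libfreetype that ctypes.util.find_library() can resolve.
"""
import ctypes
import ctypes.util
import os
import signal
import sys

FT_LOAD_RENDER = 1 << 2  # load flag from freetype.h: rasterise the glyph after loading


class FTFaceRecPrefix(ctypes.Structure):
    """Leading fields of FT_FaceRec in freetype.h (assumed layout); only num_glyphs is read."""
    _fields_ = [("num_faces", ctypes.c_long), ("face_index", ctypes.c_long),
                ("face_flags", ctypes.c_long), ("style_flags", ctypes.c_long),
                ("num_glyphs", ctypes.c_long)]


def classify_exit(returncode):
    """Translate a subprocess-style exit code into the observed behaviour."""
    if returncode == 0:
        return "pass"
    if returncode < 0:
        return signal.Signals(-returncode).name  # e.g. "SIGSEGV", "SIGABRT"
    return "error(%d)" % returncode


def wait_status_to_returncode(status):
    """Decode an os.waitpid() status the way subprocess does: -N for death by signal N."""
    if os.WIFSIGNALED(status):
        return -os.WTERMSIG(status)
    return os.WEXITSTATUS(status)


def load_freetype():
    """Bind the few FreeType entry points the harness needs; None if the library is absent."""
    name = ctypes.util.find_library("freetype")
    if not name:
        return None
    ft = ctypes.CDLL(name)
    vp, vpp = ctypes.c_void_p, ctypes.POINTER(ctypes.c_void_p)
    ft.FT_Init_FreeType.argtypes = [vpp]
    ft.FT_New_Face.argtypes = [vp, ctypes.c_char_p, ctypes.c_long, vpp]
    ft.FT_Set_Char_Size.argtypes = [vp, ctypes.c_long, ctypes.c_long, ctypes.c_uint, ctypes.c_uint]
    ft.FT_Load_Glyph.argtypes = [vp, ctypes.c_uint, ctypes.c_int32]
    ft.FT_Done_Face.argtypes = [vp]
    ft.FT_Done_FreeType.argtypes = [vp]
    return ft


def exercise_font(ft, path):
    """Parse the font and load+render every glyph index. Returns an FT_Error (0 = ok)."""
    lib, face = ctypes.c_void_p(), ctypes.c_void_p()
    err = ft.FT_Init_FreeType(ctypes.byref(lib))
    if err:
        return err
    err = ft.FT_New_Face(lib, path.encode(), 0, ctypes.byref(face))
    if err:
        ft.FT_Done_FreeType(lib)
        return err
    ft.FT_Set_Char_Size(face, 0, 16 * 64, 72, 72)  # 16pt; error ignored for bitmap-only faces
    num_glyphs = ctypes.cast(face, ctypes.POINTER(FTFaceRecPrefix)).contents.num_glyphs
    for gindex in range(num_glyphs):
        # Per-glyph errors are expected on malformed fonts; only faults matter here.
        ft.FT_Load_Glyph(face, gindex, FT_LOAD_RENDER)
    ft.FT_Done_Face(face)
    ft.FT_Done_FreeType(lib)
    return 0


def triage_font(path):
    """Run exercise_font() in a child process; report 'pass', a signal name, or 'error(N)'."""
    pid = os.fork()
    if pid == 0:  # child: never returns to the caller
        ft = load_freetype()
        # 127 = libfreetype not found; otherwise the FT_Error clamped to a valid exit code
        os._exit(127 if ft is None else min(exercise_font(ft, path), 126))
    _, status = os.waitpid(pid, 0)
    return classify_exit(wait_status_to_returncode(status))


if __name__ == "__main__":
    for font in sys.argv[1:]:
        print("%-24s %s" % (os.path.basename(font), triage_font(font)))
```

Invoked as, for instance, `python3 ft_triage.py sigsegv16.pfb sigabrt24.ttf`, it prints one line per sample with `pass`, `SIGSEGV`, `SIGABRT` or `error(N)`, which is the same classification the version table above uses. A SIGABRT rather than SIGSEGV usually means glibc's own heap checks fired, i.e. the bad write landed in mapped heap memory before it was noticed; that is the case worth rerunning under valgrind or an ASan build of FreeType to see where the out-of-bounds write happens, which is the question the report leaves open.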

Comment 4 Josh Bressers 2010-07-07 17:45:18 UTC
I'm going to close this bug and file individual bugs for each freetype flaw found (there are several).