Bug 623625 (CVE-2010-3311)
Summary: | CVE-2010-3311 freetype: Input stream position error by processing Compact Font Format (CFF) font files
---|---
Product: | [Other] Security Response
Component: | vulnerability
Reporter: | Jan Lieskovsky <jlieskov>
Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA
Severity: | high
Priority: | high
Version: | unspecified
CC: | bressers, huzaifas, jrusnack, kem, mkasik, security-response-team, yang.jie
Keywords: | Security
Hardware: | All
OS: | Linux
Doc Type: | Bug Fix
Last Closed: | 2015-06-05 06:35:33 UTC
Bug Depends On: | 638139, 638140, 638141, 638142, 638143, 638522, 638838, 638839, 806284
Description
Jan Lieskovsky
2010-08-12 10:44:13 UTC
Created freetype tracking bugs for this issue

Affects: fedora-all [bug 638522]

This issue has been addressed in following products:

Red Hat Enterprise Linux 3

Via RHSA-2010:0736 https://rhn.redhat.com/errata/RHSA-2010-0736.html

This issue has been addressed in following products:

Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2010:0737 https://rhn.redhat.com/errata/RHSA-2010-0737.html

This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2010:0864 https://rhn.redhat.com/errata/RHSA-2010-0864.html

(In reply to comment #0)
> Marc Schoenefeld found an input stream position error in the
> way FreeType font rendering engine processed input file streams.
> If a user loaded a specially-crafted font file with an application
> linked against FreeType and relevant font glyphs were subsequently
> rendered with the X FreeType library (libXft), it could cause the
> application to crash or, possibly execute arbitrary code (integer
> overflow leading to heap-based buffer overflow in the libXft library)
> with the privileges of the user running the application. Different
> vulnerability than CVE-2010-1797.
>
> Affected versions: freetype-2.3 and before that.
> Latest upstream version (2.4) is not affected

as patch file (don't seek behind stream (1.07 KB, patch) 2010-08-16 09:52 EDT, Marek Kašík ), version 2.4.x(x=1~4) should also be affected, Jan Lieskovsky, do you think so?

Hi,

(In reply to comment #38)
> as patch file (don't seek behind stream (1.07 KB, patch) 2010-08-16 09:52 EDT,
> Marek Kašík ), version 2.4.x(x=1~4) should also be affected, Jan Lieskovsky, do
> you think so?

The following upstream commit fixes this problem in freetype 2.4.x:

commit 75787c19eab20874c5d588842c52e59cfbd9302a
Author: Werner Lemberg <wl>
Date: Sat Jun 26 09:24:08 2010 +0200

Add some memory checks (mainly for debugging).

* src/base/ftstream.c (FT_Stream_EnterFrame): Exit with error
if the frame size is larger than the stream size.
* src/base/ftsystem.c (ft_ansi_stream_io): Exit with error if
seeking a position larger than the stream size.

(In reply to comment #39)
> Hi,
> (In reply to comment #38)
> > as patch file (don't seek behind stream (1.07 KB, patch) 2010-08-16 09:52 EDT,
> > Marek Kašík ), version 2.4.x(x=1~4) should also be affected, Jan Lieskovsky, do
> > you think so?
> The following upstream commit fixes this problem in freetype 2.4.x:
> commit 75787c19eab20874c5d588842c52e59cfbd9302a
> Author: Werner Lemberg <wl>
> Date: Sat Jun 26 09:24:08 2010 +0200
> Add some memory checks (mainly for debugging).
> * src/base/ftstream.c (FT_Stream_EnterFrame): Exit with error
> if the frame size is larger than the stream size.
> * src/base/ftsystem.c (ft_ansi_stream_io): Exit with error if
> seeking a position larger than the stream size.

thanks, Huzaifa.
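
The two checks named in the upstream commit message quoted in this thread (refuse a seek past the stream size, refuse a frame that does not fit in the stream), sketched in C as an added example. This is not FreeType's code: `mem_stream`, `stream_seek`, `stream_enter_frame`, `try_frame` and the sample bytes are hypothetical, and the frame check here compares against the bytes remaining, which is an assumption of this example rather than something the commit message states.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical in-memory stream; names are illustrative, not FreeType's. */
typedef struct {
    const unsigned char *base;      /* start of the font data        */
    size_t               size;      /* total bytes available         */
    size_t               pos;       /* read position, always <= size */
    const unsigned char *frame;     /* active frame, NULL when none  */
    size_t               frame_len; /* length of the active frame    */
} mem_stream;

enum { STREAM_OK = 0, STREAM_ERR_SEEK = 1, STREAM_ERR_FRAME = 2 };

/* Refuse any seek target beyond the end of the stream. */
int stream_seek(mem_stream *s, size_t pos)
{
    if (pos > s->size)
        return STREAM_ERR_SEEK;
    s->pos = pos;
    return STREAM_OK;
}

/* Open a frame; the bound is a subtraction so pos + count cannot wrap. */
int stream_enter_frame(mem_stream *s, size_t count)
{
    if (count > s->size - s->pos)
        return STREAM_ERR_FRAME;
    s->frame     = s->base + s->pos;
    s->frame_len = count;
    s->pos      += count;
    return STREAM_OK;
}

/* Constructed 8-byte sample standing in for font data. */
static const unsigned char SAMPLE[8] = { 1, 0, 4, 1, 0xAA, 0xBB, 0xCC, 0xDD };

/* Seek, then open a frame, on a fresh stream over SAMPLE. */
int try_frame(size_t seek_to, size_t count)
{
    mem_stream s = { SAMPLE, sizeof SAMPLE, 0, NULL, 0 };
    int err = stream_seek(&s, seek_to);
    return err ? err : stream_enter_frame(&s, count);
}

int main(void)
{
    printf("%d %d %d\n", try_frame(4, 4), try_frame(9, 0), try_frame(6, 4));
    return 0;
}
```

Because `pos` never exceeds `size`, the subtraction in `stream_enter_frame` cannot underflow, and a frame request near `SIZE_MAX` is rejected instead of wrapping past the bound.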