Bug 890088 (CVE-2012-5669)

Summary: CVE-2012-5669 freetype: heap buffer over-read in BDF parsing _bdf_parse_glyphs() (#37906)
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: ASSIGNED --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: behdad, erik-fedora, fedora-mingw, fonts-bugs, kevin, mkasik, rjones, sardella
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-03 05:20:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 903539, 903541, 903542, 903543, 903554, 903555    
Bug Blocks: 890078    

Description Huzaifa S. Sidhpurwala 2012-12-25 04:07:01 UTC 
An out-of heap-based buffer read flaw was found in the way FreeType font rendering engine performed parsing of glyph information and relevant bitmaps for glyph bitmap distribution format (BDF). A remote attacker could provide a specially-crafted BDF font file, which once opened in an application linked against FreeType would lead to that application crash.

Upstream bug:
https://savannah.nongnu.org/bugs/?37906
Patch: 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=07bdb6e289c7954e2a533039dc93c1c136099d2d

External References:

http://seclists.org/oss-sec/2012/q4/511
Comment 12 Huzaifa S. Sidhpurwala 2013-01-24 09:36:50 UTC 
This issue affects the version of freetype as shipped with Fedora-17 and Fedora-18.

This issue affects the version of mingw-freetype as shipped with Fedora-17 and Fedora-18.
Comment 13 Huzaifa S. Sidhpurwala 2013-01-24 09:44:28 UTC 
Further analyzing this issue, there seems to be an OOB write here. This flaw also affects Red Hat Enterprise Linux 5 and 6.
Comment 14 Huzaifa S. Sidhpurwala 2013-01-24 09:47:06 UTC 
Created freetype tracking bugs for this issue

Affects: fedora-all [bug 903554]
Comment 15 Huzaifa S. Sidhpurwala 2013-01-24 09:47:10 UTC 
Created mingw-freetype tracking bugs for this issue

Affects: fedora-all [bug 903555]
Comment 17 errata-xmlrpc 2013-01-31 21:37:30 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0216 https://rhn.redhat.com/errata/RHSA-2013-0216.html
Comment 18 Fedora Update System 2013-02-05 02:57:35 UTC 
freetype-2.4.10-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2013-02-12 05:13:57 UTC 
freetype-2.4.8-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.