Bug 890088 (CVE-2012-5669)

Summary: CVE-2012-5669 freetype: heap buffer over-read in BDF parsing _bdf_parse_glyphs() (#37906)
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: ASSIGNED --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: behdad, erik-fedora, fedora-mingw, fonts-bugs, jlieskov, kevin, lfarkas, mkasik, rjones, sardella
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20121215,reported=20121224,source=internet,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected,rhel-6/freetype=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-03 00:20:24 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 903539, 903541, 903542, 903543, 903554, 903555    
Bug Blocks: 890078    

Description Huzaifa S. Sidhpurwala 2012-12-24 23:07:01 EST
An out-of heap-based buffer read flaw was found in the way FreeType font rendering engine performed parsing of glyph information and relevant bitmaps for glyph bitmap distribution format (BDF). A remote attacker could provide a specially-crafted BDF font file, which once opened in an application linked against FreeType would lead to that application crash.

Upstream bug:
https://savannah.nongnu.org/bugs/?37906
Patch: 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=07bdb6e289c7954e2a533039dc93c1c136099d2d

External References:

http://seclists.org/oss-sec/2012/q4/511
Comment 12 Huzaifa S. Sidhpurwala 2013-01-24 04:36:50 EST
This issue affects the version of freetype as shipped with Fedora-17 and Fedora-18.

This issue affects the version of mingw-freetype as shipped with Fedora-17 and Fedora-18.
Comment 13 Huzaifa S. Sidhpurwala 2013-01-24 04:44:28 EST
Further analyzing this issue, there seems to be an OOB write here. This flaw also affects Red Hat Enterprise Linux 5 and 6.
Comment 14 Huzaifa S. Sidhpurwala 2013-01-24 04:47:06 EST
Created freetype tracking bugs for this issue

Affects: fedora-all [bug 903554]
Comment 15 Huzaifa S. Sidhpurwala 2013-01-24 04:47:10 EST
Created mingw-freetype tracking bugs for this issue

Affects: fedora-all [bug 903555]
Comment 17 errata-xmlrpc 2013-01-31 16:37:30 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0216 https://rhn.redhat.com/errata/RHSA-2013-0216.html
Comment 18 Fedora Update System 2013-02-04 21:57:35 EST
freetype-2.4.10-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2013-02-12 00:13:57 EST
freetype-2.4.8-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.