Bug 1074646 - (CVE-2014-2240, CVE-2014-2241) CVE-2014-2240 CVE-2014-2241 freetype: OOB stack-based read/write in cf2_hintmap_build()
CVE-2014-2240 CVE-2014-2241 freetype: OOB stack-based read/write in cf2_hintm...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20140307,repo...
: Security
Depends On: 1074647 1074648 1074649
Blocks:
  Show dependency treegraph
 
Reported: 2014-03-10 14:12 EDT by Vincent Danen
Modified: 2015-01-29 06:43 EST (History)
12 users (show)

See Also:
Fixed In Version: freetype 2.5.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 14:54:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2014-03-10 14:12:34 EDT
It was reported [1] that Freetype suffers from an out-of-bounds stack-based read/write flaw in cf2_hintmap_build().

This new CFF handling code was introduced in Freetype 2.4.12 (new Type 2 interpreter and hinter); earlier versions are not affected.  This is fixed in 2.5.3 [2].

Two CVEs were noted in the upstream bug [3], and according the oss-security post they correlate to commits as follows:

CVE-2014-2240: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0eae6eb0645264c98812f0095e0f5df4541830e6
CVE-2014-2241: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=135c3faebb96f8f550bd4f318716f2e1e095a969

(there seems to be some possibility that CVE-2014-2241 was unncessarily filed, however)


[1] http://openwall.com/lists/oss-security/2014/03/10/2
[2] http://sourceforge.net/projects/freetype/files/freetype2/2.5.3/
[3] https://savannah.nongnu.org/bugs/?41697


Statement:

Not vulnerable. This issue did not affect the versions of freetype as shipped with Red Hat Enterprise Linux 5, 6 and 7.
Comment 1 Vincent Danen 2014-03-10 14:14:20 EDT
Created freetype tracking bugs for this issue:

Affects: fedora-20 [bug 1074647]
Comment 2 Vincent Danen 2014-03-10 14:14:24 EDT
Created mingw-freetype tracking bugs for this issue:

Affects: fedora-20 [bug 1074648]
Affects: fedora-19 [bug 1074649]
Comment 4 Vincent Danen 2014-06-13 14:54:17 EDT
This is currently fixed in:

mingw-freetype-2.5.0.1-2.fc20
mingw-freetype-2.4.12-3.fc19
freetype-2.5.0-5.fc20
Comment 5 Kevin Kofler 2014-06-13 21:11:53 EDT
And for anybody who might want to know, this is also fixed in:
freetype-freeworld-2.5.0.1-4.fc20
in that well-known third-party repository.

Note You need to log in before you can comment on or make changes to this bug.