Bug 1074646 (CVE-2014-2240, CVE-2014-2241) - CVE-2014-2240 CVE-2014-2241 freetype: OOB stack-based read/write in cf2_hintmap_build()
Summary: CVE-2014-2240 CVE-2014-2241 freetype: OOB stack-based read/write in cf2_hintm...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-2240, CVE-2014-2241
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1074647 1074648 1074649
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-03-10 18:12 UTC by Vincent Danen
Modified: 2019-09-29 13:14 UTC (History)
12 users (show)

Fixed In Version: freetype 2.5.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 18:54:17 UTC


Attachments (Terms of Use)

Description Vincent Danen 2014-03-10 18:12:34 UTC
It was reported [1] that Freetype suffers from an out-of-bounds stack-based read/write flaw in cf2_hintmap_build().

This new CFF handling code was introduced in Freetype 2.4.12 (new Type 2 interpreter and hinter); earlier versions are not affected.  This is fixed in 2.5.3 [2].

Two CVEs were noted in the upstream bug [3], and according the oss-security post they correlate to commits as follows:

CVE-2014-2240: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0eae6eb0645264c98812f0095e0f5df4541830e6
CVE-2014-2241: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=135c3faebb96f8f550bd4f318716f2e1e095a969

(there seems to be some possibility that CVE-2014-2241 was unncessarily filed, however)


[1] http://openwall.com/lists/oss-security/2014/03/10/2
[2] http://sourceforge.net/projects/freetype/files/freetype2/2.5.3/
[3] https://savannah.nongnu.org/bugs/?41697


Statement:

Not vulnerable. This issue did not affect the versions of freetype as shipped with Red Hat Enterprise Linux 5, 6 and 7.

Comment 1 Vincent Danen 2014-03-10 18:14:20 UTC
Created freetype tracking bugs for this issue:

Affects: fedora-20 [bug 1074647]

Comment 2 Vincent Danen 2014-03-10 18:14:24 UTC
Created mingw-freetype tracking bugs for this issue:

Affects: fedora-20 [bug 1074648]
Affects: fedora-19 [bug 1074649]

Comment 4 Vincent Danen 2014-06-13 18:54:17 UTC
This is currently fixed in:

mingw-freetype-2.5.0.1-2.fc20
mingw-freetype-2.4.12-3.fc19
freetype-2.5.0-5.fc20

Comment 5 Kevin Kofler 2014-06-14 01:11:53 UTC
And for anybody who might want to know, this is also fixed in:
freetype-freeworld-2.5.0.1-4.fc20
in that well-known third-party repository.


Note You need to log in before you can comment on or make changes to this bug.