It was reported [1] that Freetype before 2.5.4 suffers from an out-of-bounds stack-based read/write flaw in cf2_hintmap_build() in the CFF rasterizing code, which could lead to a buffer overflow. This is due to an incomplete fix for CVE-2014-2240. Upstream patch is at [2] Upstream bug with some additional info is at [3]. This new CFF handling code was introduced in Freetype 2.4.12 (new Type 2 interpreter and hinter); earlier versions are not affected. This is fixed in 2.5.4 [4]. [1]: https://bugs.mageia.org/show_bug.cgi?id=14771 [2]: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0eae6eb0645264c98812f0095e0f5df4541830e6 [3]: http://savannah.nongnu.org/bugs/?43661 [4]: http://sourceforge.net/projects/freetype/files/freetype2/2.5.4/ Statement: Not vulnerable. This issue did not affect the versions of freetype as shipped with Red Hat Enterprise Linux 5, 6 and 7.
Created freetype tracking bugs for this issue: Affects: fedora-20 [bug 1172634]
Created mingw-freetype tracking bugs for this issue: Affects: fedora-20 [bug 1172635] Affects: fedora-19 [bug 1172636]
Shouldn't we use the patch from http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=2cdc4562f873237f1c77d43540537c7a721d3fd8 instead of the [2]? Also, according to the mentioned versions, we should probably fix it in Fedora 21 too.
(In reply to Marek Kašík from comment #3) > Shouldn't we use the patch from > http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/ > ?id=2cdc4562f873237f1c77d43540537c7a721d3fd8 instead of the [2]? > Also, according to the mentioned versions, we should probably fix it in > Fedora 21 too. As well as this one, yes: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f89396cb6284954ff98b5dcbfc38e144deccdc83 The one linked in [2] is the original incomplete fix from before.
(In reply to David Walser from comment #4) > (In reply to Marek Kašík from comment #3) > > Shouldn't we use the patch from > > http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/ > > ?id=2cdc4562f873237f1c77d43540537c7a721d3fd8 instead of the [2]? > > Also, according to the mentioned versions, we should probably fix it in > > Fedora 21 too. > > As well as this one, yes: > http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/ > ?id=f89396cb6284954ff98b5dcbfc38e144deccdc83 Thank you for pointing me to this commit. I've updated the update. > The one linked in [2] is the original incomplete fix from before.
You're welcome. Just FYI, you meant to add a link to Bug 1172634 in the SPEC file, but you accidentally put bugs.gnome.org instead of bugzilla.redhat.com.
(In reply to David Walser from comment #6) > You're welcome. Just FYI, you meant to add a link to Bug 1172634 in the > SPEC file, but you accidentally put bugs.gnome.org instead of > bugzilla.redhat.com. Thanks, fixed.
freetype-2.5.3-13.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
freetype-2.5.0-7.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.