Bug 1191094 - (CVE-2014-9671) CVE-2014-9671 freetype: integer overflow in pcf_get_properties() leading to NULL pointer dereference
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20141124,reported=2...
Keywords: Security
Depends On: 1191099 1197737 1197738 1197739 1197740
Blocks: 1191102
Reported: 2015-02-10 07:52 EST by Vasyl Kaigorodov
Modified: 2015-11-25 05:29 EST (History)
See Also:
Fixed In Version: freetype 2.5.4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-18 03:40:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0696 normal SHIPPED_LIVE Important: freetype security update 2015-03-17 17:58:07 EDT

Description Vasyl Kaigorodov 2015-02-10 07:52:36 EST
Common Vulnerabilities and Exposures assigned CVE-2014-9671 to the following issue:

Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType
before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via a crafted PCF file with a 0xffffffff size
value that is improperly incremented.

http://code.google.com/p/google-security-research/issues/detail?id=157
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0e2f5d518c60e2978f26400d110eff178fa7e3c3
Comment 1 Tomas Hoger 2015-02-23 09:53:04 EST
Upstream bug is:
https://savannah.nongnu.org/bugs/?43547

Issue was fixed upstream in 2.5.4.

This is an integer overflow issue, rather than off-by-one.  A string_size value is read from the input font file.  If the value 0xffffffff is used and 1 is later added to it when FT_NEW_ARRAY() is called to allocate the strings[] buffer, the addition overflows (32-bit overflow) and leads to an attempt to allocate a zero-sized buffer.  FreeType memory allocation functions return NULL in that case, which leads to a crash when the buffer is populated later.

Note that this issue was introduced by the CVE-2012-1130 fix (see bug 800587) in the following commit:

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c776fc17
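The following C program is an added illustration of the arithmetic described in comment 1; it is not FreeType code and does not reproduce the upstream fix. It models a 32-bit string_size read from an untrusted PCF file, shows that the unchecked `string_size + 1` wraps to 0 for 0xffffffff, and contrasts it with a checked length computation that rejects the value before any allocation. `pcf_like_alloc`, `MAX_STRINGS_SIZE`, `load_strings` and the result codes are constructed for this example; the allocator stand-in only mimics the NULL-on-zero-size behaviour the comment describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in allocator (hypothetical): like the behaviour described in the bug,
 * a zero-sized request yields NULL instead of a usable buffer. */
static void *pcf_like_alloc(size_t n)
{
    return n == 0 ? NULL : malloc(n);
}

/* Unchecked 32-bit arithmetic: for string_size == 0xffffffff the sum wraps
 * to 0, which is the root cause described in the comment above. */
uint32_t unchecked_strings_len(uint32_t string_size)
{
    return string_size + 1;
}

/* Constructed upper bound on the strings table; a real loader would pick a
 * limit derived from the file's own size or table layout. */
#define MAX_STRINGS_SIZE (16u * 1024u * 1024u)

/* Hardened variant: reject any string_size whose +1 would wrap, and any
 * value above the cap. Returns 1 and stores the length on success, 0 on
 * rejection, so the caller never reaches the allocator with a bad size. */
int checked_strings_len(uint32_t string_size, size_t *out_len)
{
    if (string_size > UINT32_MAX - 1 || string_size > MAX_STRINGS_SIZE)
        return 0;
    *out_len = (size_t)string_size + 1;
    return 1;
}

/* Result codes for the simulated load step. */
enum { LOAD_OK = 0, LOAD_REJECTED = 1, LOAD_NULL_BUFFER = 2 };

/* Simulated loader. With use_check == 0 it follows the unchecked path; a
 * NULL buffer is reported instead of being written through (which is where
 * the original code would crash). With use_check != 0 the size is validated
 * first and the bad input never reaches the allocator. */
int load_strings(uint32_t string_size, int use_check)
{
    size_t len;
    char *strings;

    if (use_check) {
        if (!checked_strings_len(string_size, &len))
            return LOAD_REJECTED;
    } else {
        len = unchecked_strings_len(string_size);
    }

    strings = pcf_like_alloc(len);
    if (strings == NULL)
        return LOAD_NULL_BUFFER;   /* unchecked code would populate this NULL buffer */

    memset(strings, 0, len);       /* stand-in for copying string data from the file */
    free(strings);
    return LOAD_OK;
}
```

Running `load_strings(0xffffffffu, 0)` reaches the allocator with length 0 and reports the NULL buffer; `load_strings(0xffffffffu, 1)` is rejected before allocation, and an ordinary size such as 100 loads on either path. The general lesson is to validate a file-supplied count before doing arithmetic on it, not after the allocation fails.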
Comment 4 Tomas Hoger 2015-02-24 09:25:59 EST
The fix for this issue was found to introduce a regression that prevented loading of certain PCF fonts.  Upstream bug and fix:

https://savannah.nongnu.org/bugs/?43774
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=74af85c4b62b35e55b0ce9dec55ee10cbc4962a2
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=06842c7b49c21f13c0ab61201daab6ff5a358fcc

Reported for Fedora in bug 1195652.
Comment 6 errata-xmlrpc 2015-03-17 13:59:14 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2015:0696 https://rhn.redhat.com/errata/RHSA-2015-0696.html
