Bug 190593 - CVE-2006-1861 freetype multiple integer overflows (CVE-2006-3467)
Summary: CVE-2006-1861 freetype multiple integer overflows (CVE-2006-3467)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: freetype
Version: 4.0
Hardware: All
OS: Linux
high
high
Target Milestone: ---
: ---
Assignee: Carl Worth (Ampere)
QA Contact: Brock Organ
URL:
Whiteboard: source=vendorsec,reported=20060305,im...
Duplicates: 190693
Depends On:
Blocks:
Reported: 2006-05-03 19:36 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2006-0500
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-07-18 10:05:19 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch for issue #2 (2.70 KB, patch) - 2006-05-03 19:41 UTC, Josh Bressers
Patch for issue #3 (908 bytes, patch) - 2006-05-03 19:41 UTC, Josh Bressers
Patch for issue #4 (4.38 KB, patch) - 2006-05-03 19:42 UTC, Josh Bressers
Fix for issue #6 (1.19 KB, patch) - 2006-05-03 19:43 UTC, Josh Bressers
Fix for a minor DoS issue (897 bytes, patch) - 2006-05-03 20:22 UTC, Josh Bressers


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0500 0 normal SHIPPED_LIVE Moderate: freetype security update 2006-07-18 04:00:00 UTC

Description Josh Bressers 2006-05-03 19:36:46 UTC
Several integer overflow bugs in freetype have been fixed in CVS.  The details
are below.

The descriptions are the CVS commit messages.  The patch for each particular
comment is keyed off its # identifier.

* Integer overflow

    #2
    * src/bdf/bdflib.c (ERRMSG4): New macro.
      (_bdf_parse_glyphs): Handle invalid BBX values.
    * include/freetype/fterrdef.h (FT_Err_Bbx_Too_Big): New error
      macro.

    #3
    * src/sfnt/ttcmap.c (tt_face_build_cmaps): Handle invalid offset
    correctly.

    #4
    * src/cff/cfftypes.h (CFF_CharsetRec): Add `max_cid' member.
    * src/cff/cffload.c (cff_charset_load): Set `charset->max_cid'.
    * src/cff/cffgload.c (cff_slot_load): Change type of third parameter
    to `FT_UInt'.
    Check range of `glyph_index'.
    * src/cff/cffgload.h: Updated.

    #6
    * src/bdf/bdflib.c: fixed a problem with large encodings.
    Again, this patch comes from Debian libfreetype6 for 2.1.10 !

Comment 1 Josh Bressers 2006-05-03 19:41:14 UTC
Created attachment 128558 [details]
Patch for issue #2

Comment 2 Josh Bressers 2006-05-03 19:41:46 UTC
Created attachment 128559 [details]
Patch for issue #3

Comment 3 Josh Bressers 2006-05-03 19:42:52 UTC
Created attachment 128561 [details]
Patch for issue #4

Comment 4 Josh Bressers 2006-05-03 19:43:45 UTC
Created attachment 128562 [details]
Fix for issue #6

Comment 5 Josh Bressers 2006-05-03 19:48:04 UTC
These issues should also affect RHEL3 and RHEL2.1

Comment 6 Josh Bressers 2006-05-03 20:22:20 UTC
Created attachment 128565 [details]
Fix for a minor DoS issue

Here is a patch for a minor DoS issue as well.  It doesn't have a CVE id (it
may get one, but probably doesn't deserve one).  Please fix it when applying
the above patches.

Comment 7 Josh Bressers 2006-05-04 16:42:47 UTC
*** Bug 190693 has been marked as a duplicate of this bug. ***

Comment 8 Josh Bressers 2006-05-04 16:44:26 UTC
Bug 190693 has been marked a duplicate of this bug as it contains the patch for
additional integer overflows which are covered by CVE-2006-1861.



Upstream has fixed a number of potential integer overflows when allocating
memory by modifying how memory is now allocated.

The patch taken from CVS, then cleaned up, is very large.  I don't know the source
well enough to determine how much of this is needed for our packages.

Attachment 128606 [details] is a patch extracted from upstream CVS


Comment 9 Matthew Barnes 2006-05-05 21:30:33 UTC
RHEL 3 and RHEL 4 packages are built, will do RHEL 2.1 next week.

Comment 10 Matthew Barnes 2006-05-10 19:19:10 UTC
RHEL 2.1 packages are built.

Comment 13 Josh Bressers 2006-05-15 17:56:31 UTC
Lifting embargo

Comment 15 Tobias Sandhaas 2006-07-17 09:16:20 UTC
I am eagerly waiting for an advisory and rpm packages for this (and other) severe
issue with freetype.
Is there a reason to delay the release?

Comment 16 Mark J. Cox 2006-07-17 14:55:20 UTC
Tobias; updated packages are likely to be pushed this week once QA is
completed.  They were delayed whilst we dealt with other issues that were of a
higher security severity.

Comment 17 Mark J. Cox 2006-07-18 09:37:29 UTC
Our maintainer whilst building the packages for CVE-2006-1861 noticed that the
upstream patch seemed to be insufficient to correct bad1.pcf from the test
suite.  He corrected it.  Since other vendors have already released updates we
need a new CVE name for this issue, CVE-2006-3467.  vendor-sec notified yesterday.

Comment 18 Red Hat Bugzilla 2006-07-18 10:05:19 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0500.html
