An invalid free() flaw was found in the way FreeType processes PFB font files. The advisory states: The vulnerability exists within the code responsible for parsing Printer Font Binary (PFB) format font files. By providing an invalid 'number of axes' in the file, it is possible to cause the code to call the free() function on areas of memory that were not dynamically allocated. This can lead to memory corruption, which can allow for the execution of arbitrary code.
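The bug class described in the advisory text above, as an added example (not FreeType's code and not part of the original report): a count read from the file is checked against the capacity of a fixed-size table before use, and cleanup is bounded by that capacity rather than by the file's value. The record layout and the names blend_t, blend_parse, blend_free and MAX_AXES are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_AXES 4  /* assumed fixed capacity of the per-font axis table */

typedef struct {
    int   num_axes;             /* count taken from the font file */
    char *axis_names[MAX_AXES]; /* each slot is heap-allocated or NULL */
} blend_t;

/* Parse a constructed record: byte 0 = number of axes, then one
 * NUL-terminated name per axis. Returns 0 on success, -1 on bad input. */
int blend_parse(blend_t *b, const unsigned char *buf, size_t len)
{
    memset(b, 0, sizeof *b);
    if (len < 1) return -1;
    int n = buf[0];
    /* The check whose absence causes the flaw: reject counts that do not
     * fit the table before storing them or using them as a loop bound. */
    if (n <= 0 || n > MAX_AXES)
        return -1;
    size_t off = 1;
    for (int i = 0; i < n; i++) {
        const unsigned char *end = memchr(buf + off, 0, len - off);
        if (end == NULL)
            return -1;  /* truncated name; num_axes is still 0 here */
        size_t sz = (size_t)(end - (buf + off)) + 1;
        b->axis_names[i] = malloc(sz);
        if (b->axis_names[i] == NULL)
            return -1;
        memcpy(b->axis_names[i], buf + off, sz);
        off += sz;
    }
    b->num_axes = n;  /* committed only after every slot is valid */
    return 0;
}

/* Cleanup walks the table's real capacity, never the file's count, so a
 * bad count cannot make free() touch memory outside axis_names[].
 * Returns how many slots actually held an allocation. */
int blend_free(blend_t *b)
{
    int freed = 0;
    for (int i = 0; i < MAX_AXES; i++) {
        if (b->axis_names[i] != NULL) freed++;
        free(b->axis_names[i]);  /* free(NULL) is a no-op */
        b->axis_names[i] = NULL;
    }
    b->num_axes = 0;
    return freed;
}
```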
attachment 308965 is the patch extracted from upstream CVS.
This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808.
(In reply to comment #1)
> attachment 308965 is the patch extracted from upstream CVS
>
> This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and
> CVE-2008-1808

Thanks, I've backported the applicable parts to freetype1 (they didn't all apply as freetype2 supports more fontfile formats than freetype1).
I've built a new freetype1 with these fixes in for F-8 F-9 and devel. I don't know what to exactly put in bodhi for this with regards to bug references, CVEs etc. So I could use some help getting this in bodhi.
Here are the F-8 and F-9 builds:
http://koji.fedoraproject.org/koji/buildinfo?buildID=52635
http://koji.fedoraproject.org/koji/buildinfo?buildID=52634
(In reply to comment #4)
> I've built a new freetype1 with these fixes in for F-8 F-9 and devel. I don't
> know what to exactly put in bodhi for this with regards to bug references,
> CVEs etc. So I could use some help getting this in bodhi.

Does freetype 1.x support PFB font format? I tried some utils from freetype1-utils and none of them seemed to be willing to read good .pfb files I managed to find on my system.
(In reply to comment #5)
> (In reply to comment #4)
> > I've built a new freetype1 with these fixes in for F-8 F-9 and devel. I don't
> > know what to exactly put in bodhi for this with regards to bug references,
> > CVEs etc. So I could use some help getting this in bodhi.
>
> Does freetype 1.x support PFB font format? I tried some utils from
> freetype1-utils and none of them seemed to be willing to read good .pfb files I
> managed to find on my system.

freetype1 does not support the PFB font format, nor the type1 format. I only backported the generic / truetype parts of the patch given here, as there is nothing to backport the rest to.
freetype-2.3.5-4.fc8 has been submitted as an update for Fedora 8
freetype-2.3.5-6.fc9 has been submitted as an update for Fedora 9
freetype-2.3.5-6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
freetype-2.3.5-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Hi All,
I see that an update for this for freetype2 has been released, good! I still need to push the freetype1 builds fixing some of the same issues through bodhi. But I need some help to know what (and which CVEs) to put in bodhi.
I know that not all issues apply to freetype1 due to it not having support for bdf and type1 fonts, still some parts of the patch provided here did apply to freetype1 (and more than just the BCI fix).
I'll attach the backported patch here, and hope that some of you can shed some light on this. I cannot find out what to put in the advisory myself, as the parts of the patch that have been backported do not seem to match any of the CVE descriptions.
Created attachment 309698
freetype2 security fixes backported to freetype1
Hans,
The only CVE that applies to FreeType 1 only matters if compiling with the patented byte-code interpreter. Your backported patch fixes that. I already used your patch (got it from CVS) for RHEL2.1 freetype 1 and the RH security team was happy.
Hans, moving this discussion to the bug for CVE-2008-1808, as it better fits there. For reply, see: https://bugzilla.redhat.com/show_bug.cgi?id=450774#c13
This issue was addressed in:
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0558.html
http://rhn.redhat.com/errata/RHSA-2008-0556.html
Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-5430
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5425