Bug 450773 - (CVE-2008-1807) CVE-2008-1807 FreeType invalid free() flaw
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
http://labs.idefense.com/intelligence...
source=internet,public=20080610,repor...
Depends On: 450905 450906 450908 450909 450910 450911 451212 451213 806288
Reported: 2008-06-10 17:07 EDT by Josh Bressers
Modified: 2012-03-23 07:39 EDT
Doc Type: Bug Fix
Last Closed: 2008-07-21 05:32:23 EDT
Attachments
freetype2 security fixes backported to freetype1 (2.53 KB, patch)
2008-06-18 02:56 EDT, Hans de Goede

Description Josh Bressers 2008-06-10 17:07:21 EDT
An invalid free() flaw was found in the way FreeType processes PFB font files.

The advisory states:
    The vulnerability exists within the code responsible for parsing Printer Font 
    Binary (PFB) format font files. By providing an invalid 'number of axes' in 
    the file, it is possible to cause the code to call the free() function on 
    areas of memory that were not dynamically allocated. This can lead to memory 
    corruption, which can allow for the execution of arbitrary code.
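
The bug class the advisory describes, shown from the defensive side as an added example (not FreeType's code and not part of this bug report): a loader that validates the file's "number of axes" before using it, so that cleanup can only free() pointers it allocated itself. `blend_t`, `blend_load`, `blend_release` and `MAX_AXES` are hypothetical names, and the axis names are constructed sample input.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_AXES 4   /* hypothetical fixed table size */

typedef struct {
    unsigned num_axes;             /* validated count */
    char    *axis_names[MAX_AXES]; /* heap strings, NULL when unused */
} blend_t;

/* Free only slots this code allocated; the bound is clamped so a bad
 * count can never hand free() a pointer from outside the table. */
static void blend_release(blend_t *b)
{
    unsigned n = b->num_axes > MAX_AXES ? MAX_AXES : b->num_axes;
    for (unsigned i = 0; i < n; i++) {
        free(b->axis_names[i]);    /* free(NULL) is a no-op */
        b->axis_names[i] = NULL;
    }
    b->num_axes = 0;
}

/* `count` is the untrusted "number of axes" field, kept signed so a
 * negative value is rejected rather than wrapped. 0 = ok, -1 = rejected. */
static int blend_load(blend_t *b, long count, const char *const *names)
{
    *b = (blend_t){0};             /* every slot starts as NULL */
    if (count <= 0 || count > MAX_AXES)
        return -1;                 /* reject before anything is stored */
    for (long i = 0; i < count; i++) {
        size_t len = strlen(names[i]) + 1;
        char *copy = malloc(len);
        if (copy == NULL) {
            blend_release(b);      /* frees only the slots filled so far */
            return -1;
        }
        memcpy(copy, names[i], len);
        b->axis_names[i] = copy;
        b->num_axes = (unsigned)i + 1;
    }
    return 0;
}

int main(void)
{
    blend_t b;
    const char *names[] = { "Weight", "Width" };  /* constructed sample */
    int ok = blend_load(&b, 2, names);            /* accepted */
    blend_release(&b);
    return (ok == 0 && blend_load(&b, 70000, names) == -1) ? 0 : 1;
}
```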
Comment 1 Josh Bressers 2008-06-11 13:26:16 EDT
attachment 308965 is the patch extracted from upstream CVS

This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and
CVE-2008-1808
Comment 4 Hans de Goede 2008-06-14 05:27:40 EDT
(In reply to comment #1)
> attachment 308965 is the patch extracted from upstream CVS
> 
> This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and
> CVE-2008-1808

Thanks, I've backported the applicable parts to freetype1 (they didn't all apply
as freetype2 supports more font file formats than freetype1).

I've built a new freetype1 with these fixes in for F-8, F-9 and devel. I don't
know what to exactly put in bodhi for this with regard to bug references,
CVEs, etc. So I could use some help getting this in bodhi. Here are the F-8 and
F-9 builds:
http://koji.fedoraproject.org/koji/buildinfo?buildID=52635
http://koji.fedoraproject.org/koji/buildinfo?buildID=52634
Comment 5 Tomas Hoger 2008-06-16 11:55:00 EDT
(In reply to comment #4)
> I've built a new freetype1 with these fixes in for F-8, F-9 and devel. I don't
> know what to exactly put in bodhi for this with regard to bug references,
> CVEs, etc. So I could use some help getting this in bodhi.

Does freetype 1.x support PFB font format?  I tried some utils from
freetype1-utils and none of them seemed to be willing to read good .pfb files I
managed to find on my system.

Comment 6 Hans de Goede 2008-06-16 13:55:48 EDT
(In reply to comment #5)
> (In reply to comment #4)
> > I've built a new freetype1 with these fixes in for F-8, F-9 and devel. I don't
> > know what to exactly put in bodhi for this with regard to bug references,
> > CVEs, etc. So I could use some help getting this in bodhi.
> 
> Does freetype 1.x support PFB font format?  I tried some utils from
> freetype1-utils and none of them seemed to be willing to read good .pfb files I
> managed to find on my system.

freetype1 does not support the PFB font format, nor the type1 format. I only
backported the generic / truetype parts of the patch given here, as there is
nothing to backport the rest to.

Comment 8 Fedora Update System 2008-06-17 05:43:49 EDT
freetype-2.3.5-4.fc8 has been submitted as an update for Fedora 8
Comment 9 Fedora Update System 2008-06-17 05:44:19 EDT
freetype-2.3.5-6.fc9 has been submitted as an update for Fedora 9
Comment 10 Fedora Update System 2008-06-17 23:15:16 EDT
freetype-2.3.5-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-06-17 23:15:41 EDT
freetype-2.3.5-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Hans de Goede 2008-06-18 02:55:28 EDT
Hi All,

I see that an update for this for freetype2 has been released, good! I still
need to push the freetype1 builds fixing some of the same issues through bodhi.

But I need some help to know what (and which CVEs) to put in bodhi.

I know that not all issues apply to freetype1 due to it not having support for
bdf and type1 fonts, still some parts of the patch provided here did apply to
freetype1 (and more than just the BCI fix).

I'll attach the backported patch here, and hope that some of you can shed some
light on this. I cannot find out what to put in the advisory myself, as the
parts of the patch that have been backported do not seem to match any of the CVE
descriptions.
Comment 13 Hans de Goede 2008-06-18 02:56:49 EDT
Created attachment 309698
freetype2 security fixes backported to freetype1
Comment 14 Behdad Esfahbod 2008-06-18 03:13:19 EDT
Hans,

The only CVE that applies to FreeType 1 only matters if compiling with patented
byte-code interpreter.  Your backported patch fixes that.  I already used your
patch (got it from CVS) for RHEL2.1 freetype 1 and RH security team was happy.
Comment 15 Tomas Hoger 2008-06-18 03:21:26 EDT
Hans, moving this discussion to the bug for CVE-2008-1808, as it better fits
there.  For reply, see:

https://bugzilla.redhat.com/show_bug.cgi?id=450774#c13
