Bug 450774 (CVE-2008-1808) - CVE-2008-1808 FreeType off-by-one flaws
Summary: CVE-2008-1808 FreeType off-by-one flaws
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1808
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://labs.idefense.com/intelligence...
Whiteboard:
Depends On: 450905 450906 450908 450909 450910 450911 451212 451213 484442 484443 484444 806288
Blocks:
Reported: 2008-06-10 21:15 UTC by Josh Bressers
Modified: 2019-09-29 12:24 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-21 09:32:39 UTC
Embargoed:


Attachments
patch for freetype1 (2.53 KB, patch), 2009-04-16 17:20 UTC, Vincent Danen


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0556 0 normal SHIPPED_LIVE Important: freetype security update 2008-06-25 11:39:47 UTC
Red Hat Product Errata RHSA-2008:0558 0 normal SHIPPED_LIVE Important: freetype security update 2008-06-25 11:24:52 UTC
Red Hat Product Errata RHSA-2009:0329 0 normal SHIPPED_LIVE Important: freetype security update 2009-05-22 12:21:55 UTC

Description Josh Bressers 2008-06-10 21:15:43 UTC
Two off-by-one flaws were found in the way FreeType parses PFB and TTF fonts.

The advisory states:
    The first vulnerability occurs when parsing Printer Font Binary (PFB)
    format font files. PFB files contain various data structures, some of
    which are stored in a tabular format. When parsing tables, the code
    doesn't correctly validate a value used as an array index into a heap
    buffer.  The calculation contains an off-by-one error, which can result in
    a heap overflow.

    The second vulnerability occurs when parsing TrueType Font (TTF) font
    files. TrueType font files contain "font programs" that are executed in a
    TrueType virtual machine. One of the instructions in the instruction set
    is 'SHC', which is used to shift a contour in the font by a specified
    value.  When parsing this instruction, the code doesn't correctly validate
    an array index, which leads to an off-by-one heap overflow.
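
As an added example (not FreeType's code and not from the advisory), the C below models the SHC-style index check the advisory describes: a `>` test that lets an index equal to the point count through, beside a `BOUNDS`-style `>=` test that refuses it. The `Zone` struct, the `BOUNDS` macro and `shift_contour` are simplified stand-ins, not the library's types or functions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a glyph zone: n_points points, valid indices 0..n_points-1. */
#define MAX_POINTS 8
typedef struct { int32_t x[MAX_POINTS]; uint16_t n_points; } Zone;

/* Hypothetical BOUNDS macro modelled on the one in the fix: index x is out of
   bounds when x >= count y; the unsigned cast also rejects negative indices. */
#define BOUNDS(x, y) ((uint32_t)(x) >= (uint32_t)(y))

/* Pre-fix style check: '>' lets last_point == n_points through, i.e. one past
   the last valid index. Returns 1 when the check would accept last_point. */
static int accepts_vulnerable(uint16_t n_points, int32_t last_point)
{
    return !(last_point > n_points);
}

/* Post-fix style check using BOUNDS: rejects last_point >= n_points. */
static int accepts_fixed(uint16_t n_points, int32_t last_point)
{
    return !BOUNDS(last_point, n_points);
}

/* SHC-like shift of points first_point..last_point by dx, guarded by BOUNDS on
   both ends. Returns 0 on success, -1 if either index is outside the zone. */
static int shift_contour(Zone *z, int32_t first_point, int32_t last_point, int32_t dx)
{
    if (BOUNDS(first_point, z->n_points) || BOUNDS(last_point, z->n_points) ||
        first_point > last_point)
        return -1;
    for (int32_t i = first_point; i <= last_point; i++)
        z->x[i] += dx;
    return 0;
}

/* Worked case on a 4-point zone: a valid shift succeeds, and last_point == 4
   (one past the end) is refused before any write. Returns 1 if both hold. */
static int demo_rejects_one_past_end(void)
{
    Zone z;
    memset(&z, 0, sizeof z);
    z.n_points = 4;
    if (shift_contour(&z, 1, 3, 5) != 0 || z.x[3] != 5 || z.x[0] != 0) return 0;
    if (shift_contour(&z, 0, 4, 5) != -1 || z.x[4] != 0) return 0;
    return 1;
}
```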

Comment 1 Josh Bressers 2008-06-11 17:26:14 UTC
attachment 308965 [details] is the patch extracted from upstream CVS

This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and
CVE-2008-1808

Comment 5 Fedora Update System 2008-06-17 09:43:43 UTC
freetype-2.3.5-4.fc8 has been submitted as an update for Fedora 8

Comment 6 Fedora Update System 2008-06-17 09:44:16 UTC
freetype-2.3.5-6.fc9 has been submitted as an update for Fedora 9

Comment 7 Tomas Hoger 2008-06-17 10:01:25 UTC
The TTF issue affects the TTF virtual machine byte code interpreter (BCI).  This
interpreter is disabled by default on freetype 2.x (libtruetype) due to patent
issues as described on the upstream web page:

  http://www.freetype.org/patents.html

All Red Hat Enterprise Linux and Fedora freetype 2.x versions have BCI disabled
and are not affected by the TTF part of CVE-2008-1808.  Only custom rebuilds
with BCI enabled may possibly be affected.

Freetype 1.x (libttf) does enable BCI by default, but it is explicitly disabled in
freetype packages on Red Hat Enterprise Linux 3 and 4 and in freetype1 packages
in all Fedora versions (via freetype-1.4-disable-ft1-bci.patch).

Red Hat Enterprise Linux 5 does not ship the freetype 1.x library.  Freetype 1.x on
Red Hat Enterprise Linux 2.1 is built with BCI enabled.


Comment 8 Kevin Kofler 2008-06-17 16:47:59 UTC
On the other hand, freetype-freeworld in a popular third-party repository is
also affected by the BCI issue, in addition to the issues also affecting the
Fedora freetype package. A fixed freetype-freeworld will be built in that
repository as soon as possible.

Comment 9 Tomas Hoger 2008-06-17 17:00:59 UTC
The patch applied to Fedora packages does include the TTF BCI part of the fix, so
rebuilds with BCI enabled should be safe.

Comment 11 Fedora Update System 2008-06-18 03:15:11 UTC
freetype-2.3.5-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2008-06-18 03:15:31 UTC
freetype-2.3.5-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Tomas Hoger 2008-06-18 07:19:44 UTC
In reply to https://bugzilla.redhat.com/show_bug.cgi?id=450773#c12 :

The only part of the upstream patch that should be related to the .ttf issue covered
by this CVE id is:

-    if ( last_point > CUR.zp2.n_points )
+    if ( BOUNDS ( last_point , CUR.zp2.n_points ) )
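Review bot: the old condition `last_point > CUR.zp2.n_points` accepts `last_point == CUR.zp2.n_points`, which is one past the last valid point index (points run 0..n_points-1), so this is the off-by-one the advisory describes; `BOUNDS ( last_point , CUR.zp2.n_points )` only closes it if the macro compares with `>=`, which these two lines do not show, so the backport's changelog should state the macro's definition (and whether its comparison also rejects an index below zero) so reviewers can confirm the replacement is strictly tighter than the original.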

The maxTwilightPoints check does not seem directly related and was probably added as
an additional sanity check.

As the .pfb format is not supported by freetype1, we should ideally try to avoid
mentioning CVE-2008-1806 and CVE-2008-1807 in the freetype1 RPM changelog.

As for the bodhi update request, we do not need to submit updated freetype1 packages
as a security update, as (binary) Fedora packages were not affected by this
problem.  But I'm ok with pushing it as a security update anyway, provided that we
clearly mention in the notes that only users rebuilding freetype1 with BCI were
affected by the problem.  The update request should only refer to this bug, not to
the bugs for other CVEs.

Comment 14 Hans de Goede 2008-06-18 08:11:14 UTC
(In reply to comment #13)
> In reply to https://bugzilla.redhat.com/show_bug.cgi?id=450773#c12 :
> 
> The maxTwilightPoints check does not seem directly related and was probably added as
> an additional sanity check.
> 
> As the .pfb format is not supported by freetype1, we should ideally try to avoid
> mentioning CVE-2008-1806 and CVE-2008-1807 in the freetype1 RPM changelog.
> 

It's a little too late for that, as a freetype1 with those in the ChangeLog is
already in rawhide. I did add "(where applicable)" to the changelog to indicate
not all of the mentioned issues were relevant for freetype1.

> As for the bodhi update request, we do not need to submit updated freetype1 packages
> as a security update, as (binary) Fedora packages were not affected by this
> problem.

Ok.

> But I'm ok with pushing it as a security update anyway, provided that we
> clearly mention in the notes that only users rebuilding freetype1 with BCI were
> affected by the problem.  The update request should only refer to this bug, not to
> the bugs for other CVEs.

I don't believe anyone is offering rebuilt freetype1 packages with BCI enabled,
so I considered this issue closed then. If you want I can still do an update,
esp. since the new freetype1 is already built in bodhi for F-8 and F-9.


Comment 18 Vincent Danen 2009-04-16 17:20:01 UTC
Created attachment 339880 [details]
patch for freetype1

Comment 20 errata-xmlrpc 2009-05-22 12:22:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2009:0329 https://rhn.redhat.com/errata/RHSA-2009-0329.html

