Two off-by-one flaws were found in the way FreeType parses PFB and TTF fonts. The advisory states:

The first vulnerability occurs when parsing Printer Font Binary (PFB) format font files. PFB files contain various data structures, some of which are stored in a tabular format. When parsing tables, the code doesn't correctly validate a value used as an array index into a heap buffer. The calculation contains an off-by-one error, which can result in a heap overflow.

The second vulnerability occurs when parsing TrueType Font (TTF) font files. TrueType font files contain "font programs" that are executed in a TrueType virtual machine. One of the instructions in the instruction set is 'SHC', which is used to shift a contour in the font by a specified value. When parsing this instruction, the code doesn't correctly validate an array index, which leads to an off-by-one heap overflow.
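As an added illustration (not code from the advisory or from FreeType itself), the C snippet below models the SHC-style index validation on a small constructed contour, contrasting a check that rejects only `last_point > n_points` with a `BOUNDS`-style check that also rejects `last_point == n_points`; `shift_contour`, `run_case` and the point layout are hypothetical simplifications.

```c
#include <stdint.h>
#include <stdio.h>

/* Same shape as FreeType's BOUNDS macro: index x is invalid for an
 * n-element array when x >= n (valid indices run 0 .. n-1). */
#define BOUNDS( x, n )  ( (uint32_t)(x) >= (uint32_t)(n) )

/* The pre-fix test as quoted in this bug: only x > n is rejected,
 * so x == n (one past the end of the buffer) is accepted. */
#define OLD_BOUNDS( x, n )  ( (uint32_t)(x) > (uint32_t)(n) )

typedef struct { int32_t x, y; } Point;

/* Hypothetical, simplified model of an SHC-style contour shift: moves points
 * 0 .. last_point by (dx, dy). Returns the number of points shifted, -1 when
 * the chosen bounds check rejects last_point, or -2 when the check let an
 * out-of-range index through (we stop instead of writing past the buffer). */
static int shift_contour(Point *pts, uint32_t n_points, uint32_t last_point,
                         int32_t dx, int32_t dy, int use_fixed_check)
{
    int rejected = use_fixed_check ? BOUNDS(last_point, n_points)
                                   : OLD_BOUNDS(last_point, n_points);
    if (rejected)
        return -1;
    if (last_point >= n_points)
        return -2;          /* pts[last_point] would be a heap overflow */
    for (uint32_t i = 0; i <= last_point; i++) {
        pts[i].x += dx;
        pts[i].y += dy;
    }
    return (int)last_point + 1;
}

/* Constructed four-point contour used for the cases below. */
static int run_case(uint32_t last_point, int use_fixed_check)
{
    Point pts[4] = { {0, 0}, {1, 1}, {2, 2}, {3, 3} };
    return shift_contour(pts, 4, last_point, 5, 0, use_fixed_check);
}

/* x coordinate of the last point after a valid shift by dx = 5 (3 + 5 = 8). */
static int32_t shifted_last_x(void)
{
    Point pts[4] = { {0, 0}, {1, 1}, {2, 2}, {3, 3} };
    shift_contour(pts, 4, 3, 5, 0, 1);
    return pts[3].x;
}

int main(void)
{
    printf("last_point=3 fixed=%d\n", run_case(3, 1));                  /* 4 */
    printf("last_point=4 old=%d fixed=%d\n", run_case(4, 0), run_case(4, 1)); /* -2 -1 */
    return 0;
}
```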
Attachment 308965 is the patch extracted from upstream CVS. This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808.
freetype-2.3.5-4.fc8 has been submitted as an update for Fedora 8
freetype-2.3.5-6.fc9 has been submitted as an update for Fedora 9
The TTF issue affects the TTF virtual machine byte code interpreter (BCI). This interpreter is disabled by default on freetype 2.x (libtruetype) due to patent issues, as described on the upstream web page: http://www.freetype.org/patents.html

All Red Hat Enterprise Linux and Fedora freetype 2.x versions have BCI disabled and are not affected by the TTF part of CVE-2008-1808. Only custom rebuilds with BCI enabled may possibly be affected. Freetype 1.x (libttf) does enable BCI by default, but it is explicitly disabled in freetype packages on Red Hat Enterprise Linux 3 and 4 and in freetype1 packages in all Fedora versions (via freetype-1.4-disable-ft1-bci.patch). Red Hat Enterprise Linux 5 does not ship the freetype 1.x library. Freetype 1.x on Red Hat Enterprise Linux 2.1 is built with BCI enabled.
On the other hand, freetype-freeworld in a popular third-party repository is also affected by the BCI issue, in addition to the issues also affecting the Fedora freetype package. A fixed freetype-freeworld will be built in that repository as soon as possible.
The patch applied to Fedora packages does include TTF BCI part of the fix, so rebuilds with BCI enabled should be safe.
freetype-2.3.5-6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
freetype-2.3.5-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
In reply to https://bugzilla.redhat.com/show_bug.cgi?id=450773#c12 : The only part of the upstream patch that should be related to the .ttf issue covered by this CVE id is: - if ( last_point > CUR.zp2.n_points ) + if ( BOUNDS ( last_point , CUR.zp2.n_points ) ) The maxTwilightPoints check does not seem directly related and was probably added as an additional sanity check. As .pfb is not supported by freetype1, we should ideally try to avoid mentioning CVE-2008-1806 and CVE-2008-1807 in the freetype1 RPM changelog. As for the bodhi update request, we do not need to submit updated freetype1 packages as a security update, as (binary) Fedora packages were not affected by this problem. But I'm ok with pushing it as a security update anyway, provided that we clearly mention in the notes that only users rebuilding freetype1 with BCI were affected by the problem. The update request should only refer to this bug, not to the bugs for other CVEs.
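Review bot: the removed test `if ( last_point > CUR.zp2.n_points )` still accepts last_point == n_points, and since valid point indices run 0 .. n_points-1 that is exactly the one-past-the-end index the advisory describes as the SHC off-by-one; the replacement `BOUNDS( last_point, CUR.zp2.n_points )` rejects the equal case as well, so this single-line change is indeed the TTF part of the fix and the maxTwilightPoints hunk is only an extra sanity check, as the comment says.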
(In reply to comment #13)
> In reply to https://bugzilla.redhat.com/show_bug.cgi?id=450773#c12 :
>
> maxTwilightPoints check does not seem directly related and was probably added as
> additional sanity check.
>
> As the .pfb is not supported by freetype1 we should ideally try to avoid
> mentioning CVE-2008-1806 and CVE-2008-1807 in the freetype1 RPM changelog.
>
It's a little too late for that, as a freetype1 with those in the ChangeLog is already in rawhide. I did add "(where applicable)" to the changelog to indicate that not all of the mentioned issues were relevant for freetype1.
> As for bodhi update request, we do not need to submit updated freetype1 packages
> as a security update, as (binary) Fedora packages were not affected by this
> problem.
Ok.
> But I'm ok with pushing it as a security update anyway, provided that we
> clearly mention in the notes that only users rebuilding freetype1 with bci were
> affected by the problem. Update request should only refer to this bug, not to
> the bugs for other CVEs.
I don't believe anyone is offering rebuilt freetype1 packages with BCI enabled, so I consider this issue closed, then. If you want I can still do an update, esp. since the new freetype1 is already built in bodhi for F-8 and F-9.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0558.html
http://rhn.redhat.com/errata/RHSA-2008-0556.html

Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-5430
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5425
Created attachment 339880: patch for freetype1
This issue has been addressed in the following products:

Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4

Via RHSA-2009:0329 https://rhn.redhat.com/errata/RHSA-2009-0329.html