Bug 450774 - (CVE-2008-1808) CVE-2008-1808 FreeType off-by-one flaws
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Assigned To: Red Hat Product Security
http://labs.idefense.com/intelligence...
source=internet,public=20080610,repor...
Depends On: 450905 450906 450908 450909 450910 450911 451212 451213 484442 484443 484444 806288
Reported: 2008-06-10 17:15 EDT by Josh Bressers
Modified: 2016-03-04 06:50 EST (History)
Last Closed: 2008-07-21 05:32:39 EDT
Attachments
patch for freetype1 (2.53 KB, patch)
2009-04-16 13:20 EDT, Vincent Danen
Description Josh Bressers 2008-06-10 17:15:43 EDT
Two off-by-one flaws were found in the way FreeType parses PFB and TTF fonts.

The advisory states:
    The first vulnerability occurs when parsing Printer Font Binary (PFB)
    format font files. PFB files contain various data structures, some of
    which are stored in a tabular format. When parsing tables, the code
    doesn't correctly validate a value used as an array index into a heap
    buffer.  The calculation contains an off-by-one error, which can result in
    a heap overflow.

    The second vulnerability occurs when parsing TrueType Font (TTF) font
    files. TrueType font files contain "font programs" that are executed in a
    TrueType virtual machine. One of the instructions in the instruction set
    is 'SHC', which is used to shift a contour in the font by a specified
    value.  When parsing this instruction, the code doesn't correctly validate
    an array index, which leads to an off-by-one heap overflow.
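The two flaws described above come down to an index check that is off by one. As an added illustration (not FreeType's code; the zone type, function names and sample values are simplified and constructed here), the following C compares the pre-fix comparison `idx > n` with the corrected `idx >= n` form, then applies the corrected form as the guard on an SHC-style contour shift:

```c
#include <stdint.h>
#include <string.h>

/* Same idiom as FreeType's BOUNDS(): index x is out of range for an
 * n-element array when x >= n (unsigned compare also catches negatives). */
#define BOUNDS(x, n) ((uint32_t)(x) >= (uint32_t)(n))
#define MAX_POINTS 8

/* Hypothetical simplified zone of outline points (not FreeType's own
 * TT_GlyphZone): only the first n_points entries of x[] are valid. */
typedef struct {
    int16_t  x[MAX_POINTS];
    uint32_t n_points;
} zone_t;

/* Pre-fix check: `last_point > n_points` still accepts
 * last_point == n_points, one past the last valid index (0..n_points-1). */
int accepts_buggy(uint32_t last_point, uint32_t n_points) {
    return !(last_point > n_points);
}

/* Post-fix check, as in the upstream hunk: reject last_point >= n_points. */
int accepts_fixed(uint32_t last_point, uint32_t n_points) {
    return !BOUNDS(last_point, n_points);
}

/* SHC-style shift of points first..last (inclusive) by dx, guarded by the
 * fixed check. Returns the number of points shifted, or -1 if rejected. */
int shift_range_checked(zone_t *z, uint32_t first, uint32_t last, int16_t dx) {
    if (BOUNDS(first, z->n_points) || BOUNDS(last, z->n_points) || first > last)
        return -1;
    for (uint32_t i = first; i <= last; i++)
        z->x[i] = (int16_t)(z->x[i] + dx);
    return (int)(last - first + 1);
}

/* Constructed sample: a 4-point zone (all x == 0) inside the 8-slot buffer.
 * Returns the sum of the valid points after the shift, or -1 if rejected. */
int shift_demo(uint32_t first, uint32_t last, int16_t dx) {
    zone_t z;
    memset(&z, 0, sizeof z);
    z.n_points = 4;
    if (shift_range_checked(&z, first, last, dx) < 0)
        return -1;
    int sum = 0;
    for (uint32_t i = 0; i < z.n_points; i++)
        sum += z.x[i];
    return sum;
}
```

With `n_points == 4`, `accepts_buggy(4, 4)` lets index 4 through while `accepts_fixed(4, 4)` rejects it; that single value is the heap write one element past the zone that the advisory describes.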
Comment 1 Josh Bressers 2008-06-11 13:26:14 EDT
Attachment 308965 is the patch extracted from upstream CVS

This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and
CVE-2008-1808
Comment 5 Fedora Update System 2008-06-17 05:43:43 EDT
freetype-2.3.5-4.fc8 has been submitted as an update for Fedora 8
Comment 6 Fedora Update System 2008-06-17 05:44:16 EDT
freetype-2.3.5-6.fc9 has been submitted as an update for Fedora 9
Comment 7 Tomas Hoger 2008-06-17 06:01:25 EDT
The TTF issue affects the TTF virtual machine byte code interpreter (BCI).  This
interpreter is disabled by default on freetype 2.x (libtruetype) due to patent
issues as described on the upstream web page:

  http://www.freetype.org/patents.html

All Red Hat Enterprise Linux and Fedora freetype 2.x versions have BCI disabled
and are not affected by the TTF part of CVE-2008-1808.  Only custom rebuilds
with BCI enabled may possibly be affected.

Freetype 1.x (libttf) does enable BCI by default, but it is explicitly disabled in
freetype packages on Red Hat Enterprise Linux 3 and 4 and in freetype1 packages
in all Fedora versions (via freetype-1.4-disable-ft1-bci.patch).

Red Hat Enterprise Linux 5 does not ship freetype 1.x library.  Freetype 1.x on
Red Hat Enterprise Linux 2.1 is built with BCI enabled.
Comment 8 Kevin Kofler 2008-06-17 12:47:59 EDT
On the other hand, freetype-freeworld in a popular third-party repository is 
also affected by the BCI issue, in addition to the issues also affecting the 
Fedora freetype package. A fixed freetype-freeworld will be built in that 
repository as soon as possible.
Comment 9 Tomas Hoger 2008-06-17 13:00:59 EDT
The patch applied to Fedora packages does include the TTF BCI part of the fix, so
rebuilds with BCI enabled should be safe.
Comment 11 Fedora Update System 2008-06-17 23:15:11 EDT
freetype-2.3.5-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2008-06-17 23:15:31 EDT
freetype-2.3.5-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Tomas Hoger 2008-06-18 03:19:44 EDT
In reply to https://bugzilla.redhat.com/show_bug.cgi?id=450773#c12 :

The only part of the upstream patch that should be related to .ttf issue covered
by this CVE id is:

-    if ( last_point > CUR.zp2.n_points )
+    if ( BOUNDS ( last_point , CUR.zp2.n_points ) )
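Review bot: the replaced comparison is the whole off-by-one. With `last_point > CUR.zp2.n_points`, a last_point equal to n_points passes the check although valid point indices run from 0 to n_points-1, so the shift that follows touches one element past the zone; `BOUNDS( last_point, CUR.zp2.n_points )` rejects that equal case (BOUNDS is taken here to be FreeType's x >= n helper). A one-line comment at that site stating that last_point is an inclusive index would keep a future reader from "simplifying" it back to `>`.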

maxTwilightPoints check does not seem directly related and was probably added as
additional sanity check.

As .pfb is not supported by freetype1, we should ideally try to avoid
mentioning CVE-2008-1806 and CVE-2008-1807 in the freetype1 RPM changelog.

As for the bodhi update request, we do not need to submit updated freetype1 packages
as security update, as (binary) Fedora packages were not affected by this
problem.  But I'm ok with pushing it as security update anyway, provided that we
clearly mention in the notes that only users rebuilding freetype1 with bci were
affected by the problem.  Update request should only refer to this bug, not to
the bugs for other CVEs.
Comment 14 Hans de Goede 2008-06-18 04:11:14 EDT
(In reply to comment #13)
> In reply to https://bugzilla.redhat.com/show_bug.cgi?id=450773#c12 :
> 
> maxTwilightPoints check does not seem directly related and was probably added as
> additional sanity check.
> 
> As the .pfb is not supported by freetype1 we should ideally try to avoid
> mentioning CVE-2008-1806 and CVE-2008-1807 in the freetype1 RPM changelog.
> 

It's a little too late for that, as a freetype1 with those in the ChangeLog is
already in rawhide. I did add "(where applicable)" to the changelog to indicate
not all of the mentioned issues were relevant for freetype1.

> As for bodhi update request, we do not need to submit updated freetype1 packages
> as security update, as (binary) Fedora packages were not affected by this
> problem.

Ok.

> But I'm ok with pushing it as security update anyway, provided that we
> clearly mention in the notes that only users rebuilding freetype1 with bci were
> affected by the problem.  Update request should only refer to this bug, not to
> the bugs for other CVEs.

I don't believe anyone is offering rebuilt freetype1 packages with BCI enabled,
so I considered this issue closed then. If you want I can still do an update,
esp. since the new freetype1 is already built in bodhi for F-8 and F-9.
Comment 18 Vincent Danen 2009-04-16 13:20:01 EDT
Created attachment 339880
patch for freetype1
Comment 20 errata-xmlrpc 2009-05-22 08:22:22 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2009:0329 https://rhn.redhat.com/errata/RHSA-2009-0329.html
