Bug 611927 - freetype: write to non-mapped memory in base/ftojbs.c:1563
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20100624,reported=20100702,sou...
Keywords: Security
Depends On:
Blocks:
Reported: 2010-07-06 21:08 UTC by Vincent Danen
Modified: 2010-07-07 17:45 UTC (History)
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-07 17:45:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments:

Description Vincent Danen 2010-07-06 21:08:03 UTC
Robert Swiecki reported a possibly exploitable write to non-mapped memory in the way freetype handles certain fonts [1].

The original report has two sample font files that caused the tested version to crash with a SIGSEGV (sigsegv16.pfb) and SIGABRT (sigabrt24.ttf).  When reproducing, observed behaviour was:

RHEL3 (freetype 2.1.4): pass on both files
RHEL4 (freetype 2.1.9): crashes (segfault) on both files
RHEL5 (freetype 2.2.1): crashes (segfault) on sigsegv16.pfb only
Fedora (freetype 2.3.11): crashes (segfault) on sigsegv16.pfb only

The upstream bug report claims this may be potentially exploitable for more than just a crash.  A patch was posted to correct the issue [2].  This needs to be looked at to determine whether or not this can be exploited to execute arbitrary code.

[1] http://savannah.nongnu.org/bugs/index.php?30248
[2] http://savannah.nongnu.org/bugs/download.php?file_id=20815

Comment 4 Josh Bressers 2010-07-07 17:45:18 UTC
I'm going to close this bug and file individual bugs for each freetype flaw found (there are several).
