Bug 611927 - freetype: write to non-mapped memory in base/ftojbs.c:1563
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
Reported: 2010-07-06 17:08 EDT by Vincent Danen
Modified: 2010-07-07 13:45 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-07-07 13:45:18 EDT

Attachments: None
Description Vincent Danen 2010-07-06 17:08:03 EDT
Robert Swiecki reported a possibly exploitable write to non-mapped memory in the way freetype handles certain fonts [1].

The original report has two sample font files that caused the tested version to crash with a SIGSEGV (sigsegv16.pfb) and SIGABRT (sigabrt24.ttf).  When reproducing, observed behaviour was:

RHEL3 (freetype 2.1.4): pass on both files
RHEL4 (freetype 2.1.9): crashes (segfault) on both files
RHEL5 (freetype 2.2.1): crashes (segfault) on sigsegv16.pfb only
Fedora (freetype 2.3.11): crashes (segfault) on sigsegv16.pfb only

The upstream bug report claims this may be potentially exploitable for more than just a crash.  A patch was posted to correct the issue [2].  This needs to be looked at to determine whether or not this can be exploited to execute arbitrary code.

[1] http://savannah.nongnu.org/bugs/index.php?30248
[2] http://savannah.nongnu.org/bugs/download.php?file_id=20815
Comment 4 Josh Bressers 2010-07-07 13:45:18 EDT
I'm going to close this bug and file individual bugs for each freetype flaw found (there are several).
