Bug 613198 - (CVE-2010-2520) CVE-2010-2520 freetype: heap buffer overflow vulnerability in truetype bytecode support
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: public=20100609,reported=20100702,sou...
Keywords: Reopened, Security
Depends On: 613298 613299
Reported: 2010-07-09 20:26 EDT by Vincent Danen
Modified: 2015-08-19 04:49 EDT
Last Closed: 2010-07-09 20:28:20 EDT
Doc Type: Bug Fix

Description Vincent Danen 2010-07-09 20:26:18 EDT
Robert Swiecki reported a heap buffer overflow vulnerability in freetype's truetype bytecode support.  This could cause applications linked against freetype to crash or, possibly, lead to the execution of arbitrary code if an attacker were able to get a victim to load a malicious font file.

The affected functionality (truetype bytecode) is not compiled in Red Hat Enterprise Linux or Fedora by default.

This issue has been given the name CVE-2010-2520.

Upstream bug reports:

http://savannah.nongnu.org/bugs/index.php?30361

Upstream commit that fixes the issue:

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=888cd1843e935fe675cf2ac303116d4ed5b9d54b


Statement:

Not vulnerable. This issue did not affect the versions of freetype as shipped with Red Hat Enterprise Linux 3, 4, or 5.
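The statement above rests on whether the TrueType bytecode interpreter was compiled in, which FreeType controls through the `TT_CONFIG_OPTION_BYTECODE_INTERPRETER` setting in its `ftoption.h` (disabled builds keep the `#define` wrapped in a `/* ... */` comment). The following shell function, added here as an example and not part of the bug report or the FreeType project, tells the two states apart; the installed header path in the last comment is an assumed location.

```shell
# Added example, not from the bug report or the FreeType project. FreeType
# compiles the TrueType bytecode interpreter only when ftoption.h contains an
# active "#define TT_CONFIG_OPTION_BYTECODE_INTERPRETER"; a disabled build keeps
# the same line wrapped in a /* ... */ comment. This function tells them apart.
bytecode_interpreter_status() {
  ftoption="$1"
  # Drop single-line /* ... */ comments (the form ftoption.h uses), then look
  # for an uncommented #define of the option at the start of a line.
  if sed 's|/\*.*\*/||g' "$ftoption" |
     grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+TT_CONFIG_OPTION_BYTECODE_INTERPRETER([[:space:]]|$)'
  then
    echo enabled
  else
    echo disabled
  fi
}

# Constructed samples mimicking the two states of ftoption.h (not real files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ftoption-enabled.h" <<'EOF'
  /* Define TT_CONFIG_OPTION_BYTECODE_INTERPRETER if you want to compile   */
  /* the TrueType bytecode interpreter.                                    */
#define TT_CONFIG_OPTION_BYTECODE_INTERPRETER
EOF
cat > "$SAMPLE_DIR/ftoption-disabled.h" <<'EOF'
  /* Define TT_CONFIG_OPTION_BYTECODE_INTERPRETER if you want to compile   */
  /* the TrueType bytecode interpreter.                                    */
/* #define TT_CONFIG_OPTION_BYTECODE_INTERPRETER */
EOF

bytecode_interpreter_status "$SAMPLE_DIR/ftoption-enabled.h"   # enabled
bytecode_interpreter_status "$SAMPLE_DIR/ftoption-disabled.h"  # disabled
# Against a real installation (assumed path; adjust for your distribution):
# bytecode_interpreter_status /usr/include/freetype2/freetype/config/ftoption.h
```

The header only reflects the build that installed it, so on a system where freetype was rebuilt locally (as comment 1 describes) check the `ftoption.h` from that rebuild rather than the distribution's development package.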
Comment 1 Vincent Danen 2010-07-09 20:28:20 EDT
Provided we never enable truetype bytecode support (doubtful since it's patented) this won't affect any version of freetype we ship.

Users that have rebuilt freetype with truetype bytecode support enabled will probably want to patch this and rebuild again to get the fix, or revert to the (supported) version of freetype as provided (with truetype bytecode support disabled).
Comment 2 Kevin Kofler 2010-07-10 06:42:04 EDT
Is there a Freetype security update in the works for the other CVEs or should I patch freetype-freeworld for just this CVE while waiting on a decision for the others?
Comment 3 Vincent Danen 2010-07-10 11:59:17 EDT
Referring to Fedora updates?  I'm not sure.  There is no new upstream version as of yet (probably sometime next week).  I was going to create a tracking bug for all of these flaws (well, excluding this one -- you can certainly include the patch for it if you like).  I'll do that in a minute.
Comment 4 Vincent Danen 2010-07-10 12:09:02 EDT
Actually, I'm going to open this so that we can get the fixes into Fedora.
Comment 6 Nicolas Mailhot 2010-07-13 08:27:15 EDT
(In reply to comment #1)
> Provided we never enable truetype bytecode support (doubtful since it's
> patented) this won't affect any version of freetype we ship.

The patents have expired and it was enabled (briefly) in Fedora.

It's disabled again for non-legal reasons (enabling it disables the autohinter; we'd like it to be enabled for glyphs with hints, and autohint the rest).

Therefore, it would be a good idea to fix it preventively before it is enabled again.
Comment 7 Vincent Danen 2010-07-15 16:43:28 EDT
Upstream has released 2.4.0 to correct this issue:

http://lists.nongnu.org/archive/html/freetype/2010-07/msg00001.html