Bug 659359 - (CVE-2010-4259) CVE-2010-4259 FontForge: Stack-based buffer overflow by processing specially-crafted CHARSET_REGISTRY font file header
CVE-2010-4259 FontForge: Stack-based buffer overflow by processing specially-...
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
public=20101201,reported=20101201,sou...
: Security
Depends On: 659365
Blocks:
  Show dependency treegraph
 
Reported: 2010-12-02 11:11 EST by Jan Lieskovsky
Modified: 2016-03-04 05:49 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 11:46:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Local copy of public PoC provided by Ulrik Persson (615 bytes, application/octet-stream)
2010-12-02 11:24 EST, Jan Lieskovsky
no flags Details
fix for CVE-2010-4259 crash (1.98 KB, patch)
2010-12-03 16:27 EST, Louis Simard
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2010-12-02 11:11:48 EST
Ulrik Persson reported a stack-based buffer overflow
flaw in the way FontForge font editor processed certain
Bitmap Distribution Format (BDF) font files, with
specially-crafted value of the CHARSET_REGISTRY header.
A remote attacker could create a specially-crafted BDF
font file and trick a local, unsuspecting user into
opening it in FontForge, which could lead to fontforge
executable crash or, potentially, arbitrary code execution
with the privileges of the user running the executable.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605537

Public PoC:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=fontforge-overflow.txt;att=1;bug=605537

Flaw severity note:
On systems with compile time buffer checks (FORTIFY_SOURCE)
feature enabled, the impact of this flaw is mitigated to
be only crash.
Comment 1 Jan Lieskovsky 2010-12-02 11:14:53 EST
This issue affects the version of the fontforge package, as shipped
with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the fontforge package, as shipped
with Fedora release of 13 and 14.

This issue affects the versions of the fontforge package, as present
within EPEL-4 and EPEL-5 repositories.

Please schedule the updates.
Comment 2 Jan Lieskovsky 2010-12-02 11:24:16 EST
Created attachment 464292 [details]
Local copy of public PoC provided by Ulrik Persson
Comment 3 Jan Lieskovsky 2010-12-02 11:26:39 EST
Statement:

This issue affects the version of the fontforge package as shipped with
Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated
this issue as having low security impact, a future update may address
this flaw.
Comment 4 Jan Lieskovsky 2010-12-02 11:27:54 EST
Created fontforge tracking bugs for this issue

Affects: fedora-all [bug 659365]
Comment 5 Kevin Fenzi 2010-12-02 12:19:43 EST
I'll note that the upstream devel list hasn't been notified about this and there is no patch or fix that I can see yet. 

Will investigate.
Comment 6 Jan Lieskovsky 2010-12-03 05:25:16 EST
The CVE identifier of CVE-2010-4259 has been assigned to this issue.
Comment 7 Louis Simard 2010-12-03 16:27:28 EST
Created attachment 464658 [details]
fix for CVE-2010-4259 crash

Attached is a unified format patch which should copy strings correctly within their allocated buffers, for many fields in the BDF file format, including CHARSET_REGISTRY.

I have tested FontForge before and after the patch; it does not crash predictably anymore.
Comment 8 Kevin Fenzi 2010-12-04 18:15:30 EST
Thanks very much for the patch!

Updates should roll out soon.
Comment 9 Kevin Fenzi 2011-07-18 13:12:29 EDT
https://admin.fedoraproject.org/updates/fontforge-20100501-5.fc14
(and similar f13 update) fixed this long ago. 

Can we just close this now?
Comment 10 Jan Lieskovsky 2011-07-19 04:11:15 EDT
This issue has been addressed in the following versions:
1) fontforge-20100501-5.fc14 for Fedora-14,
2) fontforge-20090923-4.fc13 for Fedora-13,
3) fontforge-20061025-3.el5 for EPEL-5 and
4) fontforge-20061025-3.el4 for EPEL-4.
Comment 11 Jan Lieskovsky 2011-07-19 04:14:26 EDT
Kevin, to your question,

(In reply to comment #9)
> https://admin.fedoraproject.org/updates/fontforge-20100501-5.fc14
> (and similar f13 update) fixed this long ago. 
> 
> Can we just close this now?

No, this issue still affects fontforge package, as shipped with Red Hat Enterprise Linux 6. This bug will be closed only at the moment, it has been addressed there too.

Though you are not responsible for this bug. It will be closed by Red Hat Security Response Team once the issue has been solved in all affected packages.

You are / have been responsible only for BZ#659365 which is solved now.

Hope this helps.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Note You need to log in before you can comment on or make changes to this bug.