Bug 889398 - hedgewars: embedded freetype (2.4.4) vulnerable to many flaws [fedora-all]
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: hedgewars (Show other bugs)
Version: 18
Platform: All Linux
Priority: high
Severity: high
Assigned To: Hans de Goede
QA Contact: Fedora Extras Quality Assurance
Keywords: Security, SecurityTracking
Depends On:
Blocks: CVE-2011-0226 CVE-2011-3256 CVE-2011-3439 CVE-2012-1126 CVE-2012-1127 CVE-2012-1128 CVE-2012-1130 CVE-2012-1131 CVE-2012-1132 CVE-2012-1133 CVE-2012-1134 CVE-2012-1135 CVE-2012-1136 CVE-2012-1137 CVE-2012-1138 CVE-2012-1139 CVE-2012-1140 CVE-2012-1141 CVE-2012-1142 CVE-2012-1143 CVE-2012-1144
Reported: 2012-12-20 22:26 EST by Vincent Danen
Modified: 2012-12-23 21:28 EST (History)
CC: 7 users

Doc Type: Release Note
Clone Of: 723469
Last Closed: 2012-12-21 16:33:44 EST
Attachments: None
Description Vincent Danen 2012-12-20 22:26:11 EST
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please only close it when all
affected versions are fixed.
Comment 2 Vincent Danen 2012-12-20 22:32:39 EST
It would be ideal if hedgewars could link to the system freetype, so that we don't ever have to worry about embedded freetype again.
Comment 3 Bruno Wolff III 2012-12-21 02:57:41 EST
As far as I can tell Hedgewars does use the system version of freetype, not the embedded copy.
The freetype build is commented out in CMakeLists.txt and ldd shows a reference to libfreetype.so.6 => /usr/lib/freetype-freeworld/libfreetype.so.6 (0x4952e000).
While freetype-devel is not an explicit buildrequires, it is brought in by one of the buildrequires. Looking at the root.log of a hedgewars build shows that.
Comment 4 Vincent Danen 2012-12-21 16:33:44 EST
This is really odd:

% rpm -qp --requires /srv/mirror/Fedora/releases/17/Everything/i386/os/Packages/h/hedgewars-0.9.17-3.fc17.i686.rpm|grep free

returns no results.  Yet:

% ldd /usr/bin/hedgewars|grep free
	libfreetype.so.6 => /lib/libfreetype.so.6 (0x49886000)

I guess it is ok.  I wonder why rpm isn't picking up the requirement from that?

I suppose this is NOTABUG (and I'll close it as such), but it explains why my tools didn't pick up that Hedgewars is using the system library.  Perhaps an explicit Requires and BuildRequires would prevent that confusion from other programs that look at the rpm information to determine dependencies.

Thanks, Bruno!
Comment 5 Bruno Wolff III 2012-12-21 17:04:19 EST
There's definitely something odd about how that library gets pulled in. It didn't look like any of the buildrequires should pull in freetype-devel, yet it gets pulled in. I checked using repoquery --recursive --whatrequires freetype-devel and didn't get any matches.

On the plus side, when looking at this I noticed a minor feature was disabled because libpng-devel wasn't listed in a buildrequires. So I fixed that. And I figured it was time to update to 0.9.18 in f16 and f17 so that people could play network games (as mostly people use the latest version for those).
Comment 6 Vincent Danen 2012-12-21 17:45:02 EST
I suspect that is probably due, perhaps, to freetype-devel already being present?

I see in koji that you pushed a new build, which is great, but I don't see anything in the noted changelog about any changes in the requires/buildrequires.  Wouldn't it have made sense to add them in (and perhaps, not sure if this is done or not, but rm -rf the internal freetype directory to ensure it never accidentally gets pulled in)?

Thanks again for being so responsive.
Comment 7 Bruno Wolff III 2012-12-21 22:43:56 EST
I noted the higher level change, which is letting screen shots produce png images.

From what I could see in the root log, freetype-devel wasn't in the initial root, but was pulled in by something in the build requires.

It might make sense to rm -r the three libraries that aren't built to catch any change. I wouldn't want to use -f, since I'd want to notice a change in the directory names as well. I'll probably do that, but won't do new builds just for that.
Comment 8 Vincent Danen 2012-12-22 01:11:16 EST
That sounds fine to me.  Thank you!
Comment 9 Kevin Kofler 2012-12-23 21:28:14 EST
freetype might be linked only indirectly. ldd doesn't show only directly linked libraries (use nm to see the actual DT_NEEDED entries in the binary), it shows all libraries which somehow end up loaded by the executable.
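The checks discussed in Comments 4 and 9, written out as an added example that is not part of this bug report and not code from the hedgewars project. The script reads three command outputs, readelf -d (this example's choice for listing the DT_NEEDED entries; the thread mentions nm), ldd, and rpm -q --requires, and reports for every library the loader maps whether the binary names it directly or only reaches it through another library, and whether the package metadata declares it. The sample outputs embedded below are constructed to mirror the situation in the report (libfreetype mapped by ldd but not named by the binary); the SDL library names in them are assumptions for illustration, not what hedgewars actually links against.

```shell
#!/bin/sh
# Added example, not code from the bug report or the hedgewars project.
# Classifies each shared library a binary ends up loading as directly linked
# (a DT_NEEDED entry in the ELF dynamic section) or pulled in transitively by
# another library, and says whether the rpm metadata declares it.
# Real-world inputs would come from:
#   readelf -d /usr/bin/hedgewars      (DT_NEEDED entries)
#   ldd /usr/bin/hedgewars             (everything the loader maps)
#   rpm -q --requires hedgewars        (what the package metadata declares)
# The samples below are CONSTRUCTED; the library names are illustrative.

export LC_ALL=C   # deterministic sort order for the comparisons below

SAMPLE_READELF='Dynamic section at offset 0x1f0c contains 30 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libSDL-1.2.so.0]
 0x00000001 (NEEDED)                     Shared library: [libSDL_ttf-2.0.so.0]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
 0x0000000c (INIT)                       0x8049000'

SAMPLE_LDD='    linux-gate.so.1 =>  (0x00110000)
    libSDL-1.2.so.0 => /lib/libSDL-1.2.so.0 (0x4a000000)
    libSDL_ttf-2.0.so.0 => /lib/libSDL_ttf-2.0.so.0 (0x4a100000)
    libfreetype.so.6 => /lib/libfreetype.so.6 (0x49886000)
    libc.so.6 => /lib/libc.so.6 (0x4a200000)
    /lib/ld-linux.so.2 (0x4a300000)'

SAMPLE_RPM_REQUIRES='libSDL-1.2.so.0
libSDL_ttf-2.0.so.0
libc.so.6
libc.so.6(GLIBC_2.0)
rtld(GNU_HASH)
rpmlib(PayloadFilesHavePrefix) <= 4.0-1'

# Sonames from the (NEEDED) lines of `readelf -d`, one per line, sorted.
needed_from_readelf() {
    sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p' | sort -u
}

# Sonames from ldd output; the vDSO line (no path) and the loader line
# have fewer than four fields and are skipped.
sonames_from_ldd() {
    awk 'NF == 4 && $2 == "=>" { print $1 }' | sort -u
}

# Bare sonames from `rpm -q --requires`, dropping symbol-version suffixes
# such as "(GLIBC_2.0)" and non-library entries such as rtld(GNU_HASH).
libs_from_rpm_requires() {
    sed -n 's/^\(lib[^( ]*\.so[^( ]*\).*/\1/p' | sort -u
}

# Usage: classify_libs READELF_OUTPUT LDD_OUTPUT RPM_REQUIRES_OUTPUT
# Prints "<soname> direct|indirect declared|undeclared" per mapped library.
classify_libs() {
    needed=$(printf '%s\n' "$1" | needed_from_readelf)
    declared=$(printf '%s\n' "$3" | libs_from_rpm_requires)
    printf '%s\n' "$2" | sonames_from_ldd | while read -r lib; do
        if printf '%s\n' "$needed" | grep -qxF "$lib"; then
            link=direct
        else
            link=indirect     # only reachable through another library
        fi
        if printf '%s\n' "$declared" | grep -qxF "$lib"; then
            decl=declared
        else
            decl=undeclared   # invisible to tools that read rpm metadata
        fi
        printf '%s %s %s\n' "$lib" "$link" "$decl"
    done
}

# Libraries that are both transitive and undeclared: exactly the ones an
# rpm-driven vulnerability tracker would fail to associate with the package.
hidden_libs() {
    classify_libs "$1" "$2" "$3" | awk '$2 == "indirect" && $3 == "undeclared" { print $1 }'
}

# Demonstration on the constructed samples.
classify_libs "$SAMPLE_READELF" "$SAMPLE_LDD" "$SAMPLE_RPM_REQUIRES"
# On a real system, for example:
# classify_libs "$(readelf -d /usr/bin/hedgewars)" "$(ldd /usr/bin/hedgewars)" \
#               "$(rpm -q --requires hedgewars)"
```

On the constructed samples the report lists three libraries as "direct declared" and libfreetype.so.6 as "indirect undeclared", which is the combination that explains the thread: rpm generates its automatic Requires from the DT_NEEDED entries, so a library reached only through another library never appears there, while ldd resolves the whole tree. One caveat: none of these three commands can reveal a copy of freetype compiled statically into the binary, because that leaves no soname anywhere; for that case the build log or the symbol table, as checked in Comment 3, is the evidence to look at.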