Two off-by-one flaws were found in the way FreeType parses PFB and TTF fonts.
The advisory states:
The first vulnerability occurs when parsing Printer Font Binary (PFB)
format font files. PFB files contain various data structures, some of
which are stored in a tabular format. When parsing tables, the code
doesn't correctly validate a value used as an array index into a heap
buffer. The calculation contains an off-by-one error, which can result in
a heap overflow.
The second vulnerability occurs when parsing TrueType Font (TTF) font
files. TrueType font files contain "font programs" that are executed in a
TrueType virtual machine. One of the instructions in the instruction set
is 'SHC', which is used to shift a contour in the font by a specified
value. When parsing this instruction, the code doesn't correctly validate
an array index, which leads to an off-by-one heap overflow.
attachment 308965 [details] is the patch extracted from upstream CVS
This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and
freetype-2.3.5-4.fc8 has been submitted as an update for Fedora 8
freetype-2.3.5-6.fc9 has been submitted as an update for Fedora 9
The TTF issue affects the TTF virtual machine byte code interpreter (BCI). This
interpreter is disabled by default in freetype 2.x (libtruetype) due to patent
issues, as described on the upstream web page:
All Red Hat Enterprise Linux and Fedora freetype 2.x versions have BCI disabled
and are not affected by the TTF part of CVE-2008-1808. Only custom rebuilds
with BCI enabled may possibly be affected.
Freetype 1.x (libttf) does enable BCI by default, but is explicitly disabled in
freetype packages on Red Hat Enterprise Linux 3 and 4 and in freetype1 packages
in all Fedora versions (via freetype-1.4-disable-ft1-bci.patch).
Red Hat Enterprise Linux 5 does not ship freetype 1.x library. Freetype 1.x on
Red Hat Enterprise Linux 2.1 is built with BCI enabled.
On the other hand, freetype-freeworld in a popular third-party repository is
also affected by the BCI issue, in addition to the issues also affecting the
Fedora freetype package. A fixed freetype-freeworld will be built in that
repository as soon as possible.
The patch applied to Fedora packages does include the TTF BCI part of the fix, so
rebuilds with BCI enabled should be safe.
freetype-2.3.5-6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
freetype-2.3.5-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
In reply to https://bugzilla.redhat.com/show_bug.cgi?id=450773#c12 :
The only part of the upstream patch that should be related to the .ttf issue covered
by this CVE id is:
- if ( last_point > CUR.zp2.n_points )
+ if ( BOUNDS ( last_point , CUR.zp2.n_points ) )
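Review bot: the pre-patch comparison `last_point > CUR.zp2.n_points` only rejects values strictly greater than the point count, so `last_point == n_points` is accepted even though valid indices run from 0 to `n_points - 1`; that is exactly the one-past-the-end access the advisory calls an off-by-one heap overflow. Replacing it with `BOUNDS ( last_point , CUR.zp2.n_points )` is the right fix provided the macro rejects the equal case as well (its definition is not shown in this excerpt), so it is worth confirming that BOUNDS compares with `>=` rather than `>` before treating this hunk as the complete correction for the .ttf part of the CVE.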
The maxTwilightPoints check does not seem directly related and was probably added as
an additional sanity check.
As .pfb is not supported by freetype1, we should ideally try to avoid
mentioning CVE-2008-1806 and CVE-2008-1807 in the freetype1 RPM changelog.
As for the bodhi update request, we do not need to submit updated freetype1 packages
as a security update, as (binary) Fedora packages were not affected by this
problem. But I'm ok with pushing it as a security update anyway, provided that we
clearly mention in the notes that only users rebuilding freetype1 with BCI were
affected by the problem. The update request should only refer to this bug, not to
the bugs for other CVEs.
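The following is an added illustration, not code from FreeType or from this bug: it models the index check the advisory describes for the SHC instruction, with the pre-patch comparison beside a check built on a BOUNDS-style macro like the one in the hunk above. The zone_t struct, the function names and the macro definition (an unsigned compare, assumed here) are constructed for the example and are not FreeType's own.

```c
#include <stdio.h>

/* Constructed model of an interpreter glyph zone (stand-in for CUR.zp2):
 * n_points entries are valid, so legal indices are 0 .. n_points-1. */
typedef struct {
    int n_points;
    int x[8];          /* fixed capacity, enough for the sample below */
} zone_t;

/* Modelled on the upstream BOUNDS macro (assumed definition: an unsigned
 * compare). True when index x lies outside 0 .. n-1. */
#define BOUNDS(x, n) ((unsigned int)(x) >= (unsigned int)(n))

/* Pre-patch check: only last_point > n_points is rejected, so
 * last_point == n_points slips through and would refer to x[n_points],
 * one element past the end of the buffer. */
int shc_index_ok_before(const zone_t *z, int last_point)
{
    if (last_point > z->n_points)
        return 0;                 /* rejected */
    return 1;                     /* accepted, possibly one past the end */
}

/* Post-patch check using BOUNDS: rejects last_point >= n_points and,
 * because of the unsigned compare, negative values as well. */
int shc_index_ok_after(const zone_t *z, int last_point)
{
    if (BOUNDS(last_point, z->n_points))
        return 0;
    return 1;
}

/* Largest non-negative last_point a check accepts, or -1 if none. Scans a
 * small window around n_points, which is where the off-by-one lives. */
int largest_accepted(int (*check)(const zone_t *, int), const zone_t *z)
{
    int best = -1;
    for (int i = 0; i <= z->n_points + 2; i++)
        if (check(z, i))
            best = i;
    return best;
}

int main(void)
{
    /* Constructed sample zone with 5 valid points. */
    zone_t z = { 5, { 10, 20, 30, 40, 50, 0, 0, 0 } };

    printf("before: largest accepted index = %d (n_points = %d)\n",
           largest_accepted(shc_index_ok_before, &z), z.n_points);
    printf("after : largest accepted index = %d\n",
           largest_accepted(shc_index_ok_after, &z));
    printf("index -1: before=%d after=%d\n",
           shc_index_ok_before(&z, -1), shc_index_ok_after(&z, -1));
    return 0;
}
```

With five valid points the pre-patch check still admits index 5, while the BOUNDS-style check stops at 4; the unsigned compare also turns a negative index into a very large one, so it is rejected rather than silently indexing before the buffer.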
(In reply to comment #13)
> In reply to https://bugzilla.redhat.com/show_bug.cgi?id=450773#c12 :
> The maxTwilightPoints check does not seem directly related and was probably added as
> an additional sanity check.
> As .pfb is not supported by freetype1, we should ideally try to avoid
> mentioning CVE-2008-1806 and CVE-2008-1807 in the freetype1 RPM changelog.
It's a little too late for that, as a freetype1 with those in the ChangeLog is
already in rawhide. I did add "(where applicable)" to the changelog to indicate
that not all of the mentioned issues were relevant for freetype1.
> As for the bodhi update request, we do not need to submit updated freetype1 packages
> as a security update, as (binary) Fedora packages were not affected by this
> But I'm ok with pushing it as a security update anyway, provided that we
> clearly mention in the notes that only users rebuilding freetype1 with BCI were
> affected by the problem. The update request should only refer to this bug, not to
> the bugs for other CVEs.
I don't believe anyone is offering rebuilt freetype1 packages with BCI enabled,
so I consider this issue closed then. If you want I can still do an update,
esp. since the new freetype1 is already built in bodhi for F-8 and F-9.
This issue was addressed in:
Red Hat Enterprise Linux:
Created attachment 339880 [details]
patch for freetype1
This issue has been addressed in following products:
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Via RHSA-2009:0329 https://rhn.redhat.com/errata/RHSA-2009-0329.html