Ulrik Persson reported a stack-based buffer overflow
flaw in the way the FontForge font editor processed certain
Bitmap Distribution Format (BDF) font files with a
specially-crafted value of the CHARSET_REGISTRY header.
A remote attacker could create a specially-crafted BDF
font file and trick a local, unsuspecting user into
opening it in FontForge, which could lead to a fontforge
executable crash or, potentially, arbitrary code execution
with the privileges of the user running the executable.
Flaw severity note:
On systems with the compile-time buffer checks (FORTIFY_SOURCE)
feature enabled, the impact of this flaw is mitigated to
a crash only.
This issue affects the version of the fontforge package, as shipped
with Red Hat Enterprise Linux 6.
This issue affects the versions of the fontforge package, as shipped
with Fedora releases 13 and 14.
This issue affects the versions of the fontforge package, as present
in the EPEL-4 and EPEL-5 repositories.
Please schedule the updates.
Created attachment 464292 [details]
Local copy of public PoC provided by Ulrik Persson
This issue affects the version of the fontforge package as shipped with
Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated
this issue as having low security impact, a future update may address
Created fontforge tracking bugs for this issue
Affects: fedora-all [bug 659365]
I'll note that the upstream devel list hasn't been notified about this and there is no patch or fix that I can see yet.
The CVE identifier of CVE-2010-4259 has been assigned to this issue.
Created attachment 464658 [details]
fix for CVE-2010-4259 crash
Attached is a unified format patch which should copy strings correctly within their allocated buffers, for many fields in the BDF file format, including CHARSET_REGISTRY.
I have tested FontForge before and after the patch; it does not crash predictably anymore.
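The report above describes an unbounded copy of the CHARSET_REGISTRY value into a fixed stack buffer, and the patch comment describes the fix as copying strings within their allocated buffers. The following is an added illustrative example, not FontForge's code, the attached patch, or the reporter's PoC: a minimal BDF header-line parser written in the vulnerable shape beside a bounded version. REG_BUF, the function names, and the constructed over-long input line are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustrative BDF header parser, not FontForge's code. BDF headers
 * are lines of the form "KEYWORD value"; the bug report concerns the value
 * of the CHARSET_REGISTRY line. REG_BUF is a hypothetical fixed field size. */
#define REG_BUF 32

/* Return a pointer to the value following `keyword` on `line`, or NULL
 * if the line does not begin with that keyword followed by blank space. */
static const char *bdf_value(const char *line, const char *keyword)
{
    size_t klen = strlen(keyword);
    if (strncmp(line, keyword, klen) != 0) return NULL;
    if (line[klen] != ' ' && line[klen] != '\t') return NULL;
    line += klen;
    while (*line == ' ' || *line == '\t') line++;
    return line;
}

/* BEFORE: the pattern the report describes. The value is copied into a
 * fixed stack buffer with no length check, so a CHARSET_REGISTRY value
 * longer than REG_BUF-1 bytes overwrites the stack. Returns the value
 * length, or -1 if the line is not a CHARSET_REGISTRY line. */
int parse_registry_vuln(const char *line)
{
    char registry[REG_BUF];
    const char *v = bdf_value(line, "CHARSET_REGISTRY");
    if (v == NULL) return -1;
    strcpy(registry, v);                        /* unbounded copy: overflow */
    registry[strcspn(registry, "\r\n")] = '\0'; /* drop the line ending */
    return (int)strlen(registry);
}

/* AFTER: same job, bounded. The value length (up to the line ending) is
 * measured first and the line is rejected (-2) if the value cannot fit
 * together with its terminator; nothing is written outside `registry`. */
int parse_registry_safe(const char *line)
{
    char registry[REG_BUF];
    const char *v = bdf_value(line, "CHARSET_REGISTRY");
    if (v == NULL) return -1;
    size_t n = strcspn(v, "\r\n");
    if (n >= sizeof registry) return -2;        /* would not fit: reject */
    memcpy(registry, v, n);
    registry[n] = '\0';
    return (int)n;
}

/* Build a constructed over-long header line (hypothetical input shaped
 * like a malicious BDF file, not the reporter's PoC): the keyword
 * followed by `count` 'A' bytes and a newline. Caller frees the result. */
char *make_long_registry_line(size_t count)
{
    const char *kw = "CHARSET_REGISTRY ";
    size_t klen = strlen(kw);
    char *line = malloc(klen + count + 2);
    if (line == NULL) return NULL;
    memcpy(line, kw, klen);
    memset(line + klen, 'A', count);
    line[klen + count] = '\n';
    line[klen + count + 1] = '\0';
    return line;
}

/* Run the safe parser over a constructed line whose value is `count`
 * bytes long and return its result; handy for checking the boundary. */
int safe_result_for_value_len(size_t count)
{
    char *line = make_long_registry_line(count);
    if (line == NULL) return -3;
    int r = parse_registry_safe(line);
    free(line);
    return r;
}

int main(int argc, char **argv)
{
    const char *benign = "CHARSET_REGISTRY \"ISO8859\"\n";
    char *attack = make_long_registry_line(200);
    if (attack == NULL) return 1;

    printf("benign, vuln parser : %d\n", parse_registry_vuln(benign));
    printf("benign, safe parser : %d\n", parse_registry_safe(benign));
    printf("attack, safe parser : %d (rejected)\n", parse_registry_safe(attack));

    /* Opt in to the crash: built with _FORTIFY_SOURCE this aborts with a
     * "buffer overflow detected" message, matching the severity note;
     * without it the stack is silently corrupted. */
    if (argc > 1 && strcmp(argv[1], "--crash") == 0)
        printf("attack, vuln parser : %d\n", parse_registry_vuln(attack));

    free(attack);
    return 0;
}
```

The hardened parser rejects an over-long value rather than silently truncating it; a truncating copy (strncpy with a forced terminator, or strlcpy where available) is also bounded, but a rejected line is easier to notice when a font file is malformed on purpose. The boundary is REG_BUF-1 value bytes: one byte is reserved for the terminator.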
Thanks very much for the patch!
Updates should roll out soon.
(and similar f13 update) fixed this long ago.
Can we just close this now?
This issue has been addressed in the following versions:
1) fontforge-20100501-5.fc14 for Fedora-14,
2) fontforge-20090923-4.fc13 for Fedora-13,
3) fontforge-20061025-3.el5 for EPEL-5 and
4) fontforge-20061025-3.el4 for EPEL-4.
Kevin, to your question,
(In reply to comment #9)
> (and similar f13 update) fixed this long ago.
> Can we just close this now?
No, this issue still affects the fontforge package as shipped with Red Hat Enterprise Linux 6. This bug will be closed only at the moment it has been addressed there too.
You are not responsible for this bug, though. It will be closed by the Red Hat Security Response Team once the issue has been solved in all affected packages.
You are / have been responsible only for BZ#659365, which is solved now.
Hope this helps.
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team