Ulrik Persson reported a stack-based buffer overflow flaw in the way the FontForge font editor processed certain Bitmap Distribution Format (BDF) font files with a specially crafted value of the CHARSET_REGISTRY header. A remote attacker could create a specially crafted BDF font file and trick a local, unsuspecting user into opening it in FontForge, which could lead to a crash of the fontforge executable or, potentially, arbitrary code execution with the privileges of the user running the executable.
References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605537
Public PoC:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=fontforge-overflow.txt;att=1;bug=605537
Flaw severity note: On systems with the compile-time buffer checks feature (FORTIFY_SOURCE) enabled, the impact of this flaw is mitigated to a crash only.
This issue affects the version of the fontforge package as shipped with Red Hat Enterprise Linux 6.
--
This issue affects the versions of the fontforge package as shipped with Fedora releases 13 and 14. This issue affects the versions of the fontforge package as present within the EPEL-4 and EPEL-5 repositories. Please schedule the updates.
Created attachment 464292 [details]
Local copy of public PoC provided by Ulrik Persson
Statement: This issue affects the version of the fontforge package as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.
Created fontforge tracking bugs for this issue
Affects: fedora-all [bug 659365]
I'll note that the upstream devel list hasn't been notified about this and there is no patch or fix that I can see yet. Will investigate.
The CVE identifier of CVE-2010-4259 has been assigned to this issue.
Created attachment 464658 [details]
fix for CVE-2010-4259 crash
Attached is a unified-format patch which should copy strings correctly within their allocated buffers for many fields in the BDF file format, including CHARSET_REGISTRY. I have tested FontForge before and after the patch; it does not crash predictably anymore.
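The flaw as described in the opening report and the shape of the fix described in the patch comment above, as an added example: this is not FontForge's code, not the attached patch, and not the public PoC. A BDF header is plain text (for example CHARSET_REGISTRY "ISO10646"); the "before" function copies the quoted value into a fixed-size buffer with no length check, the "after" function checks the value length against the destination first and rejects overlong values. The buffer size FIELD_MAX, the function names and the sample headers are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer for a BDF header value (not FontForge's size). */
#define FIELD_MAX 32

/* Locate the value of header KEY on the line starting at LINE.
 * BDF header lines look like:  CHARSET_REGISTRY "ISO10646"
 * Returns a pointer to the first byte of the value (quotes stripped) and
 * stores its length in *LEN; returns NULL if the line does not carry KEY. */
static const char *bdf_field_value(const char *line, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != ' ')
        return NULL;
    const char *v = line + klen;
    while (*v == ' ')
        v++;
    if (*v == '"')
        v++;
    *len = strcspn(v, "\"\r\n");   /* value ends at the closing quote or end of line */
    return v;
}

/* BEFORE: the overflow pattern. The value is copied into a FIELD_MAX-byte
 * buffer without checking its length, so a crafted value longer than
 * FIELD_MAX-1 bytes writes past the end of the caller's stack buffer.
 * Kept only for contrast; never feed it untrusted input. */
int bdf_field_copy_unsafe(const char *line, const char *key, char out[FIELD_MAX])
{
    size_t len;
    const char *v = bdf_field_value(line, key, &len);
    if (v == NULL)
        return -1;
    memcpy(out, v, len);      /* no bound against FIELD_MAX */
    out[len] = '\0';
    return 0;
}

/* AFTER: the same copy with the destination size checked first.
 * Returns 0 on success, -1 if KEY is not on this line, -2 if the value
 * does not fit in OUTSZ bytes (including the terminator). */
int bdf_field_copy_safe(const char *line, const char *key, char *out, size_t outsz)
{
    size_t len;
    const char *v = bdf_field_value(line, key, &len);
    if (v == NULL)
        return -1;
    if (len >= outsz) {
        out[0] = '\0';
        return -2;            /* reject instead of overflowing */
    }
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Walk the header of a BDF font held in memory (up to ENDPROPERTIES) and
 * extract CHARSET_REGISTRY with the bounded copy. Returns the copy status,
 * or -1 if the header has no CHARSET_REGISTRY line. */
int bdf_read_charset_registry(const char *bdf, char *out, size_t outsz)
{
    const char *p = bdf;
    out[0] = '\0';
    while (*p != '\0') {
        if (strncmp(p, "ENDPROPERTIES", 13) == 0)
            break;
        int rc = bdf_field_copy_safe(p, "CHARSET_REGISTRY", out, outsz);
        if (rc != -1)
            return rc;
        const char *nl = strchr(p, '\n');
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return -1;
}

/* Constructed sample header (not the PoC attached to this bug). */
static const char SAMPLE_BDF[] =
    "STARTFONT 2.1\n"
    "FONT -misc-fixed-medium-r-normal--13-120-75-75-c-70-iso10646-1\n"
    "SIZE 13 75 75\n"
    "FONTBOUNDINGBOX 7 13 0 -2\n"
    "STARTPROPERTIES 2\n"
    "CHARSET_REGISTRY \"ISO10646\"\n"
    "CHARSET_ENCODING \"1\"\n"
    "ENDPROPERTIES\n";

/* Build a constructed header whose CHARSET_REGISTRY value is VALUE_LEN bytes
 * of 'A', the shape of input that overflows the unchecked copy.
 * Returns the number of bytes written, or 0 if BUF is too small. */
size_t bdf_build_overlong_header(char *buf, size_t bufsz, size_t value_len)
{
    const char *head = "STARTFONT 2.1\nSTARTPROPERTIES 1\nCHARSET_REGISTRY \"";
    const char *tail = "\"\nENDPROPERTIES\n";
    size_t need = strlen(head) + value_len + strlen(tail) + 1;
    if (need > bufsz)
        return 0;
    strcpy(buf, head);
    memset(buf + strlen(head), 'A', value_len);
    strcpy(buf + strlen(head) + value_len, tail);
    return need - 1;
}

int main(void)
{
    char reg[FIELD_MAX];
    char crafted[1024];

    printf("sample: rc=%d value=\"%s\"\n",
           bdf_read_charset_registry(SAMPLE_BDF, reg, sizeof reg), reg);
    bdf_build_overlong_header(crafted, sizeof crafted, 400);
    printf("crafted: rc=%d (value rejected, no overflow)\n",
           bdf_read_charset_registry(crafted, reg, sizeof reg));
    return 0;
}
```

The bounded version rejects the overlong value outright rather than truncating it; that is the simpler contract to reason about for a header field, and it turns the crafted file into a parse error instead of a crash. FORTIFY_SOURCE, as the severity note in the report says, only helps at the point of the copy (aborting instead of corrupting the stack); the length check is what removes the crash.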
Thanks very much for the patch! Updates should roll out soon.
https://admin.fedoraproject.org/updates/fontforge-20100501-5.fc14 (and similar f13 update) fixed this long ago. Can we just close this now?
This issue has been addressed in the following versions: 1) fontforge-20100501-5.fc14 for Fedora-14, 2) fontforge-20090923-4.fc13 for Fedora-13, 3) fontforge-20061025-3.el5 for EPEL-5 and 4) fontforge-20061025-3.el4 for EPEL-4.
Kevin, to your question,
(In reply to comment #9)
> https://admin.fedoraproject.org/updates/fontforge-20100501-5.fc14
> (and similar f13 update) fixed this long ago.
>
> Can we just close this now?
No, this issue still affects the fontforge package as shipped with Red Hat Enterprise Linux 6. This bug will be closed only once it has been addressed there too. You are not responsible for this bug, though; it will be closed by the Red Hat Security Response Team once the issue has been solved in all affected packages. You are / have been responsible only for BZ#659365, which is solved now.
Hope this helps.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team