Bug 1661454 (CVE-2018-19876) - CVE-2018-19876 cairo: Invalid free in cairo_ft_apply_variations() resulting in a denial of service
Summary: CVE-2018-19876 cairo: Invalid free in cairo_ft_apply_variations() resulting i...
Status: NEW
Alias: CVE-2018-19876
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20181113,reported=2...
Keywords: Security
Depends On: 1661455 1661456 1661457 1663110
Blocks: 1661458
TreeView+ depends on / blocked
 
Reported: 2018-12-21 10:04 UTC by Andrej Nemec
Modified: 2019-01-25 04:52 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Andrej Nemec 2018-12-21 10:04:15 UTC
cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit's fastMalloc, leading to an application crash with a "free(): invalid pointer" error.

Upstream issue:

https://bugs.webkit.org/show_bug.cgi?id=191595

Upstream MR:

https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5

Comment 1 Andrej Nemec 2018-12-21 10:04:31 UTC
Created cairo tracking bugs for this issue:

Affects: fedora-all [bug 1661456]


Created mingw-cairo tracking bugs for this issue:

Affects: epel-7 [bug 1661455]
Affects: fedora-all [bug 1661457]

Comment 2 Huzaifa S. Sidhpurwala 2019-01-03 08:19:27 UTC
Analysis:

This is essentially a bug in which cairo tries to free a FT_MM_Var data structure using system free() rather than using FT_Done_MM_Var() when freetype 2.9 is used. This bug is triggered when WebKit tries to use its internal fastMalloc() for allocating and free'ing cairo data structures. This is really cairo and freetype version specific and the trigger factor is how WebKit deals with these data structures.

Based on the complexity of the overall problem and the trigger factor, it is safe to call this low impact.


Note You need to log in before you can comment on or make changes to this bug.