Bug 1790041 (CVE-2020-5395) - CVE-2020-5395 fontforge: out-of-bounds write in SFD_GetFontMetaData function in sfd.c
Summary: CVE-2020-5395 fontforge: out-of-bounds write in SFD_GetFontMetaData function ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-5395
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1790973 1821664 1790042 1790974
Blocks: 1790043
Reported: 2020-01-11 14:24 UTC by Pedro Sampaio
Modified: 2020-04-28 16:35 UTC (History)
CC List: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write was discovered in fontforge while parsing SFD files containing very large LayerCount tokens. The flaw allows an attacker to overwrite data before a buffer allocated on the heap, thus causing the application to crash or execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2020-04-28 16:35:22 UTC


Links
System                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:1921  None      None    None     2020-04-28 16:09:34 UTC

Description Pedro Sampaio 2020-01-11 14:24:52 UTC
FontForge 20190801 has an out-of-bounds write in SFD_GetFontMetaData in sfd.c.

Upstream issue:

https://github.com/fontforge/fontforge/issues/4084

Comment 1 Pedro Sampaio 2020-01-11 14:25:10 UTC
Created fontforge tracking bugs for this issue:

Affects: fedora-all [bug 1790042]

Comment 3 Riccardo Schirone 2020-01-14 14:29:19 UTC
Vulnerable versions of fontforge allow the layer_cnt field of the SplineFont parser to be set to a very big number, which is parsed as a negative number, through the usage of the LayerCount token. This bypasses the reallocation of the layers array and subsequently, during the parsing of the Layer token, it writes starting one byte before the beginning of the array. The out-of-bounds write overwrites heap metadata, which may be abused to crash the program or possibly execute code.

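The mechanism described in comment 3, shown as an added example that is not part of this bug report and is not fontforge's sfd.c: a constructed model of a LayerCount handler whose signed count wraps negative and skips the realloc, beside a Layer handler that only checks the upper bound, next to a hardened pair that validates the count before storing it and bounds the index on both sides. The struct and function names, the wrapping integer reader, the MAX_LAYERS cap, the layer_store() guard that reports an out-of-bounds store instead of performing it, and the two SFD snippets are all assumptions made for the demo.

```c
/* Constructed model of the LayerCount / Layer handling described in comment 3.
 * NOT fontforge's sfd.c: names, the wrapping reader, MAX_LAYERS and the
 * layer_store() guard are assumptions for this demo. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LAYERS 256            /* assumed sanity cap for the hardened path */

typedef struct { char *name; } LayerInfo;
typedef struct {
    int layer_cnt;                /* signed count, as in the report */
    LayerInfo *layers;
    size_t alloc_cnt;             /* demo-only: entries that really exist */
} SplineFont;
typedef struct { int layer_cnt, accepted, rejected, oob; } ParseResult;

/* Model of a decimal reader that accumulates into 32 bits and wraps, so a
 * "very big" token such as 4294967295 comes back as -1. */
static int getint_wrapping(const char *s) {
    uint32_t v = 0; int neg = 0;
    while (*s == ' ') s++;
    if (*s == '-') { neg = 1; s++; }
    for (; *s >= '0' && *s <= '9'; s++) v = v * 10u + (uint32_t)(*s - '0');
    int64_t r = neg ? -(int64_t)v : (int64_t)v;
    if (r > INT_MAX) r -= 4294967296LL;
    if (r < INT_MIN) r += 4294967296LL;
    return (int)r;
}

static char *dup_str(const char *s) {
    char *d = malloc(strlen(s) + 1);
    if (d) strcpy(d, s);
    return d;
}

static SplineFont *sf_new(void) {
    SplineFont *sf = calloc(1, sizeof *sf);
    sf->layer_cnt = 2;                      /* fonts start with two layers */
    sf->layers = calloc(2, sizeof(LayerInfo));
    sf->alloc_cnt = 2;
    return sf;
}

static void sf_free(SplineFont *sf) {
    for (size_t i = 0; i < sf->alloc_cnt; i++) free(sf->layers[i].name);
    free(sf->layers);
    free(sf);
}

/* Grow the array to n entries and zero the new tail (shared by both paths). */
static int layers_grow(SplineFont *sf, size_t n) {
    if (n <= sf->alloc_cnt) return 0;
    LayerInfo *p = realloc(sf->layers, n * sizeof(LayerInfo));
    if (!p) return -1;
    memset(p + sf->alloc_cnt, 0, (n - sf->alloc_cnt) * sizeof(LayerInfo));
    sf->layers = p; sf->alloc_cnt = n;
    return 0;
}

/* Stand-in for "sf->layers[idx].name = ...": instead of corrupting the demo's
 * own heap it returns -1 when the store would land outside the allocation. */
static int layer_store(SplineFont *sf, long idx, const char *name) {
    if (idx < 0 || (size_t)idx >= sf->alloc_cnt) return -1;
    free(sf->layers[idx].name);
    sf->layers[idx].name = dup_str(name);
    return 0;
}

/* Vulnerable pattern: a wrapped (negative) count skips the realloc, and the
 * Layer index is only checked against the upper bound. */
static int layercount_vuln(SplineFont *sf, const char *val) {
    sf->layer_cnt = getint_wrapping(val);
    if (sf->layer_cnt > 2 && layers_grow(sf, (size_t)sf->layer_cnt) < 0) abort();
    return 0;
}
static int layer_vuln(SplineFont *sf, const char *val) {
    int idx = getint_wrapping(val);
    if (idx < sf->layer_cnt)              /* with layer_cnt == -1, idx == -2 passes */
        return layer_store(sf, idx, val);
    return 1;
}

/* Hardened pattern: validate the count before it touches layer_cnt, and
 * bound the index on both sides. */
static int layercount_fixed(SplineFont *sf, const char *val) {
    char *end; long n = strtol(val, &end, 10);
    if (end == val || n < 2 || n > MAX_LAYERS) return 1;     /* reject token */
    if (layers_grow(sf, (size_t)n) < 0) return 1;
    sf->layer_cnt = (int)n;
    return 0;
}
static int layer_fixed(SplineFont *sf, const char *val) {
    char *end; long idx = strtol(val, &end, 10);
    if (end == val || idx < 0 || idx >= sf->layer_cnt) return 1;
    return layer_store(sf, idx, val);
}

static const char *after_token(const char *line, const char *tok) {
    size_t n = strlen(tok);
    return strncmp(line, tok, n) == 0 ? line + n : NULL;
}

/* Feed SFD-style lines to the vulnerable (hardened == 0) or fixed handlers.
 * Returns how many tokens were accepted, rejected, or would have written OOB. */
static ParseResult sfd_parse(const char *text, int hardened) {
    SplineFont *sf = sf_new();
    ParseResult r = {0, 0, 0, 0};
    char line[128];
    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, text, n); line[n] = '\0';
        text += n + (text[n] == '\n');
        const char *val; int rc;
        if ((val = after_token(line, "LayerCount:")))
            rc = hardened ? layercount_fixed(sf, val) : layercount_vuln(sf, val);
        else if ((val = after_token(line, "Layer:")))
            rc = hardened ? layer_fixed(sf, val) : layer_vuln(sf, val);
        else continue;
        if (rc < 0) r.oob++; else if (rc > 0) r.rejected++; else r.accepted++;
    }
    r.layer_cnt = sf->layer_cnt;
    sf_free(sf);
    return r;
}

/* Constructed inputs for the demo, not files from the report. */
static const char EVIL_SFD[] =
    "SplineFontDB: 3.0\n"
    "LayerCount: 4294967295\n"           /* wraps to -1 in the vulnerable reader */
    "Layer: -2 \"evil\"\n";
static const char GOOD_SFD[] =
    "SplineFontDB: 3.0\n"
    "LayerCount: 3\n"
    "Layer: 2 \"Fore\"\n";

int main(void) {
    ParseResult v = sfd_parse(EVIL_SFD, 0), f = sfd_parse(EVIL_SFD, 1);
    printf("vulnerable: layer_cnt=%d oob_writes=%d\n", v.layer_cnt, v.oob);
    printf("hardened:   layer_cnt=%d oob_writes=%d rejected=%d\n",
           f.layer_cnt, f.oob, f.rejected);
    return 0;
}
```

The point of the hardened pair is ordering: the count is range-checked as a long before it is ever stored into the int field, so no wrapped value reaches layer_cnt, and the Layer index is rejected when negative rather than relying on a one-sided comparison against a count the attacker controls.
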
Comment 4 Riccardo Schirone 2020-01-14 14:41:23 UTC
Impact of the flaw set to Moderate even though the CVSSv3.1 score is 8.8, since we don't consider a network-facing application that accepts untrusted font files a reasonable use of the fontforge tool/library, as also explained upstream in https://github.com/fontforge/fontforge/issues/4086#issuecomment-570772533 .

Comment 7 Riccardo Schirone 2020-01-14 16:18:45 UTC
Statement:

Impact of the flaw set to Moderate since upstream does not consider a network-facing application that accepts untrusted font files as a reasonable use of fontforge tool/library, making the impact of a possible exploitation of this flaw smaller.

Comment 11 Parag Nemade 2020-02-18 05:17:51 UTC
The fontforge upstream made it clear not to cherry-pick upstream commits and patch them in Fedora. See https://github.com/fontforge/fontforge/issues/4164#issuecomment-586589395

Comment 12 errata-xmlrpc 2020-04-28 16:09:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1921 https://access.redhat.com/errata/RHSA-2020:1921

Comment 13 Product Security DevOps Team 2020-04-28 16:35:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5395
