oss-sec mailing list archives

CVE Request -- FreeType: Multiple security flaws to be fixed in v2.4.9

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 06 Mar 2012 20:57:12 +0100

Hello Kurt, Steve, vendors,

  we have been notified by Mateusz Jurczyk of the Google Security Team,
about the following FreeType security flaws, which are going to be fixed
in v2.4.9 version.

Credit: Mateusz Jurczyk, Google Security Team

Note: Though some the issues below might look like related / the same, I have
      checked that each of them exclude themselves (IOW each of them is different
      issue like the another. But was lazy to cross-reference those, which of them
      is different from which another.

      Reproducers are attached to relevant upstream bug reports.

      Have Cc-ed Werner Lemberg of FreeType upstream on this post too, so he could
      collect CVE identifiers prior FreeType v2.4.9 release.

      Yet, requesting CVE identifier even for the NULL ptr dereference and floating
      point exception / integer divide by zero issue below, even if Red Hat would not
      consider these to be security flaws. But other distributions might be doing so,
      thus will let Steve to decide, if these two desire CVE identifiers or not.

      And finally, due the count of the issues, not including full issues description
      under each entry (to shorten the request). Only particular Red Hat Bugzilla entry
      summary is included with relevant links to upstream bugs and commits. Further issue
      description can be found under particular Red Hat Bugzilla entry for each of them
      in initial comment (#c0).

Kurt, Steve, could you allocate CVE identifiers for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team




Issue #1:
=========
  freetype: Out-of heap-based buffer read by parsing, adding properties in BDF
  fonts, or validating if property being an atom (FU#35597, FU#35598)

Upstream bug reports:
[1] https://savannah.nongnu.org/bugs/?35597
[2] https://savannah.nongnu.org/bugs/?35598

Upstream patch:

[3]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=320d4976d1d010b5abe9d61a7423d8ca06bc34df


Red Hat Bugzilla entry:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=800581

Issue #2:
=========
  freetype: Out-of heap-based buffer read by parsing glyph information and
  bitmaps for BDF fonts (FU#35599, FU#35600)

Upstream bug reports:
[1] https://savannah.nongnu.org/bugs/?35599
[2] https://savannah.nongnu.org/bugs/?35600

Upstream patch:

[3]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0b1c0c6b20bf121096afff206d570f26183402b3


Red Hat Bugzilla entry:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=800583

Issue #3:
=========
  freetype: NULL pointer dereference by moving zone2 pointer point for certain
  TrueType font (FU#35601)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35601

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=96cddb8d1d32d6738b06552083db9d6cee5b5cb4


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800584

Issue #4:
=========
  freetype: Out-of heap-based buffer read when parsing certain SFNT strings
  by Type42 font parser (FU#35602)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35602

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=82365c0dead99dd119d9e7117cf4f36ce1d1cbe1


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800585

Issue #5:
=========
  freetype: Out-of heap-based buffer read by loading properties of PCF
  fonts (FU#35603)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35603

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c776fc17bfeaa607405fc96620e9445e7a0965c3


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800587

Issue #6:
=========
  freetype (64-bit specific): Out-of heap-based buffer read by attempt to
  record current cell into the cell table (FU#35604)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35604

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=fcbc82e69e7b114b0db75e955896107d611898e6


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800589

Issue #7:
=========
  freetype: Out-of heap-based buffer read flaw in Type1 font loader by
  parsing font dictionary entries (FU#35606)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35606

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=58cbc465d2ccd904dee755cff791fbb3a866646d


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800590

Issue #8:
=========
  freetype: Out-of heap-based buffer write by parsing BDF glyph information
  and bitmaps (FU#35607)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35607

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=28dd2c45957278e962f95633157b6139de8170aa


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800591

Issue #9:
=========
  freetype: Out-of heap-based buffer write in Type1 font parser by retrieving
  font's private dictionary (FU#35608)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35608

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9577add645c8c05460c7d60ad486c021394b82e


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800592

Issue #10:
==========
  freetype: Out-of heap-based buffer read in TrueType bytecode interpreter
  by executing NPUSHB and NPUSHW instructions (FU#35640)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35640

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=5dddcc45a03b336860436a180aec5b358517336b


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800593

Issue #11:
==========
  freetype: Out-of heap-based buffer write by parsing BDF glyph and bitmaps
  information with missing ENCODING field (FU#35641)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35641

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=4086fb7caf41e33137e548e43a49a97b127cd369


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800594

Issue #12:
==========
  freetype: Out-of heap-based buffer read by parsing BDF font header (FU#35643)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35643

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cee5d593582801f65c5e127d9de9ca24ebcdc747


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800595

Issue #13:
==========
  freetype: Out-of heap-based buffer read in the TrueType bytecode
  interpreter by executing the MIRP instruction (FU#35646)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35646

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a33c013fe2dc6e65de2879682201d9c155292349


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800597

Issue #14:
==========
  freetype: Array index error, leading to out-of stack based buffer
  read by parsing BDF font glyph information (FU#35656)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35656

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=6ac022dc750d95296a6f731b9594f2e751d997fa


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800598

Issue #15:
==========
  freetype: Out-of heap-based buffer read by conversion of PostScript font objects (FU#35657)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35657

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=292144b44a15c1a72f2ef76475d65b7a3a3fba67


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800600

Issue #16:
==========
  freetype: Out-of heap-based buffer read flaw by conversion of an ASCII
  string into a signed short integer by processing BDF fonts (FU#35658)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35658

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9c1659610f9cd5e103790cb5963483d65cf0d2d


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800602

Issue #17:
==========
  freetype: Out-of heap-based buffer write by retrieval of advance values
  for glyph outlines (FU#35659)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35659

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=7d35a7dc7cc621538a1f4a63c83ebf223aace0b0


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800604

Issue #18:
==========
  freetype: Integer divide by zero by performing arithmetic
  computations for certain fonts (FU#35660)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35660

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=ba67957d5ead443f4b6b31805d6e780d54361ca4


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800606

Issue #19:
==========
  freetype: Out-of heap-based buffer write in the TrueType bytecode
  interpreter by moving zone2 pointer point (FU#35689)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35689

Upstream patch:

[2]http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0fc8debeb6c2f6a8a9a2b97332a7c8a0a1bd9e85


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800607

Current thread:

CVE Request -- FreeType: Multiple security flaws to be fixed in v2.4.9 Jan Lieskovsky (Mar 06)
- Re: CVE Request -- FreeType: Multiple security flaws to be fixed in v2.4.9 Kurt Seifried (Mar 06)
  - Re: CVE Request -- FreeType: Multiple security flaws to be fixed in v2.4.9 Werner LEMBERG (Mar 07)