Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 06 Mar 2012 20:57:12 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com, Mateusz Jurczyk <mjurczyk@...gle.com>,
        Werner Lemberg <wl@....org>, Moritz Muehlenhoff <jmm@...ian.org>,
        Moritz Muehlenhoff <jmm@...til.org>
Subject: CVE Request -- FreeType: Multiple security flaws to be fixed in v2.4.9

Hello Kurt, Steve, vendors,

   we have been notified by Mateusz Jurczyk of the Google Security Team,
about the following FreeType security flaws, which are going to be fixed
in v2.4.9 version.

Credit: Mateusz Jurczyk, Google Security Team

Note: Though some the issues below might look like related / the same, I have
       checked that each of them exclude themselves (IOW each of them is different
       issue like the another. But was lazy to cross-reference those, which of them
       is different from which another.

       Reproducers are attached to relevant upstream bug reports.

       Have Cc-ed Werner Lemberg of FreeType upstream on this post too, so he could
       collect CVE identifiers prior FreeType v2.4.9 release.

       Yet, requesting CVE identifier even for the NULL ptr dereference and floating
       point exception / integer divide by zero issue below, even if Red Hat would not
       consider these to be security flaws. But other distributions might be doing so,
       thus will let Steve to decide, if these two desire CVE identifiers or not.

       And finally, due the count of the issues, not including full issues description
       under each entry (to shorten the request). Only particular Red Hat Bugzilla entry
       summary is included with relevant links to upstream bugs and commits. Further issue
       description can be found under particular Red Hat Bugzilla entry for each of them
       in initial comment (#c0).

Kurt, Steve, could you allocate CVE identifiers for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team




Issue #1:
=========
   freetype: Out-of heap-based buffer read by parsing, adding properties in BDF
   fonts, or validating if property being an atom (FU#35597, FU#35598)

Upstream bug reports:
[1] https://savannah.nongnu.org/bugs/?35597
[2] https://savannah.nongnu.org/bugs/?35598

Upstream patch:
[3] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=320d4976d1d010b5abe9d61a7423d8ca06bc34df

Red Hat Bugzilla entry:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=800581

Issue #2:
=========
   freetype: Out-of heap-based buffer read by parsing glyph information and
   bitmaps for BDF fonts (FU#35599, FU#35600)

Upstream bug reports:
[1] https://savannah.nongnu.org/bugs/?35599
[2] https://savannah.nongnu.org/bugs/?35600

Upstream patch:
[3] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0b1c0c6b20bf121096afff206d570f26183402b3

Red Hat Bugzilla entry:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=800583

Issue #3:
=========
   freetype: NULL pointer dereference by moving zone2 pointer point for certain
   TrueType font (FU#35601)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35601

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=96cddb8d1d32d6738b06552083db9d6cee5b5cb4

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800584

Issue #4:
=========
   freetype: Out-of heap-based buffer read when parsing certain SFNT strings
   by Type42 font parser (FU#35602)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35602

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=82365c0dead99dd119d9e7117cf4f36ce1d1cbe1

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800585

Issue #5:
=========
   freetype: Out-of heap-based buffer read by loading properties of PCF
   fonts (FU#35603)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35603

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c776fc17bfeaa607405fc96620e9445e7a0965c3

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800587

Issue #6:
=========
   freetype (64-bit specific): Out-of heap-based buffer read by attempt to
   record current cell into the cell table (FU#35604)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35604

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=fcbc82e69e7b114b0db75e955896107d611898e6

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800589

Issue #7:
=========
   freetype: Out-of heap-based buffer read flaw in Type1 font loader by
   parsing font dictionary entries (FU#35606)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35606

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=58cbc465d2ccd904dee755cff791fbb3a866646d

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800590

Issue #8:
=========
   freetype: Out-of heap-based buffer write by parsing BDF glyph information
   and bitmaps (FU#35607)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35607

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=28dd2c45957278e962f95633157b6139de8170aa

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800591

Issue #9:
=========
   freetype: Out-of heap-based buffer write in Type1 font parser by retrieving
   font's private dictionary (FU#35608)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35608

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9577add645c8c05460c7d60ad486c021394b82e

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800592

Issue #10:
==========
   freetype: Out-of heap-based buffer read in TrueType bytecode interpreter
   by executing NPUSHB and NPUSHW instructions (FU#35640)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35640

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=5dddcc45a03b336860436a180aec5b358517336b

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800593

Issue #11:
==========
   freetype: Out-of heap-based buffer write by parsing BDF glyph and bitmaps
   information with missing ENCODING field (FU#35641)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35641

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=4086fb7caf41e33137e548e43a49a97b127cd369

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800594

Issue #12:
==========
   freetype: Out-of heap-based buffer read by parsing BDF font header (FU#35643)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35643

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cee5d593582801f65c5e127d9de9ca24ebcdc747

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800595

Issue #13:
==========
   freetype: Out-of heap-based buffer read in the TrueType bytecode
   interpreter by executing the MIRP instruction (FU#35646)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35646

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a33c013fe2dc6e65de2879682201d9c155292349

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800597

Issue #14:
==========
   freetype: Array index error, leading to out-of stack based buffer
   read by parsing BDF font glyph information (FU#35656)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35656

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=6ac022dc750d95296a6f731b9594f2e751d997fa

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800598

Issue #15:
==========
   freetype: Out-of heap-based buffer read by conversion of PostScript font objects (FU#35657)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35657

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=292144b44a15c1a72f2ef76475d65b7a3a3fba67

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800600

Issue #16:
==========
   freetype: Out-of heap-based buffer read flaw by conversion of an ASCII
   string into a signed short integer by processing BDF fonts (FU#35658)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35658

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9c1659610f9cd5e103790cb5963483d65cf0d2d

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800602

Issue #17:
==========
   freetype: Out-of heap-based buffer write by retrieval of advance values
   for glyph outlines (FU#35659)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35659

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=7d35a7dc7cc621538a1f4a63c83ebf223aace0b0

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800604

Issue #18:
==========
   freetype: Integer divide by zero by performing arithmetic
   computations for certain fonts (FU#35660)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35660

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=ba67957d5ead443f4b6b31805d6e780d54361ca4

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800606

Issue #19:
==========
   freetype: Out-of heap-based buffer write in the TrueType bytecode
   interpreter by moving zone2 pointer point (FU#35689)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35689

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0fc8debeb6c2f6a8a9a2b97332a7c8a0a1bd9e85

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800607

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.