freetype: various new security issues

Debian Bug report logs - #777656


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 11 Feb 2015 06:54:07 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version freetype/2.5.2-2

Fixed in version freetype/2.5.2-3

Done: Keith Packard <keithp@keithp.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#777656; Package src:freetype. (Wed, 11 Feb 2015 06:54:12 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>. (Wed, 11 Feb 2015 06:54:12 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: freetype: various new security issues
Date: Wed, 11 Feb 2015 07:51:16 +0100
Source: freetype
Version: 2.5.2-2
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for freetype. I filed
this as "RC" since at least one seems to allow code execution. Could
you help identify which also affect wheezy?

CVE-2014-9656[0]:
| The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType
| before 2.5.4 does not properly check for an integer overflow, which
| allows remote attackers to cause a denial of service (out-of-bounds
| read) or possibly have unspecified other impact via a crafted OpenType
| font.

CVE-2014-9657[1]:
| The tt_face_load_hdmx function in truetype/ttpload.c in FreeType
| before 2.5.4 does not establish a minimum record size, which allows
| remote attackers to cause a denial of service (out-of-bounds read) or
| possibly have unspecified other impact via a crafted TrueType font.

CVE-2014-9658[2]:
| The tt_face_load_kern function in sfnt/ttkern.c in FreeType before
| 2.5.4 enforces an incorrect minimum table length, which allows remote
| attackers to cause a denial of service (out-of-bounds read) or
| possibly have unspecified other impact via a crafted TrueType font.

CVE-2014-9659[3]:
| cff/cf2intrp.c in the CFF CharString interpreter in FreeType before
| 2.5.4 proceeds with additional hints after the hint mask has been
| computed, which allows remote attackers to execute arbitrary code or
| cause a denial of service (stack-based buffer overflow) via a crafted
| OpenType font.  NOTE: this vulnerability exists because of an
| incomplete fix for CVE-2014-2240.

CVE-2014-9660[4]:
| The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before
| 2.5.4 does not properly handle a missing ENDCHAR record, which allows
| remote attackers to cause a denial of service (NULL pointer
| dereference) or possibly have unspecified other impact via a crafted
| BDF font.

CVE-2014-9661[5]:
| type42/t42parse.c in FreeType before 2.5.4 does not consider that
| scanning can be incomplete without triggering an error, which allows
| remote attackers to cause a denial of service (use-after-free) or
| possibly have unspecified other impact via a crafted Type42 font.

CVE-2014-9662[6]:
| cff/cf2ft.c in FreeType before 2.5.4 does not validate the return
| values of point-allocation functions, which allows remote attackers to
| cause a denial of service (heap-based buffer overflow) or possibly
| have unspecified other impact via a crafted OTF font.

CVE-2014-9663[7]:
| The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before
| 2.5.4 validates a certain length field before that field's value is
| completely calculated, which allows remote attackers to cause a denial
| of service (out-of-bounds read) or possibly have unspecified other
| impact via a crafted cmap SFNT table.

CVE-2014-9664[8]:
| FreeType before 2.5.4 does not check for the end of the data during
| certain parsing actions, which allows remote attackers to cause a
| denial of service (out-of-bounds read) or possibly have unspecified
| other impact via a crafted Type42 font, related to type42/t42parse.c
| and type1/t1load.c.

CVE-2014-9665[9]:
| The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4
| does not restrict the rows and pitch values of PNG data, which allows
| remote attackers to cause a denial of service (integer overflow and
| heap-based buffer overflow) or possibly have unspecified other impact
| by embedding a PNG file in a .ttf font file.

CVE-2014-9666[10]:
| The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before
| 2.5.4 proceeds with a count-to-size association without restricting
| the count value, which allows remote attackers to cause a denial of
| service (integer overflow and out-of-bounds read) or possibly have
| unspecified other impact via a crafted embedded bitmap.

CVE-2014-9667[11]:
| sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length
| calculations without restricting the values, which allows remote
| attackers to cause a denial of service (integer overflow and
| out-of-bounds read) or possibly have unspecified other impact via a
| crafted SFNT table.

CVE-2014-9668[12]:
| The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4
| proceeds with offset+length calculations without restricting length
| values, which allows remote attackers to cause a denial of service
| (integer overflow and heap-based buffer overflow) or possibly have
| unspecified other impact via a crafted Web Open Font Format (WOFF)
| file.

CVE-2014-9669[13]:
| Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4
| allow remote attackers to cause a denial of service (out-of-bounds
| read or memory corruption) or possibly have unspecified other impact
| via a crafted cmap SFNT table.

CVE-2014-9670[14]:
| Multiple integer signedness errors in the pcf_get_encodings function
| in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to
| cause a denial of service (integer overflow, NULL pointer dereference,
| and application crash) via a crafted PCF file that specifies negative
| values for the first column and first row.

CVE-2014-9671[15]:
| Off-by-one error in the pcf_get_properties function in pcf/pcfread.c
| in FreeType before 2.5.4 allows remote attackers to cause a denial of
| service (NULL pointer dereference and application crash) via a crafted
| PCF file with a 0xffffffff size value that is improperly incremented.

CVE-2014-9672[16]:
| Array index error in the parse_fond function in base/ftmac.c in
| FreeType before 2.5.4 allows remote attackers to cause a denial of
| service (out-of-bounds read) or obtain sensitive information from
| process memory via a crafted FOND resource in a Mac font file.

CVE-2014-9673[17]:
| Integer signedness error in the Mac_Read_POST_Resource function in
| base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to
| cause a denial of service (heap-based buffer overflow) or possibly
| have unspecified other impact via a crafted Mac font.

CVE-2014-9674[18]:
| The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType
| before 2.5.4 proceeds with adding to length values without validating
| the original values, which allows remote attackers to cause a denial
| of service (integer overflow and heap-based buffer overflow) or
| possibly have unspecified other impact via a crafted Mac font.

CVE-2014-9675[19]:
| bdf/bdflib.c in FreeType before 2.5.4 identifies property names by
| only verifying that an initial substring is present, which allows
| remote attackers to discover heap pointer values and bypass the ASLR
| protection mechanism via a crafted BDF font.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9656
[1] https://security-tracker.debian.org/tracker/CVE-2014-9657
[2] https://security-tracker.debian.org/tracker/CVE-2014-9658
[3] https://security-tracker.debian.org/tracker/CVE-2014-9659
[4] https://security-tracker.debian.org/tracker/CVE-2014-9660
[5] https://security-tracker.debian.org/tracker/CVE-2014-9661
[6] https://security-tracker.debian.org/tracker/CVE-2014-9662
[7] https://security-tracker.debian.org/tracker/CVE-2014-9663
[8] https://security-tracker.debian.org/tracker/CVE-2014-9664
[9] https://security-tracker.debian.org/tracker/CVE-2014-9665
[10] https://security-tracker.debian.org/tracker/CVE-2014-9666
[11] https://security-tracker.debian.org/tracker/CVE-2014-9667
[12] https://security-tracker.debian.org/tracker/CVE-2014-9668
[13] https://security-tracker.debian.org/tracker/CVE-2014-9669
[14] https://security-tracker.debian.org/tracker/CVE-2014-9670
[15] https://security-tracker.debian.org/tracker/CVE-2014-9671
[16] https://security-tracker.debian.org/tracker/CVE-2014-9672
[17] https://security-tracker.debian.org/tracker/CVE-2014-9673
[18] https://security-tracker.debian.org/tracker/CVE-2014-9674
[19] https://security-tracker.debian.org/tracker/CVE-2014-9675

Regards,
Salvatore
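Several of the entries above (CVE-2014-9666, CVE-2014-9667 and CVE-2014-9668 in particular) describe the same bug shape: an offset+length or count*size calculation done in fixed-width integers without first restricting the operands, so the sum wraps and a bounds test passes for data that lies far outside the stream. The C below is an added illustration of that pattern and its fix, not FreeType's code or the patches referenced in this bug. It walks the real SFNT table-directory layout (12-byte offset table, then 16-byte records of tag, checksum, offset, length) over constructed sample buffers, applying either the wrapping check or an overflow-safe one so the two outcomes can be compared. Function names and the sample bytes are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FreeType code.  The layout constants are the real
 * SFNT ones; everything else (names, sample buffers) is constructed here. */
#define SFNT_HEADER_SIZE 12
#define SFNT_RECORD_SIZE 16

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the sum is formed in 32 bits and silently wraps, so a
 * huge offset paired with a small length passes the test. */
bool table_in_bounds_naive(uint32_t offset, uint32_t length, uint32_t stream_size)
{
    return offset + length <= stream_size;
}

/* Hardened form: never form the sum; compare against the remaining space. */
bool table_in_bounds_safe(uint32_t offset, uint32_t length, uint32_t stream_size)
{
    if (offset > stream_size)
        return false;
    return length <= stream_size - offset;
}

/* count * record_size <= available, tested by division so it cannot overflow. */
bool count_fits(uint32_t count, uint32_t record_size, uint32_t available)
{
    if (record_size == 0)
        return false;
    return count <= available / record_size;
}

/* Walks an SFNT table directory and returns the number of tables, or -1 if
 * the directory or any record is rejected.  'safe' selects which
 * offset+length test is applied, so the two behaviours can be compared. */
int validate_table_directory(const uint8_t *buf, size_t size, bool safe)
{
    if (size < SFNT_HEADER_SIZE || size > UINT32_MAX)
        return -1;
    uint32_t stream_size = (uint32_t)size;
    uint16_t num_tables = read_be16(buf + 4);

    /* count-to-size check: all records must lie inside the buffer. */
    if (!count_fits(num_tables, SFNT_RECORD_SIZE, stream_size - SFNT_HEADER_SIZE))
        return -1;

    for (uint16_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = buf + SFNT_HEADER_SIZE + (size_t)i * SFNT_RECORD_SIZE;
        uint32_t offset = read_be32(rec + 8);
        uint32_t length = read_be32(rec + 12);
        bool ok = safe ? table_in_bounds_safe(offset, length, stream_size)
                       : table_in_bounds_naive(offset, length, stream_size);
        if (!ok)
            return -1;
    }
    return num_tables;
}

/* Constructed sample directories (not real fonts). */
/* One 'head' table at offset 28, length 4, inside a 32-byte stream. */
const uint8_t good_dir[32] = {
    0x00, 0x01, 0x00, 0x00,  0x00, 0x01,  0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
    'h', 'e', 'a', 'd',  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x1C,  0x00, 0x00, 0x00, 0x04,
    0xDE, 0xAD, 0xBE, 0xEF
};
/* offset 0xFFFFFFF0 + length 0x20 wraps to 0x10 in 32-bit arithmetic. */
const uint8_t wrapped_dir[28] = {
    0x00, 0x01, 0x00, 0x00,  0x00, 0x01,  0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
    'h', 'e', 'a', 'd',  0x00, 0x00, 0x00, 0x00,
    0xFF, 0xFF, 0xFF, 0xF0,  0x00, 0x00, 0x00, 0x20
};
/* numTables = 0xFFFF in a 28-byte stream: record array cannot fit. */
const uint8_t too_many_tables[28] = {
    0x00, 0x01, 0x00, 0x00,  0xFF, 0xFF,  0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
    'h', 'e', 'a', 'd',  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x1C,  0x00, 0x00, 0x00, 0x04
};

int main(void)
{
    printf("good dir, safe check:      %d\n", validate_table_directory(good_dir, sizeof good_dir, true));
    printf("wrapped dir, naive check:  %d\n", validate_table_directory(wrapped_dir, sizeof wrapped_dir, false));
    printf("wrapped dir, safe check:   %d\n", validate_table_directory(wrapped_dir, sizeof wrapped_dir, true));
    printf("0xFFFF tables, safe check: %d\n", validate_table_directory(too_many_tables, sizeof too_many_tables, true));
    return 0;
}
```

The naive check accepts the wrapped directory and a later read of `length` bytes at `offset` would run past the stream, which is the out-of-bounds read the CVE texts describe; the safe form rejects it before any read happens. The same rearrangement (compare against remaining space, or test a product by division) is the general fix for every offset+length and count*size check in a binary parser, not only the SFNT one shown here.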



Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#777656; Package src:freetype. (Mon, 23 Feb 2015 11:06:05 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 23 Feb 2015 11:06:05 GMT) (full text, mbox, link).


Message #10 received at 777656@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Steve Langasek <vorlon@debian.org>, Anthony Fok <foka@debian.org>, Keith Packard <keithp@keithp.com>
Cc: debian-lts@lists.debian.org, 777656@bugs.debian.org
Subject: squeeze update of freetype?
Date: Mon, 23 Feb 2015 12:03:15 +0100
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your package:
https://security-tracker.debian.org/tracker/source-package/freetype

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#777656; Package src:freetype. (Mon, 23 Feb 2015 18:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Keith Packard <keithp@keithp.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 23 Feb 2015 18:33:05 GMT) (full text, mbox, link).


Message #15 received at 777656@bugs.debian.org (full text, mbox, reply):

From: Keith Packard <keithp@keithp.com>
To: Raphael Hertzog <hertzog@debian.org>, Steve Langasek <vorlon@debian.org>, Anthony Fok <foka@debian.org>
Cc: debian-lts@lists.debian.org, 777656@bugs.debian.org
Subject: Re: squeeze update of freetype?
Date: Mon, 23 Feb 2015 10:20:14 -0800
Raphael Hertzog <hertzog@debian.org> writes:

> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of your package:
> https://security-tracker.debian.org/tracker/source-package/freetype
>
> Would you like to take care of this yourself?

I went to a BSP this weekend and worked on this -- I've merged 17 of
the 19 patches that are already upstream into the current unstable
version. I should be able to get the last two fixes merged and a new
package prepared tomorrow, at which point I suspect those patches will
be easier to get merged into the LTS version.

-- 
-keith

Reply sent to Keith Packard <keithp@keithp.com>:
You have taken responsibility. (Sat, 28 Feb 2015 05:21:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 28 Feb 2015 05:21:06 GMT) (full text, mbox, link).


Message #20 received at 777656-close@bugs.debian.org (full text, mbox, reply):

From: Keith Packard <keithp@keithp.com>
To: 777656-close@bugs.debian.org
Subject: Bug#777656: fixed in freetype 2.5.2-3
Date: Sat, 28 Feb 2015 05:19:01 +0000
Source: freetype
Source-Version: 2.5.2-3

We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 777656@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Keith Packard <keithp@keithp.com> (supplier of updated freetype package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Feb 2015 22:04:36 -0800
Source: freetype
Binary: libfreetype6 libfreetype6-dev freetype2-demos libfreetype6-udeb
Architecture: source amd64
Version: 2.5.2-3
Distribution: unstable
Urgency: medium
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Keith Packard <keithp@keithp.com>
Description:
 freetype2-demos - FreeType 2 demonstration programs
 libfreetype6 - FreeType 2 font engine, shared library files
 libfreetype6-dev - FreeType 2 font engine, development files
 libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Closes: 777656
Changes:
 freetype (2.5.2-3) unstable; urgency=medium
 .
   * Fix Savannah bug #43535. CVE-2014-9675
   * [bdf] Fix Savannah bug #41692. CVE-2014-9675-fixup-1
   * src/base/ftobj.c (Mac_Read_POST_Resource): Additional overflow check
     in the summation of POST fragment lengths. CVE-2014-0674-part-2
   * src/base/ftobjs.c (Mac_Read_POST_Resource): Insert comments and fold
     too long tracing messages. CVS-2014-9674-fixup-2
   * src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long variables to read the lengths in POST fragments. CVE-2014-9674-fixup-1
   * Fix Savannah bug #43538. CVE-2014-9674-part-1
   * Fix Savannah bug #43539. CVE-2014-9673
   * src/base/ftobjs.c (Mac_Read_POST_Resource): Avoid memory leak by
     a broken POST table in resource-fork. CVE-2014-9673-fixup
   * Fix Savannah bug #43540. CVE-2014-9672
   * Fix Savannah bug #43547. CVE-2014-9671
   * Fix Savannah bug #43548. CVE-2014-9670
   * [sfnt] Fix Savannah bug #43588. CVE-2014-9669
   * [sfnt] Fix Savannah bug #43589. CVE-2014-9668
   * [sfnt] Fix Savannah bug #43590. CVE-2014-9667
   * [sfnt] Fix Savannah bug #43591. CVE-2014-9666
   * Change some fields in `FT_Bitmap' to unsigned type. CVE-2014-9665
   * Fix uninitialized variable warning. CVE-2014-9665-fixup-2
   * Make `FT_Bitmap_Convert' correctly handle negative `pitch' values.
     CVE-2014-9665-fixup
   * [type1, type42] Fix Savannah bug #43655. CVE-2014-9664
   * [sfnt] Fix Savannah bug #43656. CVE-2014-9663
   * [cff] Fix Savannah bug #43658. CVE-2014-9662
   * [type42] Allow only embedded TrueType fonts. CVE-2014-9661
   * [bdf] Fix Savannah bug #43660. CVE-2014-9660
   * [cff] Fix Savannah bug #43661. CVE-2014-9659
   * [sfnt] Fix Savannah bug #43672. CVE-2014-9658
   * [truetype] Fix Savannah bug #43679. CVE-2014-9657
   * [sfnt] Fix Savannah bug #43680. CVE-2014-9656
   * All CVEs patched. Closes: #777656.
Checksums-Sha1:
 3a2a91cde82d0231cd17ac1ca9c93879ab81b152 2078 freetype_2.5.2-3.dsc
 0461db9903ba3cf76d8fb0c05589393f3bad6e37 65772 freetype_2.5.2-3.diff.gz
 23b5c440d27916d17c5581a04785fc01caa772e9 466228 libfreetype6_2.5.2-3_amd64.deb
 c76df6aed3041e8597fb203c5c0c28384c4d3560 639830 libfreetype6-dev_2.5.2-3_amd64.deb
 1509066bee74019295aad6cb33b8f50a36f22453 94324 freetype2-demos_2.5.2-3_amd64.deb
 1a8b57c3ea177ce29cf4893265dcb595619a605d 294948 libfreetype6-udeb_2.5.2-3_amd64.udeb
Checksums-Sha256:
 20f49e6af334c14921caf854b4c0f0d431b6ccec8d24ab87f05a5d87770fc0a5 2078 freetype_2.5.2-3.dsc
 3370204972ae5df8c0035dd0f473eee6cb461b85518c3155fc8ab062882b4bbd 65772 freetype_2.5.2-3.diff.gz
 90d27b9dbad6653eff439df987b4ef4ca340a08966b74072dfba88ab5fb33cf8 466228 libfreetype6_2.5.2-3_amd64.deb
 3031bd23dbd480e38d3adede602d2ffb72d080a34e40b87132bff2e63fddd4e5 639830 libfreetype6-dev_2.5.2-3_amd64.deb
 ade17c6d84ab2f7134f897c5e2f90af868aa489cd7ebe05c49deafc0ec8d4d0c 94324 freetype2-demos_2.5.2-3_amd64.deb
 c48a984d2bac451d69f5e9ca085271e32e0726d268618760005b51180d635a1b 294948 libfreetype6-udeb_2.5.2-3_amd64.udeb
Files:
 aaf787c7904ad14e7106e3e38e17f760 2078 libs optional freetype_2.5.2-3.dsc
 f08c158f41e2e5e4d8ba23e98aa05e6f 65772 libs optional freetype_2.5.2-3.diff.gz
 679df204496aaa7de1d131650bd4de9d 466228 libs optional libfreetype6_2.5.2-3_amd64.deb
 7079cc465d2d8caf3ca8454924be110d 639830 libdevel optional libfreetype6-dev_2.5.2-3_amd64.deb
 6666431bd19656f7d045973f2df93aac 94324 utils optional freetype2-demos_2.5.2-3_amd64.deb
 cb37948dcf3e77ac22a1f60dda553454 294948 debian-installer extra libfreetype6-udeb_2.5.2-3_amd64.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVPFLYtsiGmkAAAARAQhMeA/+Pksr1+7w2ofI0EjxNegjzpWTfeemeeOz
ts6yaDY3rsaIxegv+0Qt0XwP/CYqMJf3uqs51j6agFxVsrlsmS/MEH97HI0Y390L
poJ9Jrs3Aewewt3OyIn4fMcv7Kg/TBPj59ZG0GObBC2wm2ZupVYUy5gtkxvw6pvB
+ysZ12GP4LXj3Hbs/20XzrknZe5PY/wxi2+rucTA/NztqWX8WwebDp5BzJY5N93g
P3CTEEDAngbkQXow/AVknbrn83jEM+WoXC7sNr46zN3ETxVmdM/juNFd42357DBm
8b4q2WowKoCNcREKcebCbDjxaATKJEJ9OsCy5SBb/GKOmrS9mSFBKDyG89rfsocJ
lJqGK/jXdB4pIfKB9aKFKhTOIiDjE0YJBxVpNCzZQHoGm+jcN804Cl8sPOZfLjvN
oqTxPJHJDrScn0lWhO/Msia18lS2EaN63aTDybXmyMZwh4KNWZrTuRDMYWF9XdqS
GKDkdzWtLBLr8B7U7e+7+M+dziIGepWiHoeRpCMMWC8RK+c8lPhSFRYem3kkhn/F
LbgVlxRQlVlzfgTBZQHOV4TTT9yp1IMZCMhuCNmzcAXu7xPnVSMPqgBD3Dv4XroN
88w2tLWh4OK9VGttw1ZBDq5DsFff7WUw1K/9A74EAZ4jFl+SgXd/vco4vI/TuRWN
CUaT2yCxx20=
=G5BZ
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 28 Mar 2015 07:27:57 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:17:54 2019; Machine Name: buxtehude
