fontconfig: CVE-2016-5384: possible double free due to insufficiently validated cache files

Related Vulnerabilities: CVE-2016-5384  

Debian Bug report logs - #833570


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 6 Aug 2016 08:12:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions fontconfig/2.11.0-6.3, fontconfig/2.9.0-7.1

Fixed in versions fontconfig/2.9.0-7.1+deb7u1, fontconfig/2.11.0-6.5, fontconfig/2.11.0-6.3+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Keith Packard <keithp@debian.org>:
Bug#833570; Package src:fontconfig. (Sat, 06 Aug 2016 08:12:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Keith Packard <keithp@debian.org>. (Sat, 06 Aug 2016 08:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fontconfig: CVE-2016-5384: possible double free due to insufficiently validated cache files
Date: Sat, 06 Aug 2016 10:09:45 +0200
Source: fontconfig
Version: 2.11.0-6.3
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for fontconfig.

CVE-2016-5384[0]:
possible double free due to insufficiently validated cache files

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5384
[1] https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Keith Packard <keithp@debian.org>:
Bug#833570; Package src:fontconfig. (Sat, 06 Aug 2016 08:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Keith Packard <keithp@debian.org>. (Sat, 06 Aug 2016 08:45:03 GMT)


Message #10 received at 833570@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 833570@bugs.debian.org
Subject: Re: Bug#833570: fontconfig: CVE-2016-5384: possible double free due to insufficiently validated cache files
Date: Sat, 6 Aug 2016 10:41:30 +0200

Hi,

On Sat, Aug 06, 2016 at 10:09:45AM +0200, Salvatore Bonaccorso wrote:
> Source: fontconfig
> Version: 2.11.0-6.3
> Severity: grave
> Tags: security upstream patch fixed-upstream
> 
> Hi,
> 
> the following vulnerability was published for fontconfig.
> 
> CVE-2016-5384[0]:
> possible double free due to insufficiently validated cache files
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-5384
> [1] https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940

Attached is the debdiff for sid (similarly is the jessie-security one,
which I have already locally as well).

Regards,
Salvatore
[fontconfig_2.11.0-6.5.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Keith Packard <keithp@debian.org>:
Bug#833570; Package src:fontconfig. (Sat, 06 Aug 2016 19:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Keith Packard <keithp@debian.org>. (Sat, 06 Aug 2016 19:45:03 GMT)


Message #15 received at 833570@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 833570@bugs.debian.org
Subject: fontconfig: diff for NMU version 2.11.0-6.5
Date: Sat, 6 Aug 2016 21:41:27 +0200

Control: tags 833570 + pending

Hi Keith,

I've prepared an NMU for fontconfig (versioned as 2.11.0-6.5) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[fontconfig-2.11.0-6.5-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 833570-submit@bugs.debian.org. (Sat, 06 Aug 2016 19:45:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Keith Packard <keithp@debian.org>:
Bug#833570; Package src:fontconfig. (Sat, 06 Aug 2016 22:12:04 GMT)


Acknowledgement sent to Keith Packard <keithp@keithp.com>:
Extra info received and forwarded to list. Copy sent to Keith Packard <keithp@debian.org>. (Sat, 06 Aug 2016 22:12:04 GMT)


Message #22 received at 833570@bugs.debian.org:

From: Keith Packard <keithp@keithp.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 833570@bugs.debian.org, 833570@bugs.debian.org
Subject: Re: Bug#833570: fontconfig: diff for NMU version 2.11.0-6.5
Date: Sat, 06 Aug 2016 15:04:14 -0700

Salvatore Bonaccorso <carnil@debian.org> writes:

> Control: tags 833570 + pending
>
> Hi Keith,
>
> I've prepared an NMU for fontconfig (versioned as 2.11.0-6.5) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.

Looks like that patch is already in fontconfig 2.12.1; thanks for
backporting. I don't see any reason to delay this any more than that,
I'd be comfortable with having it move into unstable immediately.

-- 
-keith

Information forwarded to debian-bugs-dist@lists.debian.org, Keith Packard <keithp@debian.org>:
Bug#833570; Package src:fontconfig. (Sat, 06 Aug 2016 22:12:06 GMT)


Acknowledgement sent to Keith Packard <keithp@keithp.com>:
Extra info received and forwarded to list. Copy sent to Keith Packard <keithp@debian.org>. (Sat, 06 Aug 2016 22:12:06 GMT)


Message #27 received at 833570@bugs.debian.org:

From: Keith Packard <keithp@keithp.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 833570@bugs.debian.org, 833570@bugs.debian.org
Subject: Re: Bug#833570: fontconfig: diff for NMU version 2.11.0-6.5
Date: Sat, 06 Aug 2016 15:04:41 -0700

Salvatore Bonaccorso <carnil@debian.org> writes:

> Control: tags 833570 + pending
>
> Hi Keith,
>
> I've prepared an NMU for fontconfig (versioned as 2.11.0-6.5) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.

Also, thanks for doing this upload!
-- 
-keith

Information forwarded to debian-bugs-dist@lists.debian.org, Keith Packard <keithp@debian.org>:
Bug#833570; Package src:fontconfig. (Sun, 07 Aug 2016 05:48:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Keith Packard <keithp@debian.org>. (Sun, 07 Aug 2016 05:48:06 GMT)


Message #32 received at 833570@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Keith Packard <keithp@keithp.com>
Cc: 833570@bugs.debian.org
Subject: Re: Bug#833570: fontconfig: diff for NMU version 2.11.0-6.5
Date: Sun, 7 Aug 2016 07:44:39 +0200

Hi Keith,

On Sat, Aug 06, 2016 at 03:04:14PM -0700, Keith Packard wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
> 
> > Control: tags 833570 + pending
> >
> > Hi Keith,
> >
> > I've prepared an NMU for fontconfig (versioned as 2.11.0-6.5) and
> > uploaded it to DELAYED/5. Please feel free to tell me if I
> > should delay it longer.
> 
> Looks like that patch is already in fontconfig 2.12.1; thanks for
> backporting. I don't see any reason to delay this any more than that,
> I'd be comfortable with having it move into unstable immediately.

Thanks a lot for your quick reply!

I will reschedule then to have the fix sooner in unstable.

As I wrote in the previous bug mail, I have as well already prepared the
jessie-security based one, but I was still going to evaluate if we
have any reverse dependency using fontconfig in the explained way.
fbterm for example is not setuid in Debian at least.

Regards,
Salvatore

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 07 Aug 2016 06:06:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 07 Aug 2016 06:06:04 GMT)


Message #37 received at 833570-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 833570-close@bugs.debian.org
Subject: Bug#833570: fixed in fontconfig 2.11.0-6.5
Date: Sun, 07 Aug 2016 06:03:38 +0000
Source: fontconfig
Source-Version: 2.11.0-6.5

We believe that the bug you reported is fixed in the latest version of
fontconfig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 833570@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated fontconfig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 06 Aug 2016 10:24:50 +0200
Source: fontconfig
Binary: fontconfig fontconfig-config fontconfig-udeb libfontconfig1-dev libfontconfig1 libfontconfig1-dbg
Architecture: all source
Version: 2.11.0-6.5
Distribution: unstable
Urgency: high
Maintainer: Keith Packard <keithp@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 833570
Description: 
 fontconfig - generic font configuration library - support binaries
 fontconfig-config - generic font configuration library - configuration
 fontconfig-udeb - generic font configuration library - minimal runtime (udeb)
 libfontconfig1 - generic font configuration library - runtime
 libfontconfig1-dbg - generic font configuration library - debugging symbols
 libfontconfig1-dev - generic font configuration library - development
Changes:
 fontconfig (2.11.0-6.5) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2016-5384: Possible double free due to insufficiently validated cache
     files (Closes: #833570)
Package-Type: udeb




Marked as found in versions fontconfig/2.9.0-7.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 08 Aug 2016 04:21:04 GMT)


Marked as fixed in versions fontconfig/2.9.0-7.1+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 08 Aug 2016 04:21:05 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 16 Aug 2016 22:36:30 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 16 Aug 2016 22:36:31 GMT)


Message #46 received at 833570-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 833570-close@bugs.debian.org
Subject: Bug#833570: fixed in fontconfig 2.11.0-6.3+deb8u1
Date: Tue, 16 Aug 2016 22:32:11 +0000
Source: fontconfig
Source-Version: 2.11.0-6.3+deb8u1

We believe that the bug you reported is fixed in the latest version of
fontconfig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 833570@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated fontconfig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 06 Aug 2016 10:15:01 +0200
Source: fontconfig
Binary: fontconfig fontconfig-config fontconfig-udeb libfontconfig1-dev libfontconfig1 libfontconfig1-dbg
Architecture: all source
Version: 2.11.0-6.3+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Keith Packard <keithp@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 833570
Description: 
 fontconfig - generic font configuration library - support binaries
 fontconfig-config - generic font configuration library - configuration
 fontconfig-udeb - generic font configuration library - minimal runtime (udeb)
 libfontconfig1 - generic font configuration library - runtime
 libfontconfig1-dbg - generic font configuration library - debugging symbols
 libfontconfig1-dev - generic font configuration library - development
Changes:
 fontconfig (2.11.0-6.3+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2016-5384: Possible double free due to insufficiently validated cache
     files (Closes: #833570)
Package-Type: udeb




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 27 Sep 2016 07:30:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:26:56 2019; Machine Name: beach
