[Bug 800591] CVE-2012-1133 freetype: heap buffer underflow in BDF parser _bdf_parse_glyphs() (#35607)

bugzilla at redhat.com bugzilla at redhat.com
Fri Mar 16 07:50:23 UTC 2012




https://bugzilla.redhat.com/show_bug.cgi?id=800591

Tomas Hoger <thoger at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|impact=important,public=201 |impact=important,public=201
                   |20223,reported=20120302,sou |20223,reported=20120302,sou
                   |rce=secalert,cvss2=6.8/AV:N |rce=secalert,cvss2=6.8/AV:N
                   |/AC:M/Au:N/C:P/I:P/A:P,rhel |/AC:M/Au:N/C:P/I:P/A:P,rhel
                   |-5/freetype=new,rhel-6/free |-4/freetype=notaffected,rhe
                   |type=new,fedora-all/freetyp |l-5/freetype=notaffected,rh
                   |e=affected,fedora-all/mingw |el-6/freetype=notaffected,f
                   |32-freetype=affected        |edora-all/freetype=affected
                   |                            |,fedora-all/mingw32-freetyp
                   |                            |e=affected

--- Comment #8 from Tomas Hoger <thoger at redhat.com> 2012-03-16 03:50:21 EDT ---
It seems this issue existed in old freetype versions.  It was later resolved
via the following commit:

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=481838e2

That commit addresses a security issue, CVE-2006-1861 (bug 484437, bug 190593),
related to large ENCODING values causing a buffer overflow.  The fix ensures
that the ENCODING value is not negative and not too large.

The fix was backported to freetype packages in Red Hat Enterprise Linux 2.1, 3,
and 4:

https://access.redhat.com/security/cve/CVE-2006-1861

The freetype packages in Red Hat Enterprise Linux 5 and 6 are based on upstream
versions that include the fix.

However, the fix introduced a regression and caused the valid ENCODING value of
-1 to be rejected as invalid.  This was reported upstream and resolved via:

https://savannah.nongnu.org/bugs/?33663
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=96ddc679

That regression fix re-introduced the security problem.  The regression fix is
not included in freetype packages in Red Hat Enterprise Linux 4, 5 and 6.

Statement:

Not vulnerable. This issue did not affect freetype packages as shipped with Red
Hat Enterprise Linux 3, 4, 5, and 6.

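The comment above describes a three-step history: a bounds check on the BDF ENCODING value, a regression because that check also rejected the legitimate value -1, and a regression fix that reopened the hole. The following C program is an added illustration of that pattern and is not FreeType's code or a reconstruction of its patches; the function names, the `enc_verdict` type, the glyph table size and the sample BDF lines are all constructed here. In particular, `check_widened` is a hypothetical "loosen the lower bound" fix shown only to demonstrate the failure mode: a value of -1 that is accepted but still handed to the caller as an ordinary index ends up one element before the start of the table, which is exactly the kind of heap underflow the bug title names. `check_hardened` shows the defensive shape: -1 (which the BDF format uses for a glyph without a code point) is accepted as a distinct sentinel that is never indexed, and every other out-of-range value is rejected. The out-of-bounds condition is computed, never performed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Verdict for one ENCODING value.  Constructed for this example; FreeType's
 * real BDF driver uses its own structures. */
typedef enum {
    ENC_OK,         /* safe to use as an index into the glyph-by-code table */
    ENC_UNENCODED,  /* -1: glyph has no code point and must never be indexed */
    ENC_REJECT      /* any other negative value, or one past the table end */
} enc_verdict;

/* The check the 2006 fix added, as the bug comment describes it: reject
 * anything negative or too large.  Stops the overflow, but also rejects -1,
 * which the BDF format uses for glyphs without an encoding. */
enc_verdict check_strict(long encoding, long max_encoding)
{
    if (encoding < 0 || encoding > max_encoding)
        return ENC_REJECT;
    return ENC_OK;
}

/* Hypothetical regression "fix" that only loosens the lower bound (not
 * FreeType's actual patch).  -1 now passes, but it is reported as ENC_OK,
 * so a caller will use it as an index and touch the element just before
 * the start of the table: a buffer underflow. */
enc_verdict check_widened(long encoding, long max_encoding)
{
    if (encoding < -1 || encoding > max_encoding)
        return ENC_REJECT;
    return ENC_OK;
}

/* Hardened form: -1 is accepted as a sentinel but never becomes an index;
 * everything else outside [0, max_encoding] is rejected. */
enc_verdict check_hardened(long encoding, long max_encoding)
{
    if (encoding == -1)
        return ENC_UNENCODED;
    if (encoding < 0 || encoding > max_encoding)
        return ENC_REJECT;
    return ENC_OK;
}

/* Would a caller that indexes the table whenever the verdict is ENC_OK
 * access memory outside [0, table_size)?  Computed, not performed. */
bool would_index_out_of_bounds(enc_verdict v, long encoding, long table_size)
{
    return v == ENC_OK && (encoding < 0 || encoding >= table_size);
}

/* Parse "ENCODING <int> [<int>]" from a BDF glyph record.  Returns false on
 * any other keyword, on a malformed number, or on a value outside long range. */
bool parse_encoding_line(const char *line, long *out)
{
    const char *p = line;
    char *end;
    long v;

    if (strncmp(p, "ENCODING", 8) != 0 || (p[8] != ' ' && p[8] != '\t'))
        return false;
    p += 8;
    errno = 0;
    v = strtol(p, &end, 10);
    if (end == p || errno == ERANGE)
        return false;
    /* Only whitespace, end of line, or an optional second integer may follow. */
    while (*end == ' ' || *end == '\t')
        end++;
    if (!(*end == '\0' || *end == '\n' || *end == '\r' ||
          *end == '-' || (*end >= '0' && *end <= '9')))
        return false;
    *out = v;
    return true;
}

int main(void)
{
    /* Constructed BDF glyph lines; the values are illustrative. */
    const char *lines[] = { "ENCODING 65", "ENCODING -1", "ENCODING -2",
                            "ENCODING 70000" };
    const long table_size = 65536;   /* constructed code-point table size */

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long enc;
        if (!parse_encoding_line(lines[i], &enc)) {
            printf("%-16s parse error\n", lines[i]);
            continue;
        }
        enc_verdict w = check_widened(enc, table_size - 1);
        enc_verdict h = check_hardened(enc, table_size - 1);
        printf("%-16s widened: verdict=%d oob=%d | hardened: verdict=%d oob=%d\n",
               lines[i], (int)w, (int)would_index_out_of_bounds(w, enc, table_size),
               (int)h, (int)would_index_out_of_bounds(h, enc, table_size));
    }
    return 0;
}
```

The point to carry into a review of any similar fix: accepting a sentinel value is not the same as making it safe. The validation routine has to return a result that the indexing code cannot mistake for a normal index, or the check must sit directly in front of the table access.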