https://bugzilla.redhat.com/show_bug.cgi?id=1191192
Bug ID: 1191192 Summary: CVE-2014-9675 freetype: bypass the ASLR protection mechanism via a crafted BDF font Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: mprpic@redhat.com CC: behdad@fedoraproject.org, fonts-bugs@lists.fedoraproject.org, kevin@tigcc.ticalc.org, mkasik@redhat.com
bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font.
Upstream issue:
http://code.google.com/p/google-security-research/issues/detail?id=151
Upstream patch:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=2c4832d30...
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
Martin Prpic mprpic@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1191102
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
Martin Prpic mprpic@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1191193
--- Comment #1 from Martin Prpic mprpic@redhat.com ---
Created freetype tracking bugs for this issue:
Affects: fedora-all [bug 1191193]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1191193 [Bug 1191193] CVE-2014-9675 freetype: bypass the ASLR protection mechanism via a crafted BDF font [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1191192 Bug 1191192 depends on bug 1191193, which changed state.
Bug 1191193 Summary: CVE-2014-9675 freetype: bypass the ASLR protection mechanism via a crafted BDF font [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1191193
What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
--- Comment #2 from Fedora Update System updates@fedoraproject.org --- freetype-2.5.3-15.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
--- Comment #3 from Fedora Update System updates@fedoraproject.org --- freetype-2.5.0-9.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
Tomas Hoger thoger@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Priority|medium |low Summary|CVE-2014-9675 freetype: |CVE-2014-9675 freetype: |bypass the ASLR protection |information leak in |mechanism via a crafted BDF |_bdf_add_property() |font | Whiteboard|impact=moderate,public=2015 |impact=low,public=20150208, |0208,reported=20150209,sour |reported=20150209,source=su |ce=suse,cvss2=3.7/AV:L/AC:H |se,cvss2=4.3/AV:N/AC:M/Au:N |/Au:N/C:P/I:P/A:P,fedora-al |/C:P/I:N/A:N,rhel-4/freetyp |l/freetype=affected,rhel-5/ |e=wontfix,rhel-5/freetype=w |freetype=new,rhel-6/freetyp |ontfix,rhel-6/freetype=affe |e=new,rhel-7/freetype=new |cted,rhel-7/freetype=affect | |ed,rhev-m-3/mingw-virt-view | |er=affected,fedora-all/free | |type=affected,fedora-all/mi | |ngw-freetype=affected,epel- | |7/mingw-freetype=affected Severity|medium |low
--- Comment #4 from Tomas Hoger thoger@redhat.com --- Upstream bug is: https://savannah.nongnu.org/bugs/?43535
Issue was fixed upstream in 2.5.4.
This issue possibly leads to disclosure of portion of process memory. Leaked information is heap pointer, so it may provide information to bypass address space layout randomization (ASLR) and hence make it easier to exploit other flaws in the application.
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
Martin Prpic mprpic@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1197737
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
Martin Prpic mprpic@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1197738
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
Martin Prpic mprpic@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1197739
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
Martin Prpic mprpic@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1197740
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
--- Comment #7 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7
Via RHSA-2015:0696 https://rhn.redhat.com/errata/RHSA-2015-0696.html
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
Tomas Hoger thoger@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |ERRATA Last Closed| |2015-03-18 03:40:58
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
Ján Rusnačko jrusnack@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |jrusnack@redhat.com Whiteboard|impact=low,public=20150208, |impact=low,public=20150208, |reported=20150209,source=su |reported=20150209,source=su |se,cvss2=4.3/AV:N/AC:M/Au:N |se,cvss2=4.3/AV:N/AC:M/Au:N |/C:P/I:N/A:N,rhel-4/freetyp |/C:P/I:N/A:N,rhel-4/freetyp |e=wontfix,rhel-5/freetype=w |e=wontfix,rhel-5/freetype=w |ontfix,rhel-6/freetype=affe |ontfix,rhel-6/freetype=affe |cted,rhel-7/freetype=affect |cted,rhel-7/freetype=affect |ed,rhev-m-3/mingw-virt-view |ed,rhev-m-3/mingw-virt-view |er=affected,fedora-all/free |er=affected,fedora-all/free |type=affected,fedora-all/mi |type=affected,fedora-all/mi |ngw-freetype=affected,epel- |ngw-freetype=affected,epel- |7/mingw-freetype=affected |7/mingw-freetype=affected,c | |we=CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
Vincent Danen vdanen@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=low,public=20150208, |impact=low,public=20150208, |reported=20150209,source=su |reported=20150209,source=su |se,cvss2=4.3/AV:N/AC:M/Au:N |se,cvss2=4.3/AV:N/AC:M/Au:N |/C:P/I:N/A:N,rhel-4/freetyp |/C:P/I:N/A:N,rhel-4/freetyp |e=wontfix,rhel-5/freetype=w |e=wontfix,rhel-5/freetype=w |ontfix,rhel-6/freetype=affe |ontfix,rhel-6/freetype=nota |cted,rhel-7/freetype=affect |ffected,rhel-7/freetype=aff |ed,rhev-m-3/mingw-virt-view |ected,rhev-m-3/mingw-virt-v |er=affected,fedora-all/free |iewer=affected,fedora-all/f |type=affected,fedora-all/mi |reetype=affected,fedora-all |ngw-freetype=affected,epel- |/mingw-freetype=affected,ep |7/mingw-freetype=affected,c |el-7/mingw-freetype=affecte |we=CWE-200 |d,cwe=CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=1191192
Ján Rusnačko jrusnack@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=low,public=20150208, |impact=low,public=20150208, |reported=20150209,source=su |reported=20150209,source=su |se,cvss2=4.3/AV:N/AC:M/Au:N |se,cvss2=4.3/AV:N/AC:M/Au:N |/C:P/I:N/A:N,rhel-4/freetyp |/C:P/I:N/A:N,rhel-4/freetyp |e=wontfix,rhel-5/freetype=w |e=wontfix,rhel-5/freetype=w |ontfix,rhel-6/freetype=nota |ontfix,rhel-6/freetype=affe |ffected,rhel-7/freetype=aff |cted,rhel-7/freetype=affect |ected,rhev-m-3/mingw-virt-v |ed,rhev-m-3/mingw-virt-view |iewer=affected,fedora-all/f |er=affected,fedora-all/free |reetype=affected,fedora-all |type=affected,fedora-all/mi |/mingw-freetype=affected,ep |ngw-freetype=affected,epel- |el-7/mingw-freetype=affecte |7/mingw-freetype=affected,c |d,cwe=CWE-200 |we=CWE-200
fonts-bugs@lists.fedoraproject.org