https://bugzilla.redhat.com/show_bug.cgi?id=1444898
Bug ID: 1444898
Summary: CVE-2017-7857 freetype: heap-based buffer overflow related to the TT_Get_MM_Var function
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: behdad@fedoraproject.org, bmcclain@redhat.com, cfergeau@redhat.com, dblechte@redhat.com, eedri@redhat.com, erik-fedora@vanpienbroek.nl, fedora-mingw@lists.fedoraproject.org, fonts-bugs@lists.fedoraproject.org, gklein@redhat.com, kevin@tigcc.ticalc.org, lsurette@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mkasik@redhat.com, rbalakri@redhat.com, rh-spice-bugs@redhat.com, rjones@redhat.com, sherold@redhat.com, srevivo@redhat.com, ydary@redhat.com, ykaul@redhat.com
FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.
Bug report:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=759
Upstream patch:
https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=7bbb91fb...
Adam Mariš amaris@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1444917, 1444915, 1444916
--- Comment #1 from Adam Mariš amaris@redhat.com ---
Created freetype tracking bugs for this issue:
Affects: fedora-all [bug 1444917]
Created mingw-freetype tracking bugs for this issue:
Affects: epel-7 [bug 1444915]
Affects: fedora-all [bug 1444916]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1444915
[Bug 1444915] CVE-2016-10328 CVE-2017-7857 CVE-2017-7858 CVE-2017-7864 mingw-freetype: various flaws [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1444916
[Bug 1444916] CVE-2016-10328 CVE-2017-7857 CVE-2017-7858 CVE-2017-7864 mingw-freetype: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1444917
[Bug 1444917] CVE-2016-10328 CVE-2017-7857 CVE-2017-7858 CVE-2017-7864 freetype: various flaws [fedora-all]
Adam Mariš amaris@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |1444919
Norman Sardella sardella@comcast.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |sardella@comcast.net
--- Comment #2 from Marek Kašík mkasik@redhat.com ---
While I can reproduce this with the commit mentioned in the Chromium bug report, I cannot reproduce this on F24, F25, F26 or rawhide.
Bug 1444898 depends on bug 1444917, which changed state.
Bug 1444917 Summary: CVE-2016-10328 CVE-2017-7857 CVE-2017-7858 CVE-2017-7864 freetype: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1444917
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |NOTABUG
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |NOTABUG
Last Closed |        |2017-06-29 00:48:33
Whiteboard (removed): impact=moderate,public=20170308,reported=20170414,source=cve,cvss3=7.8/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H,cwe=CWE-122,rhel-5/freetype=new,rhel-6/freetype=new,rhel-7/freetype=new,rhev-m-3/mingw-virt-viewer=new,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected
Whiteboard (added): impact=moderate,public=20170308,reported=20170414,source=cve,cvss3=7.8/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H,cwe=CWE-122,rhel-5/freetype=notaffected,rhel-6/freetype=notaffected,rhel-7/freetype=notaffected,rhev-m-3/mingw-virt-viewer=notaffected,fedora-all/freetype=notaffected,fedora-all/mingw-freetype=notaffected,epel-7/mingw-freetype=notaffected
Bug 1444898 depends on bug 1444916, which changed state.
Bug 1444916 Summary: CVE-2016-10328 CVE-2017-7857 CVE-2017-7858 CVE-2017-7864 mingw-freetype: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1444916
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |WONTFIX