https://bugzilla.redhat.com/show_bug.cgi?id=1429965
Bug ID: 1429965
Summary: CVE-2016-10244 freetype: parse_charstrings function in type1/t1load.c does not ensure that a font contains a glyph name
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: behdad@fedoraproject.org, bmcclain@redhat.com, cfergeau@redhat.com, dblechte@redhat.com, eedri@redhat.com, erik-fedora@vanpienbroek.nl, fedora-mingw@lists.fedoraproject.org, fonts-bugs@lists.fedoraproject.org, gklein@redhat.com, kevin@tigcc.ticalc.org, lsurette@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mkasik@redhat.com, rbalakri@redhat.com, rh-spice-bugs@redhat.com, rjones@redhat.com, sherold@redhat.com, srevivo@redhat.com, ydary@redhat.com, ykaul@redhat.com
The parse_charstrings function in type1/t1load.c in FreeType 2 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file.
References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36
Upstream patch:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/type1/t1l...
Andrej Nemec anemec@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Blocks      |        |1429966
Depends On  |        |1429969, 1429968, 1429967
--- Comment #1 from Andrej Nemec anemec@redhat.com ---
Created freetype tracking bugs for this issue:
Affects: fedora-all [bug 1429968]
Created mingw-freetype tracking bugs for this issue:
Affects: epel-7 [bug 1429969]
Affects: fedora-all [bug 1429967]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1429967 [Bug 1429967] CVE-2016-10244 mingw-freetype: freetype: parse_charstrings function in type1/t1load.c does not ensure that a font contains a glyph name [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1429968 [Bug 1429968] CVE-2016-10244 freetype: parse_charstrings function in type1/t1load.c does not ensure that a font contains a glyph name [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1429969 [Bug 1429969] CVE-2016-10244 mingw-freetype: freetype: parse_charstrings function in type1/t1load.c does not ensure that a font contains a glyph name [epel-7]
Bug 1429965 depends on bug 1429968, which changed state.
Bug 1429968 Summary: CVE-2016-10244 freetype: parse_charstrings function in type1/t1load.c does not ensure that a font contains a glyph name [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1429968
What        |Removed |Added
----------------------------------------------------------------------------
Status      |ON_QA   |CLOSED
Resolution  |---     |ERRATA
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |WONTFIX
Whiteboard  |Removed: impact=moderate,public=20160825,reported=20170306,source=cve,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected,rhel-5/freetype=new,rhel-6/freetype=new,rhel-7/freetype=new,rhev-m-3/mingw-virt-viewer=new
Whiteboard  |Added: impact=moderate,public=20160825,reported=20170306,source=cve,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected,rhel-5/freetype=wontfix,rhel-6/freetype=wontfix,rhel-7/freetype=wontfix,rhev-m-3/mingw-virt-viewer=wontfix
Last Closed |        |2017-03-23 01:50:59
--- Comment #2 from Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
Analysis:
As per the patch, seems to be an OOB read, causing a crash. I don't have access to the reproducer, but seems all versions of freetype shipped with Red Hat Enterprise Linux are affected.
Bug 1429965 depends on bug 1429967, which changed state.
Bug 1429967 Summary: CVE-2016-10244 mingw-freetype: freetype: parse_charstrings function in type1/t1load.c does not ensure that a font contains a glyph name [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1429967
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |WONTFIX