https://bugzilla.redhat.com/show_bug.cgi?id=1191080
Bug ID: 1191080
Summary: CVE-2014-9658 freetype: DoS in the tt_face_load_kern function in sfnt/ttkern.c
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: vkaigoro@redhat.com
CC: behdad@fedoraproject.org, fonts-bugs@lists.fedoraproject.org, kevin@tigcc.ticalc.org, mkasik@redhat.com
Common Vulnerabilities and Exposures assigned CVE-2014-9658 to the following issue:
The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.
http://code.google.com/p/google-security-research/issues/detail?id=194
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f70d9342e...
Vasyl Kaigorodov vkaigoro@redhat.com changed:
What | Removed | Added
Depends On | | 1191099
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1191099 [Bug 1191099] CVE-2014-9656 CVE-2014-9657 freetype: various flaws [fedora-all]
--- Comment #1 from Vasyl Kaigorodov vkaigoro@redhat.com ---
Created freetype tracking bugs for this issue:
Affects: fedora-all [bug 1191099]
Vasyl Kaigorodov vkaigoro@redhat.com changed:
What | Removed | Added
Blocks | | 1191102
Bug 1191080 depends on bug 1191099, which changed state.
Bug 1191099 Summary: CVE-2014-9656 CVE-2014-9657 CVE-2014-9661 CVE-2014-9660 CVE-2014-9667 CVE-2014-9666 CVE-2014-9665 CVE-2014-9664 CVE-2014-9669 CVE-2014-9668 CVE-2014-9662 CVE-2014-9658 CVE-2014-9659 CVE-2014-9663 CVE-2014-9670 freetype: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1191099
What | Removed | Added
Status | ON_QA | CLOSED
Resolution | --- | ERRATA
--- Comment #2 from Fedora Update System updates@fedoraproject.org ---
freetype-2.5.3-15.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Tomas Hoger thoger@redhat.com changed:
What | Removed | Added
Priority | medium | low
Fixed In Version | | freetype 2.5.4
Summary | CVE-2014-9658 freetype: DoS in the tt_face_load_kern function in sfnt/ttkern.c | CVE-2014-9658 freetype: buffer over-read and integer underflow in tt_face_load_kern()
Whiteboard | impact=moderate,public=20141124,reported=20150210,source=cve,cvss2=3.7/AV:L/AC:H/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected,rhel-5/freetype=new,rhel-6/freetype=new,rhel-7/freetype=new | impact=low,public=20141124,reported=20150210,source=cve,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cwe=CWE-20->CWE-190->CWE-125,rhel-4/freetype=notaffected,rhel-5/freetype=affected,rhel-6/freetype=affected,rhel-7/freetype=affected,rhev-m-3/mingw-virt-viewer=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected
Severity | medium | low
--- Comment #3 from Tomas Hoger thoger@redhat.com ---
Upstream bug is:
https://savannah.nongnu.org/bugs/?43672
Issue was fixed upstream in 2.5.4.
The issue here starts as a simple short buffer over-read. The existing check to ensure that enough input data is still available was incorrect:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/ttkern...
The length <= 6 check only takes into account the previously read header:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/ttkern...
p is later incremented by 8 (but only the first two bytes are actually read/accessed):
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/ttkern...
However, when length is too short, p_next may be less than p, which leads to integer underflow in (p_next - p) in this num_pairs check:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/ttkern...
The check aims to prevent further over-reads. Underflow bypasses the check and makes it possible to read 6 * 0xffff bytes (num_pairs is short). Crash should be possible.
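A small model of the two checks described in this comment, added here as an illustration (it is not FreeType's code, and the exact upstream diff is not shown on this page). It assumes the format-0 kern subtable layout of version, length, coverage, nPairs and three search fields, and shows the minimum-length check in its vulnerable form beside a hardened form that also covers the 8 bytes read after the header:

```c
#include <stdint.h>
#include <stdio.h>
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); } /* big-endian */

/* Model of the format-0 'kern' subtable walk described in comment #3 (constructed
 * for illustration, not FreeType's code).  Returns the pair count a caller would
 * go on to read, or -1 if the subtable is rejected. */
static long count_pairs(const uint8_t *tab, size_t tab_len, int hardened)
{
    const uint8_t *p = tab, *p_limit = tab + tab_len, *p_next = tab;
    uint16_t length, num_pairs;

    if (p_limit - p < 6)              /* version(2) + length(2) + coverage(2) */
        return -1;
    p += 2;                           /* skip subtable version */
    length = rd16(p);  p += 2;
    p += 2;                           /* coverage; assume horizontal kerning */

    /* Vulnerable: only the 6 header bytes already consumed are accounted for.
     * Hardened: the 8 bytes read below must also fit in the declared length. */
    if (length <= (hardened ? 6 + 8 : 6))
        return -1;
    p_next += length;
    if (p_next > p_limit || p_limit - p < 8)
        return -1;

    num_pairs = rd16(p);
    p += 8;                           /* nPairs(2) + three search fields(6) */
    /* For length in 7..13 p_next is now BEHIND p: the negative difference wraps
     * to a huge size_t and the clamp below never fires. */
    size_t avail = (size_t)(p_next - p);
    if (avail < 6u * num_pairs)
        num_pairs = (uint16_t)(avail / 6);  /* clamp to the bytes really present */
    return num_pairs;
}

/* Constructed samples.  hostile: length=8, nPairs=0xFFFF, no pair data.
 * benign: length=20 covering one 6-byte pair. */
static const uint8_t hostile[14] = { 0,0, 0,8,  0,1, 0xFF,0xFF, 0,0, 0,0, 0,0 };
static const uint8_t benign[20]  = { 0,0, 0,20, 0,1, 0,1, 0,0, 0,0, 0,0,
                                     0,0x41, 0,0x56, 0xFF,0xF6 };
int main(void)
{
    printf("hostile/vulnerable: %ld\n", count_pairs(hostile, 14, 0)); /* 65535 */
    printf("hostile/hardened:   %ld\n", count_pairs(hostile, 14, 1)); /* -1 */
    printf("benign/hardened:    %ld\n", count_pairs(benign, 20, 1));  /* 1 */
    return 0;
}
```

The vulnerable path returns 65535 pairs for a 14-byte subtable, which is exactly the 6 * 0xffff over-read the comment describes; the hardened check rejects it while still accepting the well-formed table.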
--- Comment #5 from Fedora Update System updates@fedoraproject.org ---
freetype-2.5.0-9.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Martin Prpic mprpic@redhat.com changed:
What | Removed | Added
Whiteboard | impact=low,public=20141124,reported=20150210,source=cve,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cwe=CWE-20->CWE-190->CWE-125,rhel-4/freetype=notaffected,rhel-5/freetype=affected,rhel-6/freetype=affected,rhel-7/freetype=affected,rhev-m-3/mingw-virt-viewer=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected | impact=low,public=20141124,reported=20150210,source=cve,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cwe=CWE-20->CWE-190->CWE-125,rhel-4/freetype=notaffected,rhel-5/freetype=wontfix,rhel-6/freetype=affected,rhel-7/freetype=affected,rhev-m-3/mingw-virt-viewer=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected
Martin Prpic mprpic@redhat.com changed:
What | Removed | Added
Depends On | | 1197737
Martin Prpic mprpic@redhat.com changed:
What | Removed | Added
Depends On | | 1197738
Martin Prpic mprpic@redhat.com changed:
What | Removed | Added
Depends On | | 1197739
Martin Prpic mprpic@redhat.com changed:
What | Removed | Added
Depends On | | 1197740
--- Comment #7 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2015:0696 https://rhn.redhat.com/errata/RHSA-2015-0696.html
Tomas Hoger thoger@redhat.com changed:
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | ERRATA
Last Closed | | 2015-03-18 03:41:00
Vincent Danen vdanen@redhat.com changed:
What | Removed | Added
Whiteboard | impact=low,public=20141124,reported=20150210,source=cve,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cwe=CWE-20->CWE-190->CWE-125,rhel-4/freetype=notaffected,rhel-5/freetype=wontfix,rhel-6/freetype=affected,rhel-7/freetype=affected,rhev-m-3/mingw-virt-viewer=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected | impact=low,public=20141124,reported=20150210,source=cve,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cwe=CWE-20->CWE-190->CWE-125,rhel-4/freetype=notaffected,rhel-5/freetype=wontfix,rhel-6/freetype=notaffected,rhel-7/freetype=affected,rhev-m-3/mingw-virt-viewer=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected
Ján Rusnačko jrusnack@redhat.com changed:
What | Removed | Added
Whiteboard | impact=low,public=20141124,reported=20150210,source=cve,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cwe=CWE-20->CWE-190->CWE-125,rhel-4/freetype=notaffected,rhel-5/freetype=wontfix,rhel-6/freetype=notaffected,rhel-7/freetype=affected,rhev-m-3/mingw-virt-viewer=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected | impact=low,public=20141124,reported=20150210,source=cve,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cwe=CWE-20->CWE-190->CWE-125,rhel-4/freetype=notaffected,rhel-5/freetype=wontfix,rhel-6/freetype=affected,rhel-7/freetype=affected,rhev-m-3/mingw-virt-viewer=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected