[Bug 1172633] New: freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

List overview All Threads
Download

newer

older

[Bug 1177278] CVE-2014-8964...

[Bug 1162578] New: CVE-2014-8501...

Red Hat Bugzilla

10 Dec 2014 10 Dec '14

7:37 a.m.

https://bugzilla.redhat.com/show_bug.cgi?id=1172633

Bug ID: 1172633 Summary: freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240). Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team@redhat.com Reporter: vkaigoro@redhat.com CC: behdad@fedoraproject.org, erik-fedora@vanpienbroek.nl, fedora-mingw@lists.fedoraproject.org, fonts-bugs@lists.fedoraproject.org, kevin@tigcc.ticalc.org, lfarkas@lfarkas.org, mkasik@redhat.com, rjones@redhat.com

It was reported [1] that Freetype before 2.5.4 suffers from an out-of-bounds stack-based read/write flaw in cf2_hintmap_build() in the CFF rasterizing code, which could lead to a buffer overflow. This is due to an incomplete fix for CVE-2014-2240.

Upstream patch is at [2] Upstream bug with some additional info is at [3].

This new CFF handling code was introduced in Freetype 2.4.12 (new Type 2 interpreter and hinter); earlier versions are not affected. This is fixed in 2.5.4 [4].

[1]: https://bugs.mageia.org/show_bug.cgi?id=14771 [2]: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0eae6eb06... [3]: http://savannah.nongnu.org/bugs/?43661 [4]: http://sourceforge.net/projects/freetype/files/freetype2/2.5.4/

Statement:

Not vulnerable. This issue did not affect the versions of freetype as shipped with Red Hat Enterprise Linux 5, 6 and 7.

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=yLFKJV2zPY&a=cc_unsubscribe

Show replies by date

Red Hat Bugzilla

10 Dec 10 Dec

7:37 a.m.

New subject: [Bug 1172633] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

https://bugzilla.redhat.com/show_bug.cgi?id=1172633

Vasyl Kaigorodov vkaigoro@redhat.com changed:

--- Comment #1 from Vasyl Kaigorodov vkaigoro@redhat.com ---

Created freetype tracking bugs for this issue:

Affects: fedora-20 [bug 1172634]

Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1172634 [Bug 1172634] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240). [fedora-20] https://bugzilla.redhat.com/show_bug.cgi?id=1172635 [Bug 1172635] mingw-freetype: freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240). [fedora-20] https://bugzilla.redhat.com/show_bug.cgi?id=1172636 [Bug 1172636] mingw-freetype: freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240). [fedora-19]

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=JjLJEy3Smp&a=cc_unsubscribe

Red Hat Bugzilla

7:37 a.m.

New subject: [Bug 1172633] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

https://bugzilla.redhat.com/show_bug.cgi?id=1172633

--- Comment #2 from Vasyl Kaigorodov vkaigoro@redhat.com ---

Created mingw-freetype tracking bugs for this issue:

Affects: fedora-20 [bug 1172635] Affects: fedora-19 [bug 1172636]

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=BVw2eMkTTY&a=cc_unsubscribe

Red Hat Bugzilla

8:09 a.m.

New subject: [Bug 1172633] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

https://bugzilla.redhat.com/show_bug.cgi?id=1172633

--- Comment #3 from Marek Kašík mkasik@redhat.com --- Shouldn't we use the patch from http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=2cdc4562f... instead of the [2]? Also, according to the mentioned versions, we should probably fix it in Fedora 21 too.

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=csph4o47Xc&a=cc_unsubscribe

Red Hat Bugzilla

4:55 p.m.

New subject: [Bug 1172633] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

https://bugzilla.redhat.com/show_bug.cgi?id=1172633

--- Comment #4 from David Walser luigiwalser@yahoo.com --- (In reply to Marek Kašík from comment #3)

...

Shouldn't we use the patch from http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/ ?id=2cdc4562f873237f1c77d43540537c7a721d3fd8 instead of the [2]? Also, according to the mentioned versions, we should probably fix it in Fedora 21 too.

As well as this one, yes: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f89396cb6...

The one linked in [2] is the original incomplete fix from before.

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=vQqXMCVvDL&a=cc_unsubscribe

Red Hat Bugzilla

11 Dec 11 Dec

5:05 a.m.

New subject: [Bug 1172633] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

https://bugzilla.redhat.com/show_bug.cgi?id=1172633

--- Comment #5 from Marek Kašík mkasik@redhat.com --- (In reply to David Walser from comment #4)

...

(In reply to Marek Kašík from comment #3)

...
Shouldn't we use the patch from http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/ ?id=2cdc4562f873237f1c77d43540537c7a721d3fd8 instead of the [2]? Also, according to the mentioned versions, we should probably fix it in Fedora 21 too.

As well as this one, yes: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/ ?id=f89396cb6284954ff98b5dcbfc38e144deccdc83

Thank you for pointing me to this commit. I've updated the update.

...

The one linked in [2] is the original incomplete fix from before.

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=xSWIsq6hwT&a=cc_unsubscribe

Red Hat Bugzilla

16 Dec 16 Dec

6:58 p.m.

New subject: [Bug 1172633] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

https://bugzilla.redhat.com/show_bug.cgi?id=1172633

--- Comment #6 from David Walser luigiwalser@yahoo.com --- You're welcome. Just FYI, you meant to add a link to Bug 1172634 in the SPEC file, but you accidentally put bugs.gnome.org instead of bugzilla.redhat.com.

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=sCuxXVTc57&a=cc_unsubscribe

Red Hat Bugzilla

17 Dec 17 Dec

4:15 a.m.

New subject: [Bug 1172633] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

https://bugzilla.redhat.com/show_bug.cgi?id=1172633

--- Comment #7 from Marek Kašík mkasik@redhat.com --- (In reply to David Walser from comment #6)

...

You're welcome. Just FYI, you meant to add a link to Bug 1172634 in the SPEC file, but you accidentally put bugs.gnome.org instead of bugzilla.redhat.com.

Thanks, fixed.

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=ekYqhyJZ8a&a=cc_unsubscribe

Red Hat Bugzilla

23 Dec 23 Dec

12:31 p.m.

New subject: [Bug 1172633] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

https://bugzilla.redhat.com/show_bug.cgi?id=1172633

--- Comment #8 from Fedora Update System updates@fedoraproject.org --- freetype-2.5.3-13.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=jvCioFWSvu&a=cc_unsubscribe

Red Hat Bugzilla

31 Dec 31 Dec

11:13 a.m.

New subject: [Bug 1172633] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

https://bugzilla.redhat.com/show_bug.cgi?id=1172633 Bug 1172633 depends on bug 1172636, which changed state.

Bug 1172636 Summary: mingw-freetype: freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240). [fedora-19] https://bugzilla.redhat.com/show_bug.cgi?id=1172636

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=TD8trAAsAF&a=cc_unsubscribe

Red Hat Bugzilla

1 Jan 1 Jan

11:01 p.m.

New subject: [Bug 1172633] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

https://bugzilla.redhat.com/show_bug.cgi?id=1172633 Bug 1172633 depends on bug 1172635, which changed state.

Bug 1172635 Summary: mingw-freetype: freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240). [fedora-20] https://bugzilla.redhat.com/show_bug.cgi?id=1172635

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=y4RifU0JpD&a=cc_unsubscribe

Red Hat Bugzilla

3 Jan 3 Jan

1:05 p.m.

New subject: [Bug 1172633] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

https://bugzilla.redhat.com/show_bug.cgi?id=1172633 Bug 1172633 depends on bug 1172634, which changed state.

Bug 1172634 Summary: freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240). [fedora-20] https://bugzilla.redhat.com/show_bug.cgi?id=1172634

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=9cE7hHwjdo&a=cc_unsubscribe

Red Hat Bugzilla

1:05 p.m.

New subject: [Bug 1172633] freetype: OOB stack-based read/write in cf2_hintmap_build() (incomplete fix for CVE-2014-2240).

https://bugzilla.redhat.com/show_bug.cgi?id=1172633

--- Comment #9 from Fedora Update System updates@fedoraproject.org --- freetype-2.5.0-7.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

-- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=n1Fg90zqW3&a=cc_unsubscribe

4175

Age (days ago)

4199

Last active (days ago)

mingw@lists.fedoraproject.org

12 comments

1 participants

tags (0)

participants (1)

Red Hat Bugzilla