Message-ID: <4F567653.4080009@redhat.com>
Date: Tue, 06 Mar 2012 13:40:51 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Mateusz Jurczyk <mjurczyk@...gle.com>, Werner Lemberg <wl@....org>, Moritz Muehlenhoff <jmm@...ian.org>, Moritz Muehlenhoff <jmm@...til.org>
Subject: Re: CVE Request -- FreeType: Multiple security flaws to be fixed in v2.4.9

On 03/06/2012 12:57 PM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,

A summary will also be posted at the end of this email. I gotta say this
is the best mass CVE request I've ever seen!

> we have been notified by Mateusz Jurczyk of the Google Security Team,
> about the following FreeType security flaws, which are going to be fixed
> in the v2.4.9 version.
>
> Credit: Mateusz Jurczyk, Google Security Team
>
> Note: Though some of the issues below might look related / the same, I
> have checked that each of them excludes the others (IOW each of them is
> a different issue from the others). But I was too lazy to cross-reference
> which of them is different from which other.
>
> Reproducers are attached to the relevant upstream bug reports.
>
> Have Cc-ed Werner Lemberg of FreeType upstream on this post too,
> so he could collect CVE identifiers prior to the FreeType v2.4.9 release.
>
> Yet, I am requesting a CVE identifier even for the NULL ptr dereference
> and floating point exception / integer divide by zero issue below, even
> if Red Hat would not consider these to be security flaws. But other
> distributions might be doing so, thus I will let Steve decide whether
> these two deserve CVE identifiers or not.
>
> And finally, due to the count of the issues, I am not including the full
> issue description under each entry (to shorten the request). Only the
> particular Red Hat Bugzilla entry summary is included with relevant
> links to upstream bugs and commits. Further issue description can be
> found under the particular Red Hat Bugzilla entry for each of them in
> the initial comment (#c0).
>
> Kurt, Steve, could you allocate CVE identifiers for these?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
>
> Issue #1:
> =========
> freetype: Out-of heap-based buffer read by parsing, adding properties
> in BDF fonts, or validating if property being an atom (FU#35597, FU#35598)
>
> Upstream bug reports:
> [1] https://savannah.nongnu.org/bugs/?35597
> [2] https://savannah.nongnu.org/bugs/?35598
>
> Upstream patch:
> [3] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=320d4976d1d010b5abe9d61a7423d8ca06bc34df
>
> Red Hat Bugzilla entry:
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=800581

Please use CVE-2012-1126 for this issue.

> Issue #2:
> =========
> freetype: Out-of heap-based buffer read by parsing glyph information and
> bitmaps for BDF fonts (FU#35599, FU#35600)
>
> Upstream bug reports:
> [1] https://savannah.nongnu.org/bugs/?35599
> [2] https://savannah.nongnu.org/bugs/?35600
>
> Upstream patch:
> [3] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0b1c0c6b20bf121096afff206d570f26183402b3
>
> Red Hat Bugzilla entry:
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=800583

Please use CVE-2012-1127 for this issue.

> Issue #3:
> =========
> freetype: NULL pointer dereference by moving zone2 pointer point for
> certain TrueType font (FU#35601)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35601
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=96cddb8d1d32d6738b06552083db9d6cee5b5cb4
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800584

Please use CVE-2012-1128 for this issue.

> Issue #4:
> =========
> freetype: Out-of heap-based buffer read when parsing certain SFNT strings
> by Type42 font parser (FU#35602)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35602
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=82365c0dead99dd119d9e7117cf4f36ce1d1cbe1
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800585

Please use CVE-2012-1129 for this issue.

> Issue #5:
> =========
> freetype: Out-of heap-based buffer read by loading properties of PCF
> fonts (FU#35603)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35603
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c776fc17bfeaa607405fc96620e9445e7a0965c3
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800587

Please use CVE-2012-1130 for this issue.

> Issue #6:
> =========
> freetype (64-bit specific): Out-of heap-based buffer read by attempt to
> record current cell into the cell table (FU#35604)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35604
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=fcbc82e69e7b114b0db75e955896107d611898e6
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800589

Please use CVE-2012-1131 for this issue.

> Issue #7:
> =========
> freetype: Out-of heap-based buffer read flaw in Type1 font loader by
> parsing font dictionary entries (FU#35606)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35606
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=58cbc465d2ccd904dee755cff791fbb3a866646d
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800590

Please use CVE-2012-1132 for this issue.

> Issue #8:
> =========
> freetype: Out-of heap-based buffer write by parsing BDF glyph information
> and bitmaps (FU#35607)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35607
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=28dd2c45957278e962f95633157b6139de8170aa
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800591

Please use CVE-2012-1133 for this issue.

> Issue #9:
> =========
> freetype: Out-of heap-based buffer write in Type1 font parser by
> retrieving font's private dictionary (FU#35608)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35608
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9577add645c8c05460c7d60ad486c021394b82e
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800592

Please use CVE-2012-1134 for this issue.

> Issue #10:
> ==========
> freetype: Out-of heap-based buffer read in TrueType bytecode interpreter
> by executing NPUSHB and NPUSHW instructions (FU#35640)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35640
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=5dddcc45a03b336860436a180aec5b358517336b
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800593

Please use CVE-2012-1135 for this issue.

> Issue #11:
> ==========
> freetype: Out-of heap-based buffer write by parsing BDF glyph and bitmaps
> information with missing ENCODING field (FU#35641)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35641
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=4086fb7caf41e33137e548e43a49a97b127cd369
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800594

Please use CVE-2012-1136 for this issue.

> Issue #12:
> ==========
> freetype: Out-of heap-based buffer read by parsing BDF font header
> (FU#35643)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35643
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cee5d593582801f65c5e127d9de9ca24ebcdc747
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800595

Please use CVE-2012-1137 for this issue.

> Issue #13:
> ==========
> freetype: Out-of heap-based buffer read in the TrueType bytecode
> interpreter by executing the MIRP instruction (FU#35646)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35646
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a33c013fe2dc6e65de2879682201d9c155292349
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800597

Please use CVE-2012-1138 for this issue.

> Issue #14:
> ==========
> freetype: Array index error, leading to out-of stack based buffer
> read by parsing BDF font glyph information (FU#35656)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35656
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=6ac022dc750d95296a6f731b9594f2e751d997fa
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800598

Please use CVE-2012-1139 for this issue.

> Issue #15:
> ==========
> freetype: Out-of heap-based buffer read by conversion of PostScript
> font objects (FU#35657)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35657
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=292144b44a15c1a72f2ef76475d65b7a3a3fba67
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800600

Please use CVE-2012-1140 for this issue.

> Issue #16:
> ==========
> freetype: Out-of heap-based buffer read flaw by conversion of an ASCII
> string into a signed short integer by processing BDF fonts (FU#35658)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35658
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9c1659610f9cd5e103790cb5963483d65cf0d2d
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800602

Please use CVE-2012-1141 for this issue.

> Issue #17:
> ==========
> freetype: Out-of heap-based buffer write by retrieval of advance values
> for glyph outlines (FU#35659)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35659
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=7d35a7dc7cc621538a1f4a63c83ebf223aace0b0
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800604

Please use CVE-2012-1142 for this issue.

> Issue #18:
> ==========
> freetype: Integer divide by zero by performing arithmetic
> computations for certain fonts (FU#35660)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35660
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=ba67957d5ead443f4b6b31805d6e780d54361ca4
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800606

Please use CVE-2012-1143 for this issue.

> Issue #19:
> ==========
> freetype: Out-of heap-based buffer write in the TrueType bytecode
> interpreter by moving zone2 pointer point (FU#35689)
>
> Upstream bug report:
> [1] https://savannah.nongnu.org/bugs/?35689
>
> Upstream patch:
> [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0fc8debeb6c2f6a8a9a2b97332a7c8a0a1bd9e85
>
> Red Hat Bugzilla entry:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=800607

Please use CVE-2012-1144 for this issue.

Summary:

CVE-2012-1126 FreeType 2.4.8 Out-of heap-based buffer read by parsing, adding properties in BDF
CVE-2012-1127 FreeType 2.4.8 Out-of heap-based buffer read by parsing glyph information and bitmaps for BDF fonts
CVE-2012-1128 FreeType 2.4.8 NULL pointer dereference by moving zone2 pointer point for certain TrueType font
CVE-2012-1129 FreeType 2.4.8 Out-of heap-based buffer read when parsing certain SFNT strings by Type42 font parser
CVE-2012-1130 FreeType 2.4.8 Out-of heap-based buffer read by loading properties of PCF fonts
CVE-2012-1131 FreeType 2.4.8 freetype (64-bit specific): Out-of heap-based buffer read by attempt to record current cell into the cell table
CVE-2012-1132 FreeType 2.4.8 Out-of heap-based buffer read flaw in Type1 font loader by parsing font dictionary entries
CVE-2012-1133 FreeType 2.4.8 Out-of heap-based buffer write by parsing BDF glyph information and bitmaps
CVE-2012-1134 FreeType 2.4.8 Out-of heap-based buffer write in Type1 font parser by retrieving font's private dictionary
CVE-2012-1135 FreeType 2.4.8 Out-of heap-based buffer read in TrueType bytecode interpreter by executing NPUSHB and NPUSHW instructions
CVE-2012-1136 FreeType 2.4.8 Out-of heap-based buffer write by parsing BDF glyph and bitmaps information with missing ENCODING field
CVE-2012-1137 FreeType 2.4.8 Out-of heap-based buffer read by parsing BDF font header
CVE-2012-1138 FreeType 2.4.8 Out-of heap-based buffer read in the TrueType bytecode interpreter by executing the MIRP instruction
CVE-2012-1139 FreeType 2.4.8 Array index error, leading to out-of stack based buffer read by parsing BDF font glyph information
CVE-2012-1140 FreeType 2.4.8 Out-of heap-based buffer read by conversion of PostScript font objects
CVE-2012-1141 FreeType 2.4.8 Out-of heap-based buffer read flaw by conversion of an ASCII string into a signed short integer by processing BDF fonts
CVE-2012-1142 FreeType 2.4.8 Out-of heap-based buffer write by retrieval of advance values for glyph outlines
CVE-2012-1143 FreeType 2.4.8 Integer divide by zero by performing arithmetic computations for certain fonts
CVE-2012-1144 FreeType 2.4.8 Out-of heap-based buffer write in the TrueType bytecode interpreter by moving zone2 pointer point

--
Kurt Seifried Red Hat Security Response Team (SRT)