Message-ID: <4F566C18.2010301@redhat.com>
Date: Tue, 06 Mar 2012 20:57:12 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com, Mateusz Jurczyk <mjurczyk@...gle.com>,
Werner Lemberg <wl@....org>, Moritz Muehlenhoff <jmm@...ian.org>,
Moritz Muehlenhoff <jmm@...til.org>
Subject: CVE Request -- FreeType: Multiple security flaws to be fixed in v2.4.9
Hello Kurt, Steve, vendors,
we have been notified by Mateusz Jurczyk of the Google Security Team
about the following FreeType security flaws, which are going to be fixed
in version v2.4.9.
Credit: Mateusz Jurczyk, Google Security Team
Note: Though some of the issues below might look related / the same, I have
checked that each of them excludes the others (IOW each of them is a different
issue from the others). But I was lazy to cross-reference which of them
is different from which other one.
Reproducers are attached to relevant upstream bug reports.
I have Cc-ed Werner Lemberg of FreeType upstream on this post too, so he can
collect CVE identifiers prior to the FreeType v2.4.9 release.
Yet, I am requesting CVE identifiers even for the NULL ptr dereference and the floating
point exception / integer divide by zero issue below, even if Red Hat would not
consider these to be security flaws. But other distributions might do so,
thus I will let Steve decide whether these two deserve CVE identifiers or not.
And finally, due to the count of the issues, I am not including the full issue description
under each entry (to shorten the request). Only the particular Red Hat Bugzilla entry
summary is included, with relevant links to upstream bugs and commits. Further issue
description can be found under the particular Red Hat Bugzilla entry for each of them
in the initial comment (#c0).
Kurt, Steve, could you allocate CVE identifiers for these?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Issue #1:
=========
freetype: Out-of heap-based buffer read by parsing, adding properties in BDF
fonts, or validating if property being an atom (FU#35597, FU#35598)
Upstream bug reports:
[1] https://savannah.nongnu.org/bugs/?35597
[2] https://savannah.nongnu.org/bugs/?35598
Upstream patch:
[3]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=320d4976d1d010b5abe9d61a7423d8ca06bc34df
Red Hat Bugzilla entry:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=800581
Issue #2:
=========
freetype: Out-of heap-based buffer read by parsing glyph information and
bitmaps for BDF fonts (FU#35599, FU#35600)
Upstream bug reports:
[1] https://savannah.nongnu.org/bugs/?35599
[2] https://savannah.nongnu.org/bugs/?35600
Upstream patch:
[3]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0b1c0c6b20bf121096afff206d570f26183402b3
Red Hat Bugzilla entry:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=800583
Issue #3:
=========
freetype: NULL pointer dereference by moving zone2 pointer point for certain
TrueType font (FU#35601)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35601
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=96cddb8d1d32d6738b06552083db9d6cee5b5cb4
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800584
Issue #4:
=========
freetype: Out-of heap-based buffer read when parsing certain SFNT strings
by Type42 font parser (FU#35602)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35602
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=82365c0dead99dd119d9e7117cf4f36ce1d1cbe1
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800585
Issue #5:
=========
freetype: Out-of heap-based buffer read by loading properties of PCF
fonts (FU#35603)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35603
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c776fc17bfeaa607405fc96620e9445e7a0965c3
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800587
Issue #6:
=========
freetype (64-bit specific): Out-of heap-based buffer read by attempt to
record current cell into the cell table (FU#35604)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35604
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=fcbc82e69e7b114b0db75e955896107d611898e6
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800589
Issue #7:
=========
freetype: Out-of heap-based buffer read flaw in Type1 font loader by
parsing font dictionary entries (FU#35606)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35606
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=58cbc465d2ccd904dee755cff791fbb3a866646d
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800590
Issue #8:
=========
freetype: Out-of heap-based buffer write by parsing BDF glyph information
and bitmaps (FU#35607)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35607
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=28dd2c45957278e962f95633157b6139de8170aa
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800591
Issue #9:
=========
freetype: Out-of heap-based buffer write in Type1 font parser by retrieving
font's private dictionary (FU#35608)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35608
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9577add645c8c05460c7d60ad486c021394b82e
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800592
Issue #10:
==========
freetype: Out-of heap-based buffer read in TrueType bytecode interpreter
by executing NPUSHB and NPUSHW instructions (FU#35640)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35640
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=5dddcc45a03b336860436a180aec5b358517336b
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800593
Issue #11:
==========
freetype: Out-of heap-based buffer write by parsing BDF glyph and bitmaps
information with missing ENCODING field (FU#35641)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35641
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=4086fb7caf41e33137e548e43a49a97b127cd369
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800594
Issue #12:
==========
freetype: Out-of heap-based buffer read by parsing BDF font header (FU#35643)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35643
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cee5d593582801f65c5e127d9de9ca24ebcdc747
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800595
Issue #13:
==========
freetype: Out-of heap-based buffer read in the TrueType bytecode
interpreter by executing the MIRP instruction (FU#35646)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35646
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a33c013fe2dc6e65de2879682201d9c155292349
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800597
Issue #14:
==========
freetype: Array index error, leading to out-of stack based buffer
read by parsing BDF font glyph information (FU#35656)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35656
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=6ac022dc750d95296a6f731b9594f2e751d997fa
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800598
Issue #15:
==========
freetype: Out-of heap-based buffer read by conversion of PostScript font objects (FU#35657)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35657
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=292144b44a15c1a72f2ef76475d65b7a3a3fba67
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800600
Issue #16:
==========
freetype: Out-of heap-based buffer read flaw by conversion of an ASCII
string into a signed short integer by processing BDF fonts (FU#35658)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35658
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9c1659610f9cd5e103790cb5963483d65cf0d2d
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800602
Issue #17:
==========
freetype: Out-of heap-based buffer write by retrieval of advance values
for glyph outlines (FU#35659)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35659
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=7d35a7dc7cc621538a1f4a63c83ebf223aace0b0
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800604
Issue #18:
==========
freetype: Integer divide by zero by performing arithmetic
computations for certain fonts (FU#35660)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35660
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=ba67957d5ead443f4b6b31805d6e780d54361ca4
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800606
Issue #19:
==========
freetype: Out-of heap-based buffer write in the TrueType bytecode
interpreter by moving zone2 pointer point (FU#35689)
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35689
Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0fc8debeb6c2f6a8a9a2b97332a7c8a0a1bd9e85
Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800607
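The post says all nineteen fixes land upstream in FreeType 2.4.9. The script below is an added example, not part of the original message or of the FreeType project: it asks the FreeType shared library actually loaded at runtime for its version via the public FT_Library_Version() API (through ctypes, so no build step), or takes a version string on the command line, and reports whether that version is at or above the 2.4.9 fix level. A version below 2.4.9 does not by itself prove a build is vulnerable, because distributions commonly backport such fixes without bumping the version; that caveat is deliberately printed rather than hidden.

```python
"""Compare a FreeType version against the upstream 2.4.9 fix level.

Added example, not code from the original post or from FreeType.
Assumes only what the post states: the listed flaws are fixed in 2.4.9.
"""
import ctypes
import ctypes.util
import re
import sys

FIXED_UPSTREAM = (2, 4, 9)  # release the post names as carrying the fixes


def parse_version(text):
    """Return (major, minor, patch) from strings such as '2.4.8',
    '2.4.8-3.el6' or 'FreeType 2.4.9'; None if no x.y.z is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_fixed_upstream(text):
    """True when the version is >= 2.4.9.

    False means 'older than the upstream fix release', not 'vulnerable':
    vendors backport fixes (see the Bugzilla entries above) without
    changing the version number, so check the vendor advisory too.
    """
    v = parse_version(text)
    if v is None:
        raise ValueError("no x.y.z version in %r" % text)
    return v >= FIXED_UPSTREAM


def installed_version():
    """Query the runtime libfreetype via FT_Library_Version(); None if absent.

    FT_Init_FreeType / FT_Library_Version / FT_Done_FreeType are FreeType's
    public API; the library handle is an opaque pointer (c_void_p here).
    """
    path = ctypes.util.find_library("freetype")
    if path is None:
        return None
    ft = ctypes.CDLL(path)
    lib = ctypes.c_void_p()
    if ft.FT_Init_FreeType(ctypes.byref(lib)) != 0:  # FT_Error, 0 == success
        return None
    major, minor, patch = ctypes.c_int(), ctypes.c_int(), ctypes.c_int()
    ft.FT_Library_Version(lib, ctypes.byref(major), ctypes.byref(minor),
                          ctypes.byref(patch))
    ft.FT_Done_FreeType(lib)
    return "%d.%d.%d" % (major.value, minor.value, patch.value)


def main(argv):
    # Usage: python check_ft.py [version-string]
    ver = argv[1] if len(argv) > 1 else installed_version()
    if ver is None:
        print("no version given and no libfreetype found at runtime")
        return 2
    if is_fixed_upstream(ver):
        print("FreeType %s is at or above upstream fix level 2.4.9" % ver)
    else:
        print("FreeType %s is below upstream fix level 2.4.9; "
              "check whether your vendor backported the fixes" % ver)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments on a host to query the loaded library, or pass the version printed by the package manager (for example the output of `rpm -q freetype` or `dpkg -s libfreetype6`) to evaluate a string offline.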