Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- FreeType: Multiple security flaws to be fixed in v2.4.9
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 06 Mar 2012 13:40:51 -0700

On 03/06/2012 12:57 PM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

A summary will also be posted at the end of this email. I gotta say this
is the best mass CVE request I've ever seen!

  we have been notified by Mateusz Jurczyk of the Google Security Team,
about the following FreeType security flaws, which are going to be fixed
in v2.4.9 version.

Credit: Mateusz Jurczyk, Google Security Team

Note: Though some the issues below might look like related / the same, I
have
      checked that each of them exclude themselves (IOW each of them is
different
      issue like the another. But was lazy to cross-reference those,
which of them
      is different from which another.

      Reproducers are attached to relevant upstream bug reports.

      Have Cc-ed Werner Lemberg of FreeType upstream on this post too,
so he could
      collect CVE identifiers prior FreeType v2.4.9 release.

      Yet, requesting CVE identifier even for the NULL ptr dereference
and floating
      point exception / integer divide by zero issue below, even if Red
Hat would not
      consider these to be security flaws. But other distributions might
be doing so,
      thus will let Steve to decide, if these two desire CVE identifiers
or not.

      And finally, due the count of the issues, not including full
issues description
      under each entry (to shorten the request). Only particular Red Hat
Bugzilla entry
      summary is included with relevant links to upstream bugs and
commits. Further issue
      description can be found under particular Red Hat Bugzilla entry
for each of them
      in initial comment (#c0).

Kurt, Steve, could you allocate CVE identifiers for these?

Thank you && Regards, Jan.
-- 
Jan iankko Lieskovsky / Red Hat Security Response Team




Issue #1:
=========
  freetype: Out-of heap-based buffer read by parsing, adding properties
in BDF
  fonts, or validating if property being an atom (FU#35597, FU#35598)

Upstream bug reports:
[1] https://savannah.nongnu.org/bugs/?35597
[2] https://savannah.nongnu.org/bugs/?35598

Upstream patch:
[3]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=320d4976d1d010b5abe9d61a7423d8ca06bc34df


Red Hat Bugzilla entry:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=800581

Please use CVE-2012-1126 for this issue.

Issue #2:
=========
  freetype: Out-of heap-based buffer read by parsing glyph information and
  bitmaps for BDF fonts (FU#35599, FU#35600)

Upstream bug reports:
[1] https://savannah.nongnu.org/bugs/?35599
[2] https://savannah.nongnu.org/bugs/?35600

Upstream patch:
[3]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0b1c0c6b20bf121096afff206d570f26183402b3


Red Hat Bugzilla entry:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=800583

Please use CVE-2012-1127 for this issue.

Issue #3:
=========
  freetype: NULL pointer dereference by moving zone2 pointer point for
certain
  TrueType font (FU#35601)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35601

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=96cddb8d1d32d6738b06552083db9d6cee5b5cb4


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800584

Please use CVE-2012-1128 for this issue.

Issue #4:
=========
  freetype: Out-of heap-based buffer read when parsing certain SFNT strings
  by Type42 font parser (FU#35602)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35602

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=82365c0dead99dd119d9e7117cf4f36ce1d1cbe1


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800585

Please use CVE-2012-1129 for this issue.

Issue #5:
=========
  freetype: Out-of heap-based buffer read by loading properties of PCF
  fonts (FU#35603)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35603

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c776fc17bfeaa607405fc96620e9445e7a0965c3


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800587

Please use CVE-2012-1130 for this issue.

Issue #6:
=========
  freetype (64-bit specific): Out-of heap-based buffer read by attempt to
  record current cell into the cell table (FU#35604)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35604

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=fcbc82e69e7b114b0db75e955896107d611898e6


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800589

Please use CVE-2012-1131 for this issue.

Issue #7:
=========
  freetype: Out-of heap-based buffer read flaw in Type1 font loader by
  parsing font dictionary entries (FU#35606)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35606

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=58cbc465d2ccd904dee755cff791fbb3a866646d


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800590

Please use CVE-2012-1132 for this issue.

Issue #8:
=========
  freetype: Out-of heap-based buffer write by parsing BDF glyph information
  and bitmaps (FU#35607)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35607

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=28dd2c45957278e962f95633157b6139de8170aa


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800591

Please use CVE-2012-1133 for this issue.

Issue #9:
=========
  freetype: Out-of heap-based buffer write in Type1 font parser by
retrieving
  font's private dictionary (FU#35608)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35608

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9577add645c8c05460c7d60ad486c021394b82e


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800592

Please use CVE-2012-1134 for this issue.

Issue #10:
==========
  freetype: Out-of heap-based buffer read in TrueType bytecode interpreter
  by executing NPUSHB and NPUSHW instructions (FU#35640)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35640

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=5dddcc45a03b336860436a180aec5b358517336b


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800593

Please use CVE-2012-1135 for this issue.

Issue #11:
==========
  freetype: Out-of heap-based buffer write by parsing BDF glyph and bitmaps
  information with missing ENCODING field (FU#35641)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35641

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=4086fb7caf41e33137e548e43a49a97b127cd369


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800594

Please use CVE-2012-1136 for this issue.

Issue #12:
==========
  freetype: Out-of heap-based buffer read by parsing BDF font header
(FU#35643)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35643

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cee5d593582801f65c5e127d9de9ca24ebcdc747


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800595

Please use CVE-2012-1137 for this issue.

Issue #13:
==========
  freetype: Out-of heap-based buffer read in the TrueType bytecode
  interpreter by executing the MIRP instruction (FU#35646)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35646

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a33c013fe2dc6e65de2879682201d9c155292349


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800597

Please use CVE-2012-1138 for this issue.

Issue #14:
==========
  freetype: Array index error, leading to out-of stack based buffer
  read by parsing BDF font glyph information (FU#35656)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35656

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=6ac022dc750d95296a6f731b9594f2e751d997fa


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800598

Please use CVE-2012-1139 for this issue.

Issue #15:
==========
  freetype: Out-of heap-based buffer read by conversion of PostScript
font objects (FU#35657)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35657

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=292144b44a15c1a72f2ef76475d65b7a3a3fba67


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800600

Please use CVE-2012-1140 for this issue.

Issue #16:
==========
  freetype: Out-of heap-based buffer read flaw by conversion of an ASCII
  string into a signed short integer by processing BDF fonts (FU#35658)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35658

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9c1659610f9cd5e103790cb5963483d65cf0d2d


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800602

Please use CVE-2012-1141 for this issue.

Issue #17:
==========
  freetype: Out-of heap-based buffer write by retrieval of advance values
  for glyph outlines (FU#35659)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35659

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=7d35a7dc7cc621538a1f4a63c83ebf223aace0b0


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800604

Please use CVE-2012-1142 for this issue.

Issue #18:
==========
  freetype: Integer divide by zero by performing arithmetic
  computations for certain fonts (FU#35660)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35660

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=ba67957d5ead443f4b6b31805d6e780d54361ca4


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800606

Please use CVE-2012-1143 for this issue.

Issue #19:
==========
  freetype: Out-of heap-based buffer write in the TrueType bytecode
  interpreter by moving zone2 pointer point (FU#35689)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35689

Upstream patch:
[2]
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0fc8debeb6c2f6a8a9a2b97332a7c8a0a1bd9e85


Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800607

Please use CVE-2012-1144 for this issue.

Summary:

CVE-2012-1126 FreeType 2.4.8 Out-of heap-based buffer read by parsing,
adding properties in BDF

CVE-2012-1127 FreeType 2.4.8 Out-of heap-based buffer read by parsing
glyph information and bitmaps for BDF fonts

CVE-2012-1128 FreeType 2.4.8 NULL pointer dereference by moving zone2
pointer point for certain TrueType font

CVE-2012-1129 FreeType 2.4.8 Out-of heap-based buffer read when parsing
certain SFNT strings by Type42 font parser

CVE-2012-1130 FreeType 2.4.8 Out-of heap-based buffer read by loading
properties of PCF fonts

CVE-2012-1131 FreeType 2.4.8 freetype (64-bit specific): Out-of
heap-based buffer read by attempt to record current cell into the cell table

CVE-2012-1132 FreeType 2.4.8 Out-of heap-based buffer read flaw in Type1
font loader by parsing font dictionary entries

CVE-2012-1133 FreeType 2.4.8 Out-of heap-based buffer write by parsing
BDF glyph information and bitmaps

CVE-2012-1134 FreeType 2.4.8 Out-of heap-based buffer write in Type1
font parser by retrieving font's private dictionary

CVE-2012-1135 FreeType 2.4.8 Out-of heap-based buffer read in TrueType
bytecode interpreter by executing NPUSHB and NPUSHW instructions

CVE-2012-1136 FreeType 2.4.8 Out-of heap-based buffer write by parsing
BDF glyph and bitmaps information with missing ENCODING field

CVE-2012-1137 FreeType 2.4.8 Out-of heap-based buffer read by parsing
BDF font header

CVE-2012-1138 FreeType 2.4.8 Out-of heap-based buffer read in the
TrueType bytecode interpreter by executing the MIRP instruction

CVE-2012-1139 FreeType 2.4.8 Array index error, leading to out-of stack
based buffer read by parsing BDF font glyph information

CVE-2012-1140 FreeType 2.4.8 Out-of heap-based buffer read by conversion
of PostScript font objects

CVE-2012-1141 FreeType 2.4.8 Out-of heap-based buffer read flaw by
conversion of an ASCII string into a signed short integer by processing
BDF fonts

CVE-2012-1142 FreeType 2.4.8 Out-of heap-based buffer write by retrieval
of advance values for glyph outlines

CVE-2012-1143 FreeType 2.4.8 Integer divide by zero by performing
arithmetic computations for certain fonts

CVE-2012-1144 FreeType 2.4.8 Out-of heap-based buffer write in the
TrueType bytecode interpreter by moving zone2 pointer point


-- 
Kurt Seifried Red Hat Security Response Team (SRT)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]