Fuzz Testing by Josh Bressers (Red Hat) uncovered an integer overflow issue in freetype2.

CVE-2006-0747:
http://cvs.savannah.gnu.org/viewcvs/freetype/freetype2/src/pshinter/pshglob.c?r1=1.30&r2=1.31&makepatch=1&diff_format=h
http://cvs.savannah.gnu.org/viewcvs/freetype/freetype2/src/cff/cffload.c?r1=1.73&r2=1.74&makepatch=1&diff_format=h
http://cvs.savannah.gnu.org/viewcvs/freetype/freetype2/src/type1/t1load.c?r1=1.104&r2=1.105&makepatch=1&diff_format=h

"Normally I wouldn't think this is exploitable as it should crash before anything exciting can happen, most graphical applications are multi-threaded, so this does worry me. At the very least this issue is a denial of service bug."

NO-CVE-ID:
http://cvs.savannah.gnu.org/viewcvs/freetype/freetype2/src/base/ftutil.c?r1=1.17&r2=1.18&makepatch=1&diff_format=h

"I'm not going to give this one a CVE id, I don't envision it DoSing anything other than end user desktop applications."

foser: please apply patches and silently reference this bug. This will be fully public on March 22.
Setting status
In fact more is coming, Chris Evans found a few exploitable integer overflows in font parsers. The March 22 date has been cancelled pending more details. Let's wait a little.
Details for the Chris Evans part: http://scary.beasts.org/security/63ddacf7d2224298/CESA-2006-001.html Still no disclosure date, though the Freetype people said they would probably commit the fixes in their CVS soon.
A new release is coming up next week. We should be able to derive a patch soon.
Follow-up by Josh Bressers from Red Hat:

I'm attaching patches for what I've found along with the CVE ids and descriptions. The descriptions come from the commit messages. I think I've classified all these correctly, it's possible I've not, speak up if you think I'm wrong.

* DoS

#1
* src/sfnt/ttkern.c (tt_face_get_kerning): fixed a serious bug that caused some programs to go into an infinite loop when dealing with fonts that don't have a properly sorted kerning sub-table

* Integer overflow

Issues 2, 3, 4, and 6 are CVE-2006-1861

#2
* src/bdf/bdflib.c (ERRMSG4): New macro. (_bdf_parse_glyphs): Handle invalid BBX values.
* include/freetype/fterrdef.h (FT_Err_Bbx_Too_Big): New error macro.

#3
* src/sfnt/ttcmap.c (tt_face_build_cmaps): Handle invalid offset correctly.

#4
* src/cff/cfftypes.h (CFF_CharsetRec): Add `max_cid' member.
* src/cff/cffload.c (cff_charset_load): Set `charset->max_cid'.
* src/cff/cffgload.c (cff_slot_load): Change type of third parameter to `FT_UInt'. Check range of `glyph_index'.
* src/cff/cffgload.h: Updated.

#6
* src/bdf/bdflib.c: fixed a problem with large encodings. Again, this patch comes from Debian libfreetype6 for 2.1.10 !

#5
This issue has no CVE id, it won't get one.
* src/base/ftutil.c: ft_mem_alloc and related functions now return an error if a negative size is passed in parameters.

The issues below are CVE-2006-0747
* src/cache/ftccache.c: make ftc_node_destroy FT_BASE_DEF, it needs to be exported for rogue clients
* src/pshinter/pshglob.c: prevent problems with malformed fonts which have an odd number of blue values (these are broken according to the specs).
* src/cff/cffload.c, src/type1/t1load.c: modify the loaders to force even-ness of 'num_blue_values'. Also change the CFF loader so that invalid entries in index files are ignored.
Created attachment 86118 [details, diff] issue_1.patch
Created attachment 86119 [details, diff] issue_2.patch
Created attachment 86120 [details, diff] issue_3.patch
Created attachment 86121 [details, diff] issue_4.patch
Created attachment 86122 [details, diff] issue_5.patch
Created attachment 86123 [details, diff] issue_6.patch
2.2.1 should be released soon to address these problems. The patches above are apparently not enough, let me know if you want to patch instead of bumping to 2.2.1 and I'll attach the latest patch I have.
2.2 snapshot is available at URI.
2.1 needs to be patched for sure, the changes between it and 2.2 are too extensive. Some packs in the tree will not build with 2.2. I'll have a look at it today, there are some more things I should fix in freetype and I was waiting for this bug to deal with it.
Created attachment 86201 [details, diff] array.patch

The last patch (I think). Patch for the following changelog entry, extracted by Josh Bressers from Red Hat:

2006-05-02 David Turner <david@freetype.org>
Update the memory management functions and macros to safely deal with array size buffer overflows.
foser: any news on this? This should get public soon, so better have an ebuild ready.
I was unable to apply the array patch to 2.1.10, too extensive. Sune suggested we wait to see what other distros would come up with.
Public @ http://www.freetype.org/index2.html#release-freetype-2.2.1
*** Bug 133158 has been marked as a duplicate of this bug. ***
Well, as indicated before I can't patch 2.1.10 all the way and it is a no-go to make 2.2 stable immediately because quite a few packs won't build with it and the internal changes have been extensive. So what would you advise?
We apparently aren't the only ones caught in the "I only work on the latest version" Freetype stance. So we should probably wait for and/or collaborate with other distros to make up a 2.1.10 patch. If I understand correctly, the problem with the array.patch is that it's extracted from the 2.2 -> 2.2.1 changes so it doesn't apply to 2.1 cleanly (and changes are too extensive for us to be able to adapt it), right?
Correct. I'm not saying it's impossible to adapt, but it's a bit over the top and would ideally require an understanding of freetype that I do not possess. iirc it interferes with the issue_x patches and patches stuff that does not yet exist (in the same form) in the 2.1 codebase. The issue_x patches don't apply all that cleanly either, but I got those to work. I'm just hoping some paid RH/Ubuntu/Novell folk get around to it soon. To me the question is if you want the partially patched ft-2.1.10 or none at all at this point in time. 2.2 will be added, but masked.
Better wait and patch them all. We'll try to look for help on v-s, otherwise we'll dissect the security patches from the others when they are out.
*** Bug 134011 has been marked as a duplicate of this bug. ***
Ubuntu fixed this today: http://www.ubuntu.com/usn/usn-291-1
DSA 1095-1 patch against 2.1.7 : http://security.debian.org/pool/updates/main/f/freetype/freetype_2.1.7-2.5.diff.gz
foser, can you provide new ebuilds with the debian patches?
Created attachment 89111 [details, diff] CVE-2006-0747_integer-underflows.diff Patch 1 of 4
Created attachment 89112 [details, diff] CVE-2006-0747_nullpointer-deref.diff Patch 2 of 4
Created attachment 89113 [details, diff] CVE-2006-1861_integer-overflows.diff Patch 3 of 4
Created attachment 89114 [details, diff] CVE-2006-2493_integer-overflows.diff Patch 4 of 4
Created attachment 89115 [details, diff] freetype-2.1.10-r1.ebuild
Sorry for my lacking involvement, I've been too busy. I'll try to get this in tonight.
so they only did the overflows as well.. I could've done that ages ago.
Sorry, but upgrading to freetype-2.1.10-r1.ebuild makes all my kde apps crash the xorg server (yes, xorg server, not only the kde app). Reverting to 2.1.10 solves the problem. One of the patches here should be wrong.

My emerge info:

Portage 2.1.1_pre1-r1 (default-linux/x86/2006.0, gcc-4.1.1/vanilla, glibc-2.4-r3, 2.6.16.20-sw i686)
=================================================================
System uname: 2.6.16.20-sw i686 Intel(R) Celeron(R) CPU 2.60GHz
Gentoo Base System version 1.12.1
ccache version 2.4 [enabled]
dev-lang/python: 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.4-r2
dev-util/confcache: 0.4.2-r1
sys-apps/sandbox: 1.2.18.1
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r2
sys-devel/gcc-config: [Not Present]
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r5
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -mtune=pentium4 -fomit-frame-pointer -funroll-loops -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/eselect/compiler /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=pentium4 -O2 -mtune=pentium4 -fomit-frame-pointer -funroll-loops -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache confcache distlocks fixpackages metadata-transfer sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://mir1.ovh.net/gentoo-distfiles/ http://pandemonium.tiscali.de/pub/gentoo/ http://ftp.du.se/pub/os/gentoo"
LANG="fr_FR.UTF-8"
LC_ALL="fr_FR.UTF-8"
LINGUAS="fr"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/gcpan-portage /usr/local/portage /usr/local/portage-local"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acl acpi acpi4linux alsa apache2 apm asf async audiofile avi bash-completion berkdb bitmap-fonts bzip2 cairo clamav cli codecs commercial crypt cups dba dbus dga distribution dnd dri dv dvd dvdread editor encode exif exo expat extensions faad fbcon ffmpeg firefox flac foomaticdb fortran freetype fs gd gdbm gif gimp glut gmp gpm gtk gtk2 hal idled idn imagemagick imap imlib2 ipv6 isdnlog ithreads jabber java jce jpeg jpeg2k kde kdeenablefinal kdehiddenvisibility kqemu lcms libcaca libg++ libwww logitech-mouse mad maildir matroska md5sum mhash mikmod mmx mng monkey motif mozdevelop mozsvg mp3 mpeg mpm-worker ncurses network nls no_wxgtk1 nptl nptlonly nsplugin nvidia offensive ofx ogg opengl pam panel-plugin pcre pdflib perl php pic png posix povray ppds pppd print python qt qt3 quicktime rdesktop readline real reflection samba sasl sdl session slang soap sockets softmmu speex spell spl sse sse2 ssl startup-notification svg sysfs syslog tabs tcpd tetex theora threads thunar-vfs tiff tools truetype truetype-fonts type1 type1-fonts udev unicode usb v4l v4l2 vorbis win32codecs wxwindows xcomposite xine xml xml2 xorg xprint xrandr xv xvid zlib elibc_glibc input_devices_keyboard input_devices_mouse kernel_linux linguas_fr userland_GNU video_cards_i810"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
I was worried about that, that's why I put it out to test for a bit. If you comment out the revert_pointer patch, does that fix the crashing?
(In reply to comment #36)
> I was worried about that, that's why I put it out to test for a bit. If you
> comment out the revert_pointer patch, does that fix the crashing?

No, commenting this patch does not solve the problem with the kde apps. The only way to solve it is to comment the security patch (${FILESDIR}/${P}-security_batch.patch)...
Can you get a backtrace (with debug info) from a crashing app?
(In reply to comment #38)
> Can you get a backtrace (with debug info) from a crashing app?

Sorry, but when I launch a kde (or Qt, which also crashes) app with gdb, after the crash, gdb reports "no stack" when I use the "bt" command.

I currently have tested launching a twm session, then:

DISPLAY=:0 gdb /usr/qt/3/bin/qtconfig (or /usr/kde/3.5/bin/kcalc for example)
run
<go to the X session to set the window position>
<Xorg crash>
<return to gdb tty>
bt -> empty stack

freetype is compiled with debug infos (-ggdb and feature nostrip). Do you have another idea to get a backtrace?

Xorg log reports this error:
> Backtrace:
> 0: /usr/bin/X(xf86SigHandler+0xa4) [0x80e74e4]
>
> Fatal server error:
> Caught signal 8. Server aborting

Should I also recompile xorg-server with debug infos?
I finally got it using gdb on the X process:

(gdb) bt
#0 0x40128fa8 in ft_raster1_render (render=0x84b7be8, slot=0x84d9220, mode=FT_RENDER_MODE_MONO, origin=0x0) at ftrend1.c:179
#1 0x400ed8de in FT_Render_Glyph_Internal (library=0x84a8048, slot=0x84d9220, render_mode=FT_RENDER_MODE_MONO) at ftobjs.c:2898
#2 0x400ed99f in FT_Render_Glyph (slot=0x84d9220, render_mode=FT_RENDER_MODE_MONO) at ftobjs.c:2938
#3 0x40065106 in FreeTypeRegisterFontFileFunctions () from /usr/lib/libXfont.so.1
#4 0xbfe10900 in ?? ()
#5 0x00000000 in ?? ()

So the problem is the part of CVE-2006-2493_integer-overflows.diff concerning ftrend1.c. Removing this part of the patch solves the problem:

# diff -U3 freetype-2.1.10-security_batch.patch.orig freetype-2.1.10-security_batch.patch --- freetype-2.1.10-security_batch.patch.orig 2006-06-21 22:06:50.000000000 +0200 +++ freetype-2.1.10-security_batch.patch 2006-06-21 22:07:00.000000000 +0200 @@ -233,27 +233,6 @@ { FT_Int reference, delta; FT_UInt count; -diff -uNr -x '*.orig' freetype-2.1.10/src/raster/ftrend1.c freetype-2.1.10.patched/src/raster/ftrend1.c ---- freetype-2.1.10/src/raster/ftrend1.c 2005-05-11 17:01:49.000000000 +0200 -+++ freetype-2.1.10.patched/src/raster/ftrend1.c 2006-06-19 19:16:07.000000000 +0200 -@@ -21,6 +21,7 @@ - #include FT_OUTLINE_H - #include "ftrend1.h" - #include "ftraster.h" -+#include <limits.h> - - #include "rasterrs.h" - -@@ -175,6 +176,9 @@ - bitmap->rows = height; - bitmap->pitch = pitch; - -+ if ((FT_ULong)pitch > LONG_MAX/height) -+ goto Exit; -+ - if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) ) - goto Exit; - diff -uNr -x '*.orig' freetype-2.1.10/src/sfnt/ttcmap.c freetype-2.1.10.patched/src/sfnt/ttcmap.c --- freetype-2.1.10/src/sfnt/ttcmap.c 2005-05-11 16:37:40.000000000 +0200 +++ freetype-2.1.10.patched/src/sfnt/ttcmap.c 2006-06-19 19:16:01.000000000 +0200

After this modification, all goes OK!
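Review bot: the ftrend1.c hunk being dropped from the security batch here guards `FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height )` with `if ((FT_ULong)pitch > LONG_MAX/height) goto Exit;`, but the division has no check that `height` is non-zero; `height` comes from the outline's control box, so a glyph with no points gives height 0 and the guard itself raises SIGFPE, which is what the X server backtrace at ftrend1.c:179 shows. Rather than removing the overflow check altogether, keep it and skip the division for the empty bitmap, e.g. `if ( height != 0 && (FT_ULong)pitch > LONG_MAX / height )`. The guard should also assign an error code before `goto Exit`: unlike the `FT_ALLOC` line below it, it jumps to Exit leaving `error` at whatever value it already held, so an oversized glyph that is rejected may not be reported as a failure to the caller.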
Sorry, I forgot to paste the error type. It's an arithmetic exception:

Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 1076703280 (LWP 7974)]
0x40128fa8 in ft_raster1_render (render=0x84b7be8, slot=0x84d9220, mode=FT_RENDER_MODE_MONO, origin=0x0) at ftrend1.c:179
Here is more investigation:

Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 1076703280 (LWP 20070)]
0x40128fa8 in ft_raster1_render (render=0x84bec78, slot=0x84dbe50, mode=FT_RENDER_MODE_MONO, origin=0x0) at /var/tmp/portage/freetype-2.1.10-r1/work/freetype-2.1.10/src/raster/ftrend1.c:179
179     /var/tmp/portage/freetype-2.1.10-r1/work/freetype-2.1.10/src/raster/ftrend1.c: Aucun fichier ou répertoire de ce type.
        in /var/tmp/portage/freetype-2.1.10-r1/work/freetype-2.1.10/src/raster/ftrend1.c
(gdb) p height
$1 = 0
(gdb) p pitch
$2 = 0
(gdb) p cbox
$3 = {xMin = 0, yMin = 0, xMax = 0, yMax = 0}
(gdb) p *outline
$6 = {n_contours = 0, n_points = 0, points = 0x0, tags = 0x0, contours = 0x0, flags = 260}

In the source code, height is from:

150     height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );

cbox is from outline:

141     /* compute the control box, and grid fit it */
142     FT_Outline_Get_CBox( outline, &cbox );

So at line 179:

179     if ((FT_ULong)pitch > LONG_MAX/height)

there is a division by zero.

Pointing to CVE advisory: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2493

It seems that this patch should not be used...
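The division by zero found above is a failure of the overflow guard itself, not of the code it protects, so it is worth seeing how such a size check is written so that it survives the empty-glyph case. The program below is an added illustration for this bug, not FreeType's code and not any of the patches attached here: plain `unsigned long`, `unsigned int` and `long` stand in for `FT_ULong`, `FT_UInt` and `FT_Long`, and the function names (`height_from_cbox`, `patch_check_would_reject`, `bitmap_alloc_size`) are mine. It keeps the `pitch > LONG_MAX / height` bound the rejected hunk used, but handles height 0 (exactly the state the gdb session shows: all-zero cbox, no points) before dividing, and reports a rejected size through the return value rather than a bare `goto Exit`.

```c
#include <limits.h>
#include <stdio.h>

/* Added illustration, not FreeType code: unsigned long / unsigned int / long
   stand in for FreeType's FT_ULong / FT_UInt / FT_Long. */

/* Height the way ftrend1.c derives it from the control box: coordinates are
   26.6 fixed point, so the pixel count is the difference shifted right by 6.
   An outline with no points has an all-zero cbox and therefore height 0. */
unsigned int height_from_cbox(long yMin, long yMax)
{
    return (unsigned int)((yMax - yMin) >> 6);
}

/* The test exactly as the rejected hunk wrote it: pitch > LONG_MAX / height.
   Correct for height > 0, but for height == 0 the division itself faults
   (SIGFPE), which is the X server crash in this bug. Callers must only
   reach it with height != 0. */
int patch_check_would_reject(unsigned long pitch, unsigned int height)
{
    return pitch > (unsigned long)LONG_MAX / height;
}

/* Defensive version. Returns the byte count for the bitmap buffer, or -1 when
   pitch * height would exceed LONG_MAX (the largest size a signed allocation
   size can carry). The empty bitmap is handled first, so the division can
   never see a zero divisor and the caller still gets a well-defined size 0. */
long bitmap_alloc_size(unsigned long pitch, unsigned int height)
{
    if (height == 0 || pitch == 0)
        return 0;                               /* nothing to allocate */
    if (pitch > (unsigned long)LONG_MAX / height)
        return -1;                              /* product would wrap: reject */
    return (long)(pitch * height);              /* bounded above, cannot wrap */
}

int main(void)
{
    /* Constructed inputs: the all-zero cbox from the gdb session, a normal
       glyph, and a glyph whose pitch * height cannot fit in a long. */
    unsigned int h_empty = height_from_cbox(0, 0);
    printf("empty glyph: height %u, size %ld\n",
           h_empty, bitmap_alloc_size(0, h_empty));
    printf("64x32 glyph: size %ld\n", bitmap_alloc_size(64, 32));
    printf("oversized glyph: size %ld (rejected)\n",
           bitmap_alloc_size((unsigned long)LONG_MAX, 3));
    printf("original check rejects it too: %d\n",
           patch_check_would_reject((unsigned long)LONG_MAX, 3));
    return 0;
}
```

The ordering is the whole point: the zero case is decided before any division, and because `pitch <= LONG_MAX / height` implies `pitch * height <= LONG_MAX`, the multiplication that follows is performed only when it is already known not to wrap.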
Progress has been made in #137388 with a new patchset, which should tackle all the security issues. According to http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2493 , 2493 is really 1861 and the patch is unneeded.
There have been no more problem reports with the current patchset in freetype-2.1.10-r2 here or in #137388, so I think it can go stable. Everyone here, thanks for your input and work so far.
Arches please test and mark stable.
ppc64 stable
Stable on ppc.
alpha stable.
amd64 stable.
sparc stable.
media-libs/freetype-2.1.10-r2 USE="zlib -bindist -doc" 0 kB compiling and working fine on x86
x86 is gone ^.^
Already stable on hppa.
Hi everyone, this one is ready for GLSA.
Thx everyone. GLSA 200607-02. arm, ia64, s390: don't forget to mark stable to benefit from the GLSA.
2.1.10-r2 stable on mips.
Does not affect current (2008.0) release. Removing release.