Bug 263032 (CVE-2009-0946) - <media-libs/freetype-2.3.9-r1 Multiple integer overflows (CVE-2009-0946)
Summary: <media-libs/freetype-2.3.9-r1 Multiple integer overflows (CVE-2009-0946)
Status: RESOLVED FIXED
Alias: CVE-2009-0946
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-19 12:55 UTC by Robert Buchholz (RETIRED)
Modified: 2009-05-25 12:16 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
freetype-2.3.8-sec.diff (freetype-2.3.8-sec.diff,3.55 KB, patch)
2009-03-19 12:56 UTC, Robert Buchholz (RETIRED)
freetype-2.3.9-CVE-2009-0946.patch (freetype-2.3.9-CVE-2009-0946.patch,4.32 KB, patch)
2009-05-03 18:24 UTC, Ryan Hill (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 12:55:20 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Tavis Ormandy of Google Security discovered multiple integer overflows in freetype.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 12:56:29 UTC
This is still lacking CVE id and upstream approval for the patch provided by Tavis. Reproducers are available.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 12:56:52 UTC
Created attachment 185509 [details, diff]
freetype-2.3.8-sec.diff
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-17 16:23:22 UTC
CVE-2009-0946 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0946):
  Multiple integer overflows in FreeType 2.3.9 and earlier allow remote
  attackers to execute arbitrary code via vectors related to large
  values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c,
  and (3) cff/cffload.c.

Comment 5 Ryan Hill (RETIRED) gentoo-dev 2009-05-03 18:24:05 UTC
Created attachment 190235 [details, diff]
freetype-2.3.9-CVE-2009-0946.patch
Comment 6 Ryan Hill (RETIRED) gentoo-dev 2009-05-03 18:38:18 UTC
freetype-2.3.9-r1 added to tree
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-05-03 22:29:21 UTC
Arches, please test and mark stable:
=media-libs/freetype-2.3.9-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-05-04 00:10:50 UTC
ppc64 done
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-05-04 00:10:57 UTC
ppc done
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-04 14:02:07 UTC
amd64 stable
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-04 17:27:57 UTC
x86 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-05 05:14:31 UTC
Stable for HPPA.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2009-05-06 16:06:33 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-06 18:50:18 UTC
GLSA request filed.
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-24 18:04:14 UTC
GLSA 200905-05
Comment 16 Nick White 2009-05-25 12:16:16 UTC
Does this bug also affect freetype-1.4? I still need this for texlive, but it doesn't appear to have been patched.