Bug 225851 - media-libs/freetype < 2.3.6 multiple vulnerabilities (CVE-2008-{1806,1807,1808})
Bug#: 225851
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: critical
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: vorlon@gentoo.org
Component: Vulnerabilities
URL: http://www.openwall.com/lists/oss-security/2008/06/10/4
Summary: media-libs/freetype < 2.3.6 multiple vulnerabilities (CVE-2008-{1806,1807,1808})
Keywords:
Status Whiteboard: A2 [glsa errata]
Opened: 2008-06-11 09:18 0000
fonts herd, please provide an updated ebuild
(In reply to comment #1)
> fonts herd, please provide an updated ebuild
Please check your local portage rsync mirror.
sorry, loki_val pointed out that it was already in the tree
arches, please test media-libs/freetype-2.3.6 and mark stable if possible
target KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc
~sparc-fbsd x86 ~x86-fbsd"
it should be okay to remove 2.1.10-r3 now. i kept it in the tree because some
people were getting crashes with newer versions, but we fixed that with some
eclass changes a while back.
Created an attachment (id=156889) [details]
freetype 2.3.6 build log
emerge failed for me -> x86
build log attached
Portage 2.1.4.4 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.6.1-r0,
2.6.24-gentoo-r8 i686)
=================================================================
System uname: 2.6.24-gentoo-r8 i686 Intel(R) Pentium(R) M processor 2.00GHz
Timestamp of tree: Sun, 15 Jun 2008 12:30:01 +0000
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python: 2.4.4-r13
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.12
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.7.9-r1, 1.9.6-r2, 1.10.1
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium-m -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf
/etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c
/etc/udev/rules.d"
CXXFLAGS="-march=pentium-m -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distlocks metadata-transfer parallel-fetch
sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://darkstar.ist.utl.pt/gentoo/
http://ftp.dei.uc.pt/pub/linux/gentoo/ http://cesium.di.uminho.pt/pub/gentoo/"
LANG="en_US.UTF-8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/science /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X alsa bzip2 cli cracklib crypt cups dri firefox fortran gdbm gif gpm
iconv ipv6 isdnlog jpeg midi mudflap ncurses nptl nptlonly opengl openmp pcre
perl png pppd python readline reflection sdl session spl sse sse2 ssl tcpd tiff
truetype unicode x86 xorg zlib" ALSA_CARDS="intel8x0 intel8x0m"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest
authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile
authz_host authz_owner authz_user autoindex cache dbd deflate dir disk_cache
env expires ext_filter file_cache filter headers ident imagemap include info
log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp
proxy_balancer proxy_connect proxy_ftp proxy_http rewrite setenvif speling
status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker"
ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" USERLAND="GNU" VIDEO_CARDS="fbdev fglrx vesa vga radeon"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS,
LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Fixed in release snapshot.
(In reply to comment #13)
> try rebuilding libtool.
>
Still doesn't build. The error is the same
revdep-rebuild finds nothing...
sync as of Thu Jun 19 21:20:34 UTC 2008
(In reply to comment #15)
> (In reply to comment #13)
> > try rebuilding libtool.
> >
>
> Still doesn't build. The error is the same
> revdep-rebuild finds nothing...
> sync as of Thu Jun 19 21:20:34 UTC 2008
>
Nevermind... ccache was the culprit. cleaning ccache solved the problem
(In reply to comment #17)
> GLSA 200806-10
>
All the CVEs state that FreeType2 has vulnerabilities.
The GLSA's scope is applied to 1.X series also. Is this correct?
TexLive has dependencies on =media-libs/freetype-1*
I don't think this will be easy to change any time soon.
Is there really a problem with the 1.x code?
If there is, could a backported FreeType-1.x fix be made available?
the CVEs specifically say Freetype2, so I don't believe 1.* is affected.
however i don't speak for the security team.
+*freetype-1.4_pre20080316-r1 (06 Jul 2008)
+
+ 06 Jul 2008; Peter Alfredsen <loki_val@gentoo.org>
+ +files/freetype-1.4_pre20080316-CVE-2008-1808.patch,
+ +freetype-1.4_pre20080316-r1.ebuild:
+ Revbump for CVE-2008-{1806,1807,1808}, bug #225851.
+
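Review bot: the entry's message says the revbump covers CVE-2008-{1806,1807,1808}, but the only file added alongside the ebuild is files/freetype-1.4_pre20080316-CVE-2008-1808.patch. The message should state which of the three CVEs actually apply to the 1.x code and are addressed by that patch, so that anyone reading the ChangeLog later can tell whether 1806 and 1807 were judged not applicable or simply left unpatched.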
Arches, please test and mark stable:
=media-libs/freetype-1.4_pre20080316-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
ppc and ppc64 -r1 done now.
Sparc stable for freetype-1.4_pre20080316-r1, too.
Both stable for HPPA now.
(In reply to comment #22)
> Arches, please test and mark stable:
> =media-libs/freetype-1.4_pre20080316-r1
> Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
>
Can we get the GLSA vulnerable/unaffected versions updated so that glsa-check
does not keep identifying freetype-1.4_pre20080316-r1 as an issue?
(In reply to comment #29)
> Can we get the GLSA vulnerable/unaffected versions updated so that glsa-check
> does not keep identifying freetype-1.4_pre20080316-r1 as an issue?
Yes, we will. Please note that this will require an updated version of the GLSA
to be sent out.
*** Bug 233962 has been marked as a duplicate of this bug. ***
*** Bug 235412 has been marked as a duplicate of this bug. ***
xml fixed (added 1.4_pre20080316-r1 as unaffected). No errata will be released
as users were safe anyway. Sorry for the delay.