
Bug 263032 (CVE-2009-0946)

Summary: <media-libs/freetype-2.3.9-r1 Multiple integer overflows (CVE-2009-0946)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: fonts, gentoo, please.no.spam.here, rhill
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Attachments (Description, Flags):
freetype-2.3.8-sec.diff, none
freetype-2.3.9-CVE-2009-0946.patch, none

Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 12:55:20 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Tavis Ormandy of Google Security discovered multiple integer overflows in freetype.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 12:56:29 UTC
This is still lacking CVE id and upstream approval for the patch provided by Tavis. Reproducers are available.

Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 12:56:52 UTC
Created attachment 185509
freetype-2.3.8-sec.diff

Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-17 16:23:22 UTC
CVE-2009-0946 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0946):
  Multiple integer overflows in FreeType 2.3.9 and earlier allow remote
  attackers to execute arbitrary code via vectors related to large
  values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c,
  and (3) cff/cffload.c.

Comment 5 Ryan Hill (RETIRED) gentoo-dev 2009-05-03 18:24:05 UTC
Created attachment 190235
freetype-2.3.9-CVE-2009-0946.patch

Comment 6 Ryan Hill (RETIRED) gentoo-dev 2009-05-03 18:38:18 UTC
freetype-2.3.9-r1 added to tree

Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-05-03 22:29:21 UTC
Arches, please test and mark stable:
=media-libs/freetype-2.3.9-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-05-04 00:10:50 UTC
ppc64 done

Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-05-04 00:10:57 UTC
ppc done

Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-04 14:02:07 UTC
amd64 stable

Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-04 17:27:57 UTC
x86 stable

Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-05 05:14:31 UTC
Stable for HPPA.

Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2009-05-06 16:06:33 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable

Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-06 18:50:18 UTC
GLSA request filed.

Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-24 18:04:14 UTC
GLSA 200905-05

Comment 16 Nick White 2009-05-25 12:16:16 UTC
Does this bug also affect freetype-1.4? I still need this for texlive, but it doesn't appear to have been patched.