Bug 504088 (CVE-2014-2240) - <media-libs/freetype-2.5.3-r1 : CFF Fonts Stem Hints Processing Buffer Overflow Vulnerability (CVE-2014-2240)
Status: RESOLVED FIXED
Alias: CVE-2014-2240
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://secunia.com/advisories/57291/
Whiteboard: A2 [glsa]
Keywords:
Duplicates: 507136
Depends on: 492244 501376 501442 504212 504214 504362 504584 504788 504790 504792 504794 504796 504798 504808 504850 514522
Blocks: 506190 507148 509584 516456
Reported: 2014-03-10 14:40 UTC by Agostino Sarubbo
Modified: 2016-08-11 11:18 UTC
CC: 8 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-03-10 14:40:16 UTC
From ${URL} :

Description

A vulnerability has been reported in FreeType, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to an error in the "cf2_hintmap_build()" function (src/cff/cf2hints.c) when processing stem hints, which can be exploited to cause a stack-based buffer overflow via a specially crafted font file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 2.5.3.


Solution:
Update to version 2.5.3.

Provided and/or discovered by:
Mateusz "j00ru" Jurczyk within a bug ticket.

Original Advisory:
FreeType:
http://www.freetype.org/index.html#news

Mateusz "j00ru" Jurczyk:
http://savannah.nongnu.org/bugs/?41697


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-03-10 15:28:04 UTC
+*freetype-2.5.3 (10 Mar 2014)
+
+  10 Mar 2014; Lars Wendler <polynomial-c@gentoo.org> +freetype-2.5.3.ebuild:
+  Security bump (bug #504088).
+
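Review bot: the ChangeLog entry references only bug #504088; since this bug carries the alias CVE-2014-2240, naming the CVE in the entry as well (e.g. "Security bump (bug #504088, CVE-2014-2240).") would let the fix be located by CVE identifier in the tree history.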

We cannot simply stabilize this version as there's still tracker bug #493570 with a couple of unfixed packages...
Comment 2 Ben de Groot (RETIRED) gentoo-dev 2014-03-11 15:58:19 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #1)
> +*freetype-2.5.3 (10 Mar 2014)
> +
> +  10 Mar 2014; Lars Wendler <polynomial-c@gentoo.org>
> +freetype-2.5.3.ebuild:
> +  Security bump (bug #504088).
> +
> 
> We cannot simply stabilize this version as there's still tracker bug #493570
> with a couple of unfixed packages...

Only one remaining now. I'd like to move forward, and unmask/stablereq this tomorrow.
Comment 3 Ben de Groot (RETIRED) gentoo-dev 2014-03-16 12:15:02 UTC
Arches, please mark stable latest freetype and its reverse deps (see bugs this depends on):

=media-libs/freetype-2.5.3-r1
=media-gfx/gimp-2.8.10-r1 #504212
=media-libs/sk1libs-0.9.1-r3 #504214
=media-gfx/inkscape-0.48.4-r1 #492244
>=media-video/vlc-2.1.2 #499806
=media-libs/libbluray-0.5.0 #504788
=media-video/transcode-1.1.7-r3 #504790
>=app-emulation/wine-1.7.8 #504792
=dev-util/cmake-2.8.12.1-r4 #504794
=dev-dotnet/libgdiplus-2.10.9-r1 #504796
=dev-lang/php-5.3.28-r3 #501376
=sys-devel/gcc-4.6.4 #504798
=media-video/libav-0.8.11 #504584
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-18 19:35:00 UTC
>=media-libs/freetype-2.5.3-r1 is still in profiles/package.mask.
Comment 5 Ben de Groot (RETIRED) gentoo-dev 2014-03-21 07:49:16 UTC
(In reply to Jeroen Roovers from comment #4)
> >=media-libs/freetype-2.5.3-r1 is still in profiles/package.mask.

That was due to a multilib mess-up, which is now fixed. Please arches, go ahead.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-28 03:19:06 UTC
Stable for HPPA.
Comment 7 Ben de Groot (RETIRED) gentoo-dev 2014-04-08 22:19:27 UTC
*** Bug 507136 has been marked as a duplicate of this bug. ***
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2014-06-17 16:14:34 UTC
Stabilized these on alpha:
=media-libs/freetype-2.5.3-1
=sys-devel/gcc-4.6.4
=media-video/libav-0.8.11

Already stable on alpha:
=media-gfx/gimp-2.8.10-r1 504212
>=media-video/vlc-2.1.2
=media-video/transcode-1.1.7-r3
=dev-util/cmake-2.8.12.1-r4
=dev-lang/php-5.3.28-r3

These were never keyworded on alpha:
=media-libs/sk1libs-0.9.1-r3
=media-gfx/inkscape-0.48.4-r1
=media-libs/libbluray-0.5.0
>=app-emulation/wine-1.7.8
=dev-dotnet/libgdiplus-2.10.9-r1
Comment 9 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-06-19 08:03:03 UTC
I have allowed myself to change the topic to make the stablereq easier to find.
Comment 10 Akinori Hattori gentoo-dev 2014-06-22 14:38:10 UTC
ia64 stable
Comment 11 Pacho Ramos gentoo-dev 2014-07-02 08:08:00 UTC
For amd64 it looks like we are blocked by bug 504796 (it has arches CCed, but the giflib stabilization looks to be blocked).

Also bug 504798 needs arches CCed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-07-15 20:27:18 UTC
CVE-2014-2240 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2240):
  Stack-based buffer overflow in the cf2_hintmap_build function in
  cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a
  denial of service (crash) and possibly execute arbitrary code via a large
  number of stem hints in a font file.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2014-08-02 17:41:25 UTC
arm/sparc stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-08-02 17:50:59 UTC
ppc64 stable
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-08-02 17:53:38 UTC
@maintainers, cleanup, please!

GLSA ready for release.
Comment 16 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-08-09 19:08:22 UTC
Maintainer timeout. Cleanup done.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-08-09 19:42:14 UTC
This issue was resolved and addressed in
 GLSA 201408-02 at http://security.gentoo.org/glsa/glsa-201408-02.xml
by GLSA coordinator Mikle Kolyada (Zlogene).