Bug 141767 - media-libs/freetype Possible incomplete fix CVE-2006-1861 (CVE-2006-3467)
Summary: media-libs/freetype Possible incomplete fix CVE-2006-1861 (CVE-2006-3467)
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B3? [ebuild?] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-26 02:23 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-09-06 04:17 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
fix for CVE 2006 3467 (freetype-2.1.10-CVE-2006-3467.patch, 1.01 KB, patch)
2006-07-31 08:28 UTC, foser (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-26 02:23:49 UTC
Seems like the following bad font file is still an issue: http://scary.beasts.org/misc/bad1.pcf
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-26 02:25:07 UTC
Marinus please advise.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-26 02:27:30 UTC
Ok, this is already public :-)

Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.
Comment 3 foser (RETIRED) gentoo-dev 2006-07-31 08:28:34 UTC
Created attachment 93124
fix for CVE 2006 3467

If I add the supposed fix to 2.1.10 I still get crashes with the font attached to this bug. Can someone please confirm this?
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 07:47:40 UTC
Setting to Auditing for a patch review.
Tavis, could you have a look ?
Comment 5 Tim Yamin (RETIRED) gentoo-dev 2006-08-13 11:46:07 UTC
(In reply to comment #3)
> Created an attachment (id=93124)
> fix for CVE 2006 3467
> 
> If I add the supposed fix to 2.1.10 I still get crashes with the font attached
> to this bug. Can someone please confirm this?

foser, how are you testing? I used the supplied patch and after a rebuild of 2.1.10-r1 with the patch it no longer goes boom:

plasmaroo /tmp $ ./ftcrash ./bad1.pcf
error: 2
ftcrash: moo.c:34: main: Assertion `error == 0' failed.
Aborted
Comment 6 foser (RETIRED) gentoo-dev 2006-08-14 06:26:20 UTC
I just drop the font in my ~/.fonts dir. Starting any GUI app afterwards results in a segfault.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-19 09:23:59 UTC
plasmaroo did you get a chance to test it again?
Comment 8 Tim Yamin (RETIRED) gentoo-dev 2006-08-19 09:26:09 UTC
(In reply to comment #7)
> plasmaroo did you get a chance to test it again?

Yeah, I think foser isn't patching his freetype correctly or something is compiled with a static older version somewhere... It definitely fixes the bug for me.
Comment 9 foser (RETIRED) gentoo-dev 2006-08-30 12:22:00 UTC
Sorry for my slow update.

I'm patching fine and I'm certain I have no older versions lying around. I have been dealing with fc/ft for a long time, I know the pitfalls.

The only thing I can think of is gcc/glibc issues, but I don't see them anywhere else. So I would like to see more confirmation to be sure it's not a local problem.
Comment 10 Tavis Ormandy (RETIRED) gentoo-dev 2006-09-06 04:17:25 UTC
Marking WFM, the patch looks good to me, and I can't recreate the issue.