Bug 390623 (CVE-2011-3439)

Summary:	<media-libs/freetype-2.4.8 CID-keyed Font Parsing Vulnerabilities (CVE-2011-3439)
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	fonts, goetzger, rich0, tex
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://secunia.com/advisories/46839/
Whiteboard:	B2 [glsa]
Package list:		Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2011-11-15 16:16:24 UTC

From secunia security advisory at $URL:

Description:
The vulnerabilities are caused due to errors in src/cid/cidload.c when parsing CID-keyed Type 1 fonts. This can be exploited to corrupt memory via a specially crafted font file.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in versions prior to 2.4.8.

Solution:
Update to version 2.4.8

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2011-11-16 23:48:15 UTC

CVE-2011-3439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3439):
  FreeType in CoreGraphics in Apple iOS before 5.0.1 allows remote attackers
  to execute arbitrary code or cause a denial of service (memory corruption)
  via a crafted font in a document.

Comment 2 Ryan Hill (RETIRED) gentoo-dev

2011-11-17 01:28:42 UTC

Bumped.

Comment 3 Agostino Sarubbo gentoo-dev

2011-11-17 01:35:50 UTC

Thanks Ryan.

Arches, please test and mark stable:
=media-libs/freetype-2.4.8
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 4 Agostino Sarubbo gentoo-dev

2011-11-17 12:21:35 UTC

amd64 ok

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2011-11-18 05:22:40 UTC

Stable for HPPA.

Comment 6 Markos Chandras (RETIRED) gentoo-dev

2011-11-19 10:12:52 UTC

amd64 done. Thanks Agostino

Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2011-11-22 16:14:36 UTC

x86 stable

Comment 8 Markus Meier gentoo-dev

2011-11-23 05:54:19 UTC

arm stable

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2011-11-26 12:57:10 UTC

alpha/ia64/m68k/s390/sh/sparc stable

Comment 10 Mark Loeser (RETIRED) gentoo-dev

2011-12-18 21:50:05 UTC

ppc/ppc64 done

Comment 11 Tim Sammut (RETIRED) gentoo-dev

2011-12-18 21:52:27 UTC

Thanks, everyone. Added to existing GLSA request.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2012-01-23 20:35:59 UTC

This issue was resolved and addressed in
 GLSA 201201-09 at http://security.gentoo.org/glsa/glsa-201201-09.xml
by GLSA coordinator Sean Amoss (ackle).

Comment 13 Jeroen Roovers (RETIRED) gentoo-dev

2012-01-27 15:43:10 UTC

*** Bug 400883 has been marked as a duplicate of this bug. ***

Comment 14 Tim Sammut (RETIRED) gentoo-dev

2012-01-29 05:57:55 UTC

@fonts, @tex.

Bug 400883 was opened because a GLSA [1] indicates that freetype 1 is affected by these vulnerabilities. If not these vulnerabilities, it is most likely affected by /some/ vulnerabilities. 

What options do we have for freetype:1 given its lack of upstream support [2] and the small number of packages that require it? I believe only games-action/heavygear2 and app-text/texlive depend on freetype:1.

Or do we do nothing, leave freetype:1 and texlive as is and reported as vulnerable by glsa-check?

Thanks much.

[1] http://www.gentoo.org/security/en/glsa/glsa-201201-09.xml
[2] http://www.freetype.org/freetype1/index.html

Comment 15 Ryan Hill (RETIRED) gentoo-dev

2012-02-05 19:19:08 UTC

First determine that freetype:1 is actually vulnerable.

Comment 16 Ryan Hill (RETIRED) gentoo-dev

2012-02-05 19:50:07 UTC

I don't think this version supported CID-keyed fonts.  The only mention of them I can find is in a comment.

Comment 17 Tim Sammut (RETIRED) gentoo-dev

2012-02-05 21:06:30 UTC

(In reply to comment #15)
> First determine that freetype:1 is actually vulnerable.

It may or may not be vulnerable to this issue, but is likely vulnerable to at least one of the 2.x vulnerabilities that have been disclosed since support for freetype:1 stopped. 

Is moving away from freetype:1 an option, or do we need to look at all the recent freetype:2 vulnerabilities to see which apply?