
Bug 504088 (CVE-2014-2240)

Summary: <media-libs/freetype-2.5.3-r1 : CFF Fonts Stem Hints Processing Buffer Overflow Vulnerability (CVE-2014-2240)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: alexander, fonts, mgorny, multilib+disabled, nikoli, pacho, polynomial-c, yngwin
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 492244, 501376, 501442, 504212, 504214, 504362, 504584, 504788, 504790, 504792, 504794, 504796, 504798, 504808, 504850, 514522
Bug Blocks: 506190, 507148, 509584, 516456

Description Agostino Sarubbo gentoo-dev 2014-03-10 14:40:16 UTC
From ${URL} :


A vulnerability has been reported in FreeType, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to an error in the "cf2_hintmap_build()" function (src/cff/cf2hints.c) when processing stem hints, which can be exploited to cause a stack-based buffer overflow via a specially crafted font file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 2.5.3.

Update to version 2.5.3.

Provided and/or discovered by:
Mateusz "j00ru" Jurczyk within a bug ticket.

Original Advisory:

Mateusz "j00ru" Jurczyk:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-03-10 15:28:04 UTC
+*freetype-2.5.3 (10 Mar 2014)
+  10 Mar 2014; Lars Wendler <> +freetype-2.5.3.ebuild:
+  Security bump (bug #504088).

We cannot simply stabilize this version as there's still tracker bug #493570 with a couple of unfixed packages...
Comment 2 Ben de Groot (RETIRED) gentoo-dev 2014-03-11 15:58:19 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #1)
> +*freetype-2.5.3 (10 Mar 2014)
> +
> +  10 Mar 2014; Lars Wendler <>
> +freetype-2.5.3.ebuild:
> +  Security bump (bug #504088).
> +
> We cannot simply stabilize this version as there's still tracker bug #493570
> with a couple of unfixed packages...

Only one remaining now. I'd like to move forward, and unmask/stablereq this tomorrow.
Comment 3 Ben de Groot (RETIRED) gentoo-dev 2014-03-16 12:15:02 UTC
Arches, please mark stable latest freetype and its reverse deps (see bugs this depends on):

=media-gfx/gimp-2.8.10-r1 #504212
=media-libs/sk1libs-0.9.1-r3 #504214
=media-gfx/inkscape-0.48.4-r1 #492244
>=media-video/vlc-2.1.2 #499806
=media-libs/libbluray-0.5.0 #504788
=media-video/transcode-1.1.7-r3 #504790
>=app-emulation/wine-1.7.8 #504792
=dev-util/cmake- #504794
=dev-dotnet/libgdiplus-2.10.9-r1 #504796
=dev-lang/php-5.3.28-r3 #501376
=sys-devel/gcc-4.6.4 #504798
=media-video/libav-0.8.11 #504584
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-18 19:35:00 UTC
>=media-libs/freetype-2.5.3-r1 is still in profiles/package.mask.
Comment 5 Ben de Groot (RETIRED) gentoo-dev 2014-03-21 07:49:16 UTC
(In reply to Jeroen Roovers from comment #4)
> >=media-libs/freetype-2.5.3-r1 is still in profiles/package.mask.

That was due to a multilib mess-up, which is now fixed. Please arches, go ahead.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-28 03:19:06 UTC
Stable for HPPA.
Comment 7 Ben de Groot (RETIRED) gentoo-dev 2014-04-08 22:19:27 UTC
*** Bug 507136 has been marked as a duplicate of this bug. ***
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2014-06-17 16:14:34 UTC
Stabilized these on alpha:

Already stable on alpha:
=media-gfx/gimp-2.8.10-r1 504212

These were never keyworded on alpha:
Comment 9 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-06-19 08:03:03 UTC
I have allowed myself to change the topic to make the stablereq easier to find.
Comment 10 Akinori Hattori gentoo-dev 2014-06-22 14:38:10 UTC
ia64 stable
Comment 11 Pacho Ramos gentoo-dev 2014-07-02 08:08:00 UTC
For amd64 looks like we are blocked by bug 504796 (has arches CCed but giflib stabilization looks to be blocked).

Also bug 504798 needs arches CCed
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-07-15 20:27:18 UTC
CVE-2014-2240:
  Stack-based buffer overflow in the cf2_hintmap_build function in
  cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a
  denial of service (crash) and possibly execute arbitrary code via a large
  number of stem hints in a font file.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2014-08-02 17:41:25 UTC
arm/sparc stable
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-08-02 17:50:59 UTC
ppc64 stable
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-08-02 17:53:38 UTC
@maintainers, cleanup, please!

GLSA ready for release.
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-08-09 19:08:22 UTC
Maintainer timeout. Cleanup done.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-08-09 19:42:14 UTC
This issue was resolved and addressed in
 GLSA 201408-02 at
by GLSA coordinator Mikle Kolyada (Zlogene).