Bug 616730 (CVE-2016-10328, CVE-2017-7857, CVE-2017-7858, CVE-2017-7864, CVE-2017-8105, CVE-2017-8287)

Summary: <media-libs/freetype-2.8: multiple overflows
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: nobrowser, polynomial-c, yngwin
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Flags: stable-bot: sanity-check+
Hardware: All
OS: Linux
Whiteboard: A2 [glsa cve glsa]
Package list: =media-libs/freetype-2.8
Runtime testing required: ---

Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-04-28 00:39:54 UTC
CVE ID: CVE-2016-10328
Summary: FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c.
Published: 2017-04-14T04:59:00.000Z

______________________________

CVE ID: CVE-2017-7857
Summary: FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.
Published: 2017-04-14T04:59:00.000Z

______________________________

CVE ID: CVE-2017-7858
Summary: FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.
Published: 2017-04-14T04:59:00.000Z

______________________________

CVE ID: CVE-2017-7864
Summary: FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.
Published: 2017-04-14T04:59:00.000Z
Comment 2 Agostino Sarubbo gentoo-dev 2017-04-28 12:34:03 UTC
Other overflows were published:

https://bugzilla.redhat.com/show_bug.cgi?id=1446500
https://bugzilla.redhat.com/show_bug.cgi?id=1446073
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-04-28 20:55:20 UTC
CVE ID: CVE-2017-8105
Summary: FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.
Published: 2017-04-24T18:59:00.000Z

______________________________

CVE ID: CVE-2017-8287
Summary: FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c.
Published: 2017-04-27T00:59:00.000Z
Comment 4 Coacher 2017-05-13 19:18:27 UTC
freetype-2.8 was released, which addresses the aforementioned CVEs [1].

[1]: https://www.mail-archive.com/freetype-announce@nongnu.org/msg00109.html
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-05-13 21:41:49 UTC
commit 2c4546adc0bcf78c07d372591cbf38fef22deee2
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sat May 13 23:37:58 2017

    media-libs/freetype: Security bump to version 2.8 (bug #616730).

    Package-Manager: Portage-2.3.5, Repoman-2.3.2


This release also introduced a bunch of new features and some changes in the hinting engines so I'd like to wait one or two days (in case some new bugs get found) before I call for stabilization.
Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-05-16 07:17:33 UTC
Arches please test and mark stable =media-libs/freetype-2.8 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt
Comment 7 Agostino Sarubbo gentoo-dev 2017-05-16 12:25:15 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-05-16 12:58:11 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-05-16 13:06:14 UTC
ppc64 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2017-05-18 07:21:17 UTC
Stable for HPPA.
Comment 11 Andrew Petelin 2017-05-18 17:49:03 UTC
After updating from freetype-2.7.1-r2 to 2.8, I noticed 'Terminus' font was renamed and became 'xos4 Terminus', so font settings became inconsistent in some end-user GUI applications using this font: terminal emulators, gvim, gitk.

freetype-2.7.1-r2:

> $ fc-list | grep -i terminus
> /usr/share/fonts/terminus/ter-x18n.pcf.gz: Terminus:style=Regular
> ...
> /usr/share/fonts/terminus/ter-x12b.pcf.gz: Terminus:style=Bold
> ...

freetype-2.8:

> $ fc-list | grep -i terminus
> /usr/share/fonts/terminus/ter-x18n.pcf.gz: xos4 Terminus:style=Regular
> ...
> /usr/share/fonts/terminus/ter-x12b.pcf.gz: xos4 Terminus:style=Bold
> ...

Was it intended, or is it a bug?
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-05-18 22:23:08 UTC
(In reply to Andrew Petelin from comment #11)
> After updating from freetype-2.7.1-r2 to 2.8,

File a new bug report.
Comment 13 Michael Weber (RETIRED) gentoo-dev 2017-05-18 23:48:28 UTC
arm64 stable.
Comment 14 Michael Weber (RETIRED) gentoo-dev 2017-05-19 00:12:49 UTC
ppc stable.
Comment 15 Andrew Petelin 2017-05-19 10:36:58 UTC
(In reply to Jeroen Roovers from comment #12)
> File a new bug report.

https://bugs.gentoo.org/show_bug.cgi?id=618918
Comment 16 Agostino Sarubbo gentoo-dev 2017-05-22 11:41:07 UTC
sparc stable
Comment 17 Tobias Klausmann (RETIRED) gentoo-dev 2017-05-22 13:25:43 UTC
Stable on alpha.
Comment 18 Markus Meier gentoo-dev 2017-05-26 18:30:32 UTC
arm stable
Comment 19 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 14:02:50 UTC
Added to an existing GLSA.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 20:10:33 UTC
This issue was resolved and addressed in
 GLSA 201706-14 at https://security.gentoo.org/glsa/201706-14
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 21 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-19 15:03:07 UTC
ia64 stable
Comment 22 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-19 15:04:27 UTC
Any reason why older versions were not masked?
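The masking question above is the practical caveat of this bug: marking =media-libs/freetype-2.8 stable does not change what is already installed on a host, and a host is only fixed once no installed version falls inside the `<media-libs/freetype-2.8` range given in the summary. The following is an added example, not part of this bug report and not Portage's own code: it implements the Package Manager Specification version ordering for the common version syntax (numeric components, optional letter, _alpha/_beta/_pre/_rc/_p suffixes, -rN revision), matches a `cat/pkg-ver` string against a comparison atom, and runs that check over a constructed list of installed packages. The `INSTALLED_SAMPLE` list, including the 2.8_rc1 entry, is made up for illustration; wildcard (`*`) and `~` atoms are deliberately not handled.

```python
"""Check installed Gentoo packages against a vulnerable-range atom such as the
"<media-libs/freetype-2.8" range from this bug's summary.

Added example for this page, not Portage's own code. Version ordering follows
the Package Manager Specification rules for the common version syntax; wildcard
(*) and ~ atoms are deliberately not handled.
"""
import re

# Rank of a version suffix; "" stands for "no suffix" and sorts between _rc and _p.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z]?)"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)
# category/package-version, optionally prefixed by a comparison operator.
_ATOM_RE = re.compile(
    r"^(?P<op><=|>=|<|>|=)?(?P<cat>[A-Za-z0-9+_.-]+)/"
    r"(?P<pkg>[A-Za-z0-9+_-]+?)-(?P<ver>\d\S*)$"
)


def parse_version(ver):
    """Split '2.7.1_rc1-r2' into (['2', '7', '1'], '', [(3, 1)], 2)."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {ver!r}")
    suffixes = [(_SUFFIX_RANK[name], int(num or 0))
                for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))]
    return m.group("nums").split("."), m.group("letter"), suffixes, int(m.group("rev") or 0)


def _cmp(a, b):
    return (a > b) - (a < b)


def _cmp_numeric(a, b):
    """PMS numeric-component ordering: the first component compares as an integer;
    later ones compare as strings (trailing zeros stripped) when either has a
    leading zero (1.01 < 1.1), otherwise as integers (1.9 < 1.10); when all
    shared components are equal, the version with more components is newer."""
    for i, (x, y) in enumerate(zip(a, b)):
        if i > 0 and (x.startswith("0") or y.startswith("0")):
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    return _cmp(len(a), len(b))


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    c = _cmp_numeric(na, nb)
    if c:
        return c
    c = _cmp(la, lb)                      # "" < "a" < "b"
    if c:
        return c
    n = max(len(sa), len(sb))
    pad = (_SUFFIX_RANK[""], 0)           # a missing suffix ranks as "no suffix"
    c = _cmp(sa + [pad] * (n - len(sa)), sb + [pad] * (n - len(sb)))
    if c:
        return c
    return _cmp(ra, rb)


def atom_matches(atom, cpv):
    """True if the installed 'cat/pkg-ver' string satisfies the comparison atom."""
    a, p = _ATOM_RE.match(atom), _ATOM_RE.match(cpv)
    if a is None or p is None or p.group("op"):
        raise ValueError(f"cannot parse atom {atom!r} or package {cpv!r}")
    if (a.group("cat"), a.group("pkg")) != (p.group("cat"), p.group("pkg")):
        return False
    c = compare_versions(p.group("ver"), a.group("ver"))
    op = a.group("op") or "="
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">": c > 0}[op]


def find_vulnerable(installed, atom):
    """Installed cat/pkg-ver strings that fall inside the vulnerable atom."""
    return [cpv for cpv in installed if atom_matches(atom, cpv)]


# Constructed sample of installed packages (not read from a real system).
INSTALLED_SAMPLE = [
    "media-libs/freetype-2.7.1-r2",
    "media-libs/freetype-2.8_rc1",   # hypothetical version, for the suffix rule
    "media-libs/freetype-2.8",
    "media-libs/fontconfig-2.12.1-r1",
]

if __name__ == "__main__":
    for cpv in find_vulnerable(INSTALLED_SAMPLE, "<media-libs/freetype-2.8"):
        print("still vulnerable:", cpv)
```

On a real system the `INSTALLED_SAMPLE` list would be replaced by the output of `qlist -Iv` (app-portage/portage-utils) or the `category/package-version` directory names under /var/db/pkg. The suffix padding is what makes 2.8 rank above 2.8_rc1 but below 2.8_p1, which matters when a fixed release carries a suffix and a naive string comparison would misorder it.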