Bug 124828 - media-libs/freetype: integer overflows (CVE-2006-{0747|1861|2493|2661})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.freetype.org/index2.html#r...
Whiteboard: A2 [glsa] jaervosz
Keywords:
Duplicates: 133158 134011
Depends on:
Blocks:
 
Reported: 2006-03-03 10:23 UTC by Thierry Carrez (RETIRED)
Modified: 2008-03-06 09:31 UTC
CC List: 7 users

See Also:
Package list:
Runtime testing required: ---


Attachments
issue_1.patch (897 bytes, patch), 2006-05-03 23:18 UTC, Sune Kloppenborg Jeppesen
issue_2.patch (2.70 KB, patch), 2006-05-03 23:19 UTC, Sune Kloppenborg Jeppesen
issue_3.patch (908 bytes, patch), 2006-05-03 23:20 UTC, Sune Kloppenborg Jeppesen
issue_4.patch (4.38 KB, patch), 2006-05-03 23:20 UTC, Sune Kloppenborg Jeppesen
issue_5.patch (5.92 KB, patch), 2006-05-03 23:21 UTC, Sune Kloppenborg Jeppesen
issue_6.patch (1.19 KB, patch), 2006-05-03 23:21 UTC, Sune Kloppenborg Jeppesen
array.patch (57.34 KB, patch), 2006-05-05 08:20 UTC, Sune Kloppenborg Jeppesen
CVE-2006-0747_integer-underflows.diff (1.04 KB, patch), 2006-06-13 21:07 UTC, Donnie Berkholz (RETIRED)
CVE-2006-0747_nullpointer-deref.diff (1.14 KB, patch), 2006-06-13 21:08 UTC, Donnie Berkholz (RETIRED)
CVE-2006-1861_integer-overflows.diff (4.25 KB, patch), 2006-06-13 21:08 UTC, Donnie Berkholz (RETIRED)
CVE-2006-2493_integer-overflows.diff (4.21 KB, patch), 2006-06-13 21:09 UTC, Donnie Berkholz (RETIRED)
freetype-2.1.10-r1.ebuild (2.04 KB, patch), 2006-06-13 21:09 UTC, Donnie Berkholz (RETIRED)

Description Thierry Carrez (RETIRED) gentoo-dev 2006-03-03 10:23:12 UTC
Fuzz testing by Josh Bressers (Red Hat) uncovered an integer overflow issue in freetype2.

CVE-2006-0747:
http://cvs.savannah.gnu.org/viewcvs/freetype/freetype2/src/pshinter/pshglob.c?r1=1.30&r2=1.31&makepatch=1&diff_format=h
http://cvs.savannah.gnu.org/viewcvs/freetype/freetype2/src/cff/cffload.c?r1=1.73&r2=1.74&makepatch=1&diff_format=h
http://cvs.savannah.gnu.org/viewcvs/freetype/freetype2/src/type1/t1load.c?r1=1.104&r2=1.105&makepatch=1&diff_format=h

"Normally I wouldn't think this is exploitable as it should crash before anything exciting can happen; most graphical applications are multi-threaded, so this does worry me. At the very least this issue is a denial of service bug."

NO-CVE-ID:
http://cvs.savannah.gnu.org/viewcvs/freetype/freetype2/src/base/ftutil.c?r1=1.17&r2=1.18&makepatch=1&diff_format=h

"I'm not going to give this one a CVE id, I don't envision it DoSing anything other than end user desktop applications."

foser: please apply patches and silently reference this bug. This will be fully public on March 22.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-03-03 10:25:17 UTC
Setting status
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-03-05 07:34:53 UTC
In fact, more is coming: Chris Evans found a few exploitable integer overflows in font parsers. The March 22 date has been cancelled pending more details. Let's wait a little.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-03-28 09:26:31 UTC
Details for the Chris Evans part:
http://scary.beasts.org/security/63ddacf7d2224298/CESA-2006-001.html

Still no disclosure date, though the Freetype people said they would probably commit the fixes in their CVS soon.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-04-28 12:39:33 UTC
A new release is coming up next week. We should be able to derive a patch soon.
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-03 23:17:37 UTC
The following is by Josh Bressers from Red Hat:

I'm attaching patches for what I've found along with the CVE ids and
descriptions.  The descriptions come from the commit messages.  I think
I've classified all these correctly, it's possible I've not, speak up if
you think I'm wrong.



* DoS

    #1
    * src/sfnt/ttkern.c (tt_face_get_kerning): fixed a serious bug
      that caused some programs to go into an infinite loop when dealing with
      fonts that don't have a properly sorted kerning sub-table

* Integer overflow

Issues 2, 3, 4, and 6 are CVE-2006-1861

    #2
    * src/bdf/bdflib.c (ERRMSG4): New macro.
      (_bdf_parse_glyphs): Handle invalid BBX values.
    * include/freetype/fterrdef.h (FT_Err_Bbx_Too_Big): New error
      macro.

    #3
    * src/sfnt/ttcmap.c (tt_face_build_cmaps): Handle invalid offset
    correctly.

    #4
    * src/cff/cfftypes.h (CFF_CharsetRec): Add `max_cid' member.
    * src/cff/cffload.c (cff_charset_load): Set `charset->max_cid'.
    * src/cff/cffgload.c (cff_slot_load): Change type of third parameter
    to `FT_UInt'.
    Check range of `glyph_index'.
    * src/cff/cffgload.h: Updated.

    #6
    * src/bdf/bdflib.c: fixed a problem with large encodings.
    Again, this patch comes from Debian libfreetype6 for 2.1.10!

    #5
    This issue has no CVE id, it won't get one.
    * src/base/ftutil.c: ft_mem_alloc and related functions now return
    an error if a negative size is passed in parameters.

The issues below are CVE-2006-0747
    * src/cache/ftccache.c: make ftc_node_destroy FT_BASE_DEF, it needs
    to be exported for rogue clients
    * src/pshinter/pshglob.c: prevent problems with malformed fonts which
    have an odd number of blue values (these are broken according to the
    specs).
    * src/cff/cffload.c, src/type1/t1load.c: modify the loaders to force
    even-ness of 'num_blue_values'. Also change the CFF loader so that
    invalid entries in index files are ignored.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-03 23:18:50 UTC
Created attachment 86118
issue_1.patch
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-03 23:19:20 UTC
Created attachment 86119
issue_2.patch
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-03 23:20:02 UTC
Created attachment 86120
issue_3.patch
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-03 23:20:45 UTC
Created attachment 86121
issue_4.patch
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-03 23:21:07 UTC
Created attachment 86122
issue_5.patch
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-03 23:21:27 UTC
Created attachment 86123
issue_6.patch
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-05 03:55:19 UTC
2.2.1 should be released soon to address these problems. 

The patches above are apparently not enough, let me know if you want to patch instead of bumping to 2.2.1 and I'll attach the latest patch I have.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-05 04:03:41 UTC
2.2 snapshot is available at URI.
Comment 14 foser (RETIRED) gentoo-dev 2006-05-05 04:07:32 UTC
2.1 needs to be patched for sure, the changes between it and 2.2 are too extensive. Some packs in the tree will not build with 2.2.

I'll have a look at it today, there's some more things I should fix in freetype and I was waiting for this bug to deal with it.
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-05 08:20:32 UTC
Created attachment 86201
array.patch

The last patch (I think).

Patch for the following changelog entry extracted by Josh Bressers from Red Hat.

2006-05-02  David Turner  <david@freetype.org>
 
     Update the memory management functions and macros to safely deal
     with array size buffer overflows.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2006-05-09 10:11:17 UTC
foser: any news on this? This should get public soon, so better have an ebuild ready.
Comment 17 foser (RETIRED) gentoo-dev 2006-05-09 11:19:07 UTC
I was unable to apply the array patch to 2.1.10, too extensive. Sune suggested we wait to see what other distros would come up with.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2006-05-13 11:00:19 UTC
Public @ http://www.freetype.org/index2.html#release-freetype-2.2.1
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2006-05-13 11:01:12 UTC
*** Bug 133158 has been marked as a duplicate of this bug. ***
Comment 20 foser (RETIRED) gentoo-dev 2006-05-14 03:10:41 UTC
Well, as indicated before, I can't patch 2.1.10 all the way and it is a no-go to make 2.2 stable immediately because quite a few packs won't build with it and the internal changes have been extensive. So what would you advise?
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2006-05-14 07:07:52 UTC
We apparently aren't the only ones caught in the "I only work on the latest version" Freetype stance. So we should probably wait-for and/or collaborate-with other distros to make up a 2.1.10 patch.

If I understand correctly, the problem with the array.patch is that it's extracted from the 2.2 -> 2.2.1 changes so it doesn't apply to 2.1 cleanly (and the changes are too extensive for us to be able to adapt it), right?
Comment 22 foser (RETIRED) gentoo-dev 2006-05-14 07:51:30 UTC
Correct. I'm not saying it's impossible to adapt, but it's a bit over the top and would ideally require an understanding of freetype that I do not possess. IIRC it interferes with the issue_x patches and patches stuff that does not yet exist (in the same form) in the 2.1 codebase.

The issue_x patches don't apply all that clean either, but I got those to work.

I'm just hoping some paid RH/Ubuntu/Novell folk get around to it soon.

To me the question is if you want the partially patched ft-2.1.10 or none at all at this point in time. 2.2 will be added, but masked.
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2006-05-14 09:58:59 UTC
Better wait and patch them all.

We'll try to look for help on v-s, otherwise we'll dissect the security patches from the others when they will be out.
Comment 24 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-22 07:35:32 UTC
*** Bug 134011 has been marked as a duplicate of this bug. ***
Comment 25 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-08 09:42:37 UTC
Ubuntu fixed this today:

http://www.ubuntu.com/usn/usn-291-1
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-11 13:27:01 UTC
DSA 1095-1
patch against 2.1.7:
http://security.debian.org/pool/updates/main/f/freetype/freetype_2.1.7-2.5.diff.gz
Comment 27 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-13 01:50:36 UTC
foser, can you provide new ebuilds with the debian patches?
Comment 28 Donnie Berkholz (RETIRED) gentoo-dev 2006-06-13 21:07:47 UTC
Created attachment 89111
CVE-2006-0747_integer-underflows.diff

Patch 1 of 4
Comment 29 Donnie Berkholz (RETIRED) gentoo-dev 2006-06-13 21:08:10 UTC
Created attachment 89112
CVE-2006-0747_nullpointer-deref.diff

Patch 2 of 4
Comment 30 Donnie Berkholz (RETIRED) gentoo-dev 2006-06-13 21:08:41 UTC
Created attachment 89113
CVE-2006-1861_integer-overflows.diff

Patch 3 of 4
Comment 31 Donnie Berkholz (RETIRED) gentoo-dev 2006-06-13 21:09:13 UTC
Created attachment 89114
CVE-2006-2493_integer-overflows.diff

Patch 4 of 4
Comment 32 Donnie Berkholz (RETIRED) gentoo-dev 2006-06-13 21:09:50 UTC
Created attachment 89115
freetype-2.1.10-r1.ebuild
Comment 33 foser (RETIRED) gentoo-dev 2006-06-19 01:58:17 UTC
Sorry for my lack of involvement, I've been too busy. I'll try to get this in tonight.
Comment 34 foser (RETIRED) gentoo-dev 2006-06-19 10:12:23 UTC
so they only did the overflows as well.. I could've done that ages ago.
Comment 35 Guillaume Castagnino 2006-06-20 05:43:41 UTC
Sorry, but upgrading to freetype-2.1.10-r1.ebuild makes all my KDE apps crash the xorg server (yes, the xorg server, not only the KDE app).
Reverting to 2.1.10 solves the problem.

One of the patches here must be wrong.

My emerge info:
Comment 36 foser (RETIRED) gentoo-dev 2006-06-20 05:52:01 UTC
I was worried about that, that's why I put it out to test for a bit. If you comment out the revert_pointer patch, does that fix the crashing?
Comment 37 Guillaume Castagnino 2006-06-20 08:58:08 UTC
(In reply to comment #36)
> I was worried about that, that's why I put it out to test for a bit. If you
> comment out the revert_pointer patch, does that fix the crashing?

No, commenting this patch does not solve the problem with the kde apps.
The only way to solve it is to comment the security patch (${FILESDIR}/${P}-security_batch.patch)...
Comment 38 foser (RETIRED) gentoo-dev 2006-06-20 09:09:32 UTC
Can you get a backtrace (with debug info) from a crashing app?
Comment 39 Guillaume Castagnino 2006-06-20 10:18:21 UTC
(In reply to comment #38)
> Can you get a backtrace (with debug info) from a crashing app?

Sorry, but when I launch a KDE (or Qt, which also crashes) app with gdb, after the crash gdb reports "no stack" when I use the "bt" command.

I have currently tested launching a twm session, then:
DISPLAY=:0 gdb /usr/qt/3/bin/qtconfig (or /usr/kde/3.5/bin/kcalc for example)
run
<go to the X session to set the window position>
<Xorg crash>
<return to gdb tty>
bt
-> empty stack

freetype is compiled with debug info (-ggdb and FEATURES nostrip).
Do you have another idea to get a backtrace?

The Xorg log reports this error:
> Backtrace:
> 0: /usr/bin/X(xf86SigHandler+0xa4) [0x80e74e4]
>
> Fatal server error:
> Caught signal 8.  Server aborting

Should I also recompile xorg-server with debug info?
Comment 40 Guillaume Castagnino 2006-06-21 13:16:40 UTC
I finally got it using gdb on the X process:

(gdb) bt
#0  0x40128fa8 in ft_raster1_render (render=0x84b7be8, slot=0x84d9220,
    mode=FT_RENDER_MODE_MONO, origin=0x0) at ftrend1.c:179
#1  0x400ed8de in FT_Render_Glyph_Internal (library=0x84a8048, slot=0x84d9220,
    render_mode=FT_RENDER_MODE_MONO) at ftobjs.c:2898
#2  0x400ed99f in FT_Render_Glyph (slot=0x84d9220,
    render_mode=FT_RENDER_MODE_MONO) at ftobjs.c:2938
#3  0x40065106 in FreeTypeRegisterFontFileFunctions ()
   from /usr/lib/libXfont.so.1
#4  0xbfe10900 in ?? ()
#5  0x00000000 in ?? ()

So the problem is the part of CVE-2006-2493_integer-overflows.diff concerning ftrend1.c.

Removing this part of the patch solves the problem:
# diff -U3 freetype-2.1.10-security_batch.patch.orig freetype-2.1.10-security_batch.patch
--- freetype-2.1.10-security_batch.patch.orig   2006-06-21 22:06:50.000000000 +0200
+++ freetype-2.1.10-security_batch.patch        2006-06-21 22:07:00.000000000 +0200
@@ -233,27 +233,6 @@
      {
        FT_Int         reference, delta;
        FT_UInt        count;
-diff -uNr -x '*.orig' freetype-2.1.10/src/raster/ftrend1.c freetype-2.1.10.patched/src/raster/ftrend1.c
---- freetype-2.1.10/src/raster/ftrend1.c       2005-05-11 17:01:49.000000000 +0200
-+++ freetype-2.1.10.patched/src/raster/ftrend1.c       2006-06-19 19:16:07.000000000 +0200
-@@ -21,6 +21,7 @@
- #include FT_OUTLINE_H
- #include "ftrend1.h"
- #include "ftraster.h"
-+#include <limits.h>
-
- #include "rasterrs.h"
-
-@@ -175,6 +176,9 @@
-     bitmap->rows  = height;
-     bitmap->pitch = pitch;
-
-+    if ((FT_ULong)pitch > LONG_MAX/height)
-+      goto Exit;
-+
-     if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )
-       goto Exit;
-
 diff -uNr -x '*.orig' freetype-2.1.10/src/sfnt/ttcmap.c freetype-2.1.10.patched/src/sfnt/ttcmap.c
 --- freetype-2.1.10/src/sfnt/ttcmap.c  2005-05-11 16:37:40.000000000 +0200
 +++ freetype-2.1.10.patched/src/sfnt/ttcmap.c  2006-06-19 19:16:01.000000000 +0200

After this modification, all goes OK!
Comment 41 Guillaume Castagnino 2006-06-21 13:19:04 UTC
Sorry, I forgot to paste the error type. It's an arithmetic exception:

Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 1076703280 (LWP 7974)]
0x40128fa8 in ft_raster1_render (render=0x84b7be8, slot=0x84d9220,
    mode=FT_RENDER_MODE_MONO, origin=0x0) at ftrend1.c:179
Comment 43 Guillaume Castagnino 2006-06-22 00:51:53 UTC
Here is more investigation:

Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 1076703280 (LWP 20070)]
0x40128fa8 in ft_raster1_render (render=0x84bec78, slot=0x84dbe50, mode=FT_RENDER_MODE_MONO, origin=0x0)
    at /var/tmp/portage/freetype-2.1.10-r1/work/freetype-2.1.10/src/raster/ftrend1.c:179
179     /var/tmp/portage/freetype-2.1.10-r1/work/freetype-2.1.10/src/raster/ftrend1.c: Aucun fichier ou répertoire de ce type.
        in /var/tmp/portage/freetype-2.1.10-r1/work/freetype-2.1.10/src/raster/ftrend1.c
(gdb) p height
$1 = 0
(gdb) p pitch
$2 = 0
(gdb) p cbox
$3 = {xMin = 0, yMin = 0, xMax = 0, yMax = 0}
(gdb) p *outline
$6 = {n_contours = 0, n_points = 0, points = 0x0, tags = 0x0, contours = 0x0, flags = 260}

In the source code, height comes from:
150     height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
cbox comes from the outline:
141     /* compute the control box, and grid fit it */
142     FT_Outline_Get_CBox( outline, &cbox );

So at line 179:
179     if ((FT_ULong)pitch > LONG_MAX/height)
there is a division by zero.

Pointing to the CVE advisory:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2493

It seems that this patch should not be used...
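The division by zero traced in the gdb session above, as an added example that is not FreeType's code or any of the patches attached to this bug: a stand-in for the size guard that the CVE-2006-2493 backport placed at ftrend1.c:179, beside a hardened version that treats an empty outline (height 0) as a zero-byte buffer instead of dividing by it, while still rejecting a pitch * height product that would not fit in a long. The typedefs FT_ULong and FT_UInt are redefined locally, and the function names and sample glyph metrics are this example's own constructions.

```c
#include <limits.h>
#include <stdio.h>

/* Local stand-ins for FreeType's integer typedefs (not the real headers). */
typedef unsigned long FT_ULong;
typedef unsigned int  FT_UInt;

enum guard_result {
    GUARD_OK,          /* pitch * height fits in a long; allocation may proceed */
    GUARD_OVERFLOW,    /* product would exceed LONG_MAX; refuse to allocate */
    GUARD_DIV_BY_ZERO  /* the backported check divides by zero at this point */
};

/* The guard as backported to ftrend1.c:179. It evaluates LONG_MAX/height
 * unconditionally, so an empty outline (cbox all zero, pitch 0, height 0)
 * raises SIGFPE. Here the outcome is reported instead of performing the
 * division, so the function is safe to call. */
enum guard_result backported_guard(FT_ULong pitch, FT_UInt height)
{
    if (height == 0)
        return GUARD_DIV_BY_ZERO;              /* the real code crashes here */
    if (pitch > (FT_ULong)LONG_MAX / height)
        return GUARD_OVERFLOW;
    return GUARD_OK;
}

/* Hardened guard: a zero height or pitch means a zero-byte buffer, which
 * cannot overflow and needs no division. Otherwise the product is tested
 * without being computed, so the check itself can never wrap. */
enum guard_result hardened_guard(FT_ULong pitch, FT_UInt height)
{
    if (height == 0 || pitch == 0)
        return GUARD_OK;
    if (pitch > (FT_ULong)LONG_MAX / height)
        return GUARD_OVERFLOW;
    return GUARD_OK;
}

/* The byte count FT_ALLOC would be asked for, computed only after the
 * hardened guard passes. Sets *ok = 0 and returns 0 when refused. */
FT_ULong bitmap_buffer_size(FT_ULong pitch, FT_UInt height, int *ok)
{
    if (hardened_guard(pitch, height) != GUARD_OK) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return pitch * height;  /* <= LONG_MAX, so no wrap-around */
}

int main(void)
{
    /* Constructed cases: the empty outline from the gdb session above, an
     * ordinary 8-byte-pitch, 16-row mono glyph, and a pitch that overflows. */
    struct { const char *name; FT_ULong pitch; FT_UInt height; } cases[] = {
        { "empty outline (height 0)", 0, 0 },
        { "8x16 mono glyph", 8, 16 },
        { "oversized glyph", (FT_ULong)LONG_MAX / 2 + 1, 2 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int ok;
        FT_ULong n = bitmap_buffer_size(cases[i].pitch, cases[i].height, &ok);
        printf("%-26s backported=%d hardened=%d bytes=%lu ok=%d\n",
               cases[i].name, backported_guard(cases[i].pitch, cases[i].height),
               hardened_guard(cases[i].pitch, cases[i].height), n, ok);
    }
    return 0;
}
```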
Comment 44 foser (RETIRED) gentoo-dev 2006-06-22 05:30:45 UTC
Progress has been made in #137388 with a new patchset, which should tackle all the security issues.

According to http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2493 , 2493 is really 1861 and the patch is unneeded.

Comment 45 foser (RETIRED) gentoo-dev 2006-06-29 09:20:46 UTC
There have been no more problem reports with the current patchset in freetype-2.1.10-r2, here or in #137388, so I think it can go stable. Thanks everyone for your input and work so far.
Comment 46 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-30 09:07:41 UTC
Arches please test and mark stable.
Comment 47 Markus Rothe (RETIRED) gentoo-dev 2006-06-30 12:24:46 UTC
ppc64 stable
Comment 48 Lars Weiler (RETIRED) gentoo-dev 2006-07-01 01:05:42 UTC
Stable on ppc.
Comment 49 Thomas Cort (RETIRED) gentoo-dev 2006-07-01 11:46:59 UTC
alpha stable.
Comment 50 Thomas Cort (RETIRED) gentoo-dev 2006-07-02 20:57:36 UTC
amd64 stable.
Comment 51 Gustavo Zacarias (RETIRED) gentoo-dev 2006-07-03 10:53:16 UTC
sparc stable.
Comment 52 Jesus de Santos Garcia 2006-07-03 16:52:50 UTC
media-libs/freetype-2.1.10-r2  USE="zlib -bindist -doc" 0 kB

compiling and working fine in x86
Comment 53 Joshua Jackson (RETIRED) gentoo-dev 2006-07-03 22:24:55 UTC
x86 is gone ^.^
Comment 54 René Nussbaumer (RETIRED) gentoo-dev 2006-07-04 04:46:49 UTC
already stable on hppa
Comment 55 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-07-04 06:59:30 UTC
hi everyone,

this one is ready for glsa
Comment 56 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-09 09:38:29 UTC
Thx everyone.

GLSA 200607-02

arm, ia64, s390 don't forget to mark stable to benefit from the GLSA.
Comment 57 Joshua Kinard gentoo-dev 2006-09-03 20:48:33 UTC
2.1.10-r2 stable on mips.
Comment 58 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:31:17 UTC
Does not affect current (2008.0) release. Removing release.