Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 390623 (CVE-2011-3439) - <media-libs/freetype-2.4.8 CID-keyed Font Parsing Vulnerabilities (CVE-2011-3439)
Summary: <media-libs/freetype-2.4.8 CID-keyed Font Parsing Vulnerabilities (CVE-2011-3...
Status: RESOLVED FIXED
Alias: CVE-2011-3439
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46839/
Whiteboard: B2 [glsa]
Keywords:
: 400883 (view as bug list)
Depends on:
Blocks:
 
Reported: 2011-11-15 16:16 UTC by Agostino Sarubbo
Modified: 2012-04-18 17:20 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-11-15 16:16:24 UTC 
From secunia security advisory at $URL:

Description:
The vulnerabilities are caused due to errors in src/cid/cidload.c when parsing CID-keyed Type 1 fonts. This can be exploited to corrupt memory via a specially crafted font file.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in versions prior to 2.4.8.

Solution:
Update to version 2.4.8
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-11-16 23:48:15 UTC 
CVE-2011-3439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3439):
  FreeType in CoreGraphics in Apple iOS before 5.0.1 allows remote attackers
  to execute arbitrary code or cause a denial of service (memory corruption)
  via a crafted font in a document.
Comment 2 Ryan Hill (RETIRED) gentoo-dev 2011-11-17 01:28:42 UTC 
Bumped.
Comment 3 Agostino Sarubbo gentoo-dev 2011-11-17 01:35:50 UTC 
Thanks Ryan.

Arches, please test and mark stable:
=media-libs/freetype-2.4.8
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-11-17 12:21:35 UTC 
amd64 ok
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-18 05:22:40 UTC 
Stable for HPPA.
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2011-11-19 10:12:52 UTC 
amd64 done. Thanks Agostino
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-11-22 16:14:36 UTC 
x86 stable
Comment 8 Markus Meier gentoo-dev 2011-11-23 05:54:19 UTC 
arm stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-11-26 12:57:10 UTC 
alpha/ia64/m68k/s390/sh/sparc stable
Comment 10 Mark Loeser (RETIRED) gentoo-dev 2011-12-18 21:50:05 UTC 
ppc/ppc64 done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-12-18 21:52:27 UTC 
Thanks, everyone. Added to existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:35:59 UTC 
This issue was resolved and addressed in
 GLSA 201201-09 at http://security.gentoo.org/glsa/glsa-201201-09.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2012-01-27 15:43:10 UTC 
*** Bug 400883 has been marked as a duplicate of this bug. ***
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2012-01-29 05:57:55 UTC 
@fonts, @tex.

Bug 400883 was opened because a GLSA [1] indicates that freetype 1 is affected by these vulnerabilities. If not these vulnerabilities, it is most likely affected by /some/ vulnerabilities. 

What options do we have for freetype:1 given its lack of upstream support [2] and the small number of packages that require it? I believe only games-action/heavygear2 and app-text/texlive depend on freetype:1.

Or do we do nothing, leave freetype:1 and texlive as is and reported as vulnerable by glsa-check?

Thanks much.

[1] http://www.gentoo.org/security/en/glsa/glsa-201201-09.xml
[2] http://www.freetype.org/freetype1/index.html
Comment 15 Ryan Hill (RETIRED) gentoo-dev 2012-02-05 19:19:08 UTC 
First determine that freetype:1 is actually vulnerable.
Comment 16 Ryan Hill (RETIRED) gentoo-dev 2012-02-05 19:50:07 UTC 
I don't think this version supported CID-keyed fonts.  The only mention of them I can find is in a comment.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2012-02-05 21:06:30 UTC 
(In reply to comment #15)
> First determine that freetype:1 is actually vulnerable.

It may or may not be vulnerable to this issue, but is likely vulnerable to at least one of the 2.x vulnerabilities that have been disclosed since support for freetype:1 stopped. 

Is moving away from freetype:1 an option, or do we need to look at all the recent freetype:2 vulnerabilities to see which apply?