Bug 654696 (CVE-2018-6942) - <media-libs/freetype-2.9.1: crash with certain malformed variation fonts (CVE-2018-6942)
Status: RESOLVED FIXED
Alias: CVE-2018-6942
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.chromium.org/p/oss-fuzz/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 655052 655650
Blocks:
Reported: 2018-05-03 08:28 UTC by Lars Wendler (Polynomial-C) (RETIRED)
Modified: 2018-12-05 14:16 UTC

See Also:
Package list:
=media-libs/freetype-2.9.1-r3
Runtime testing required: ---
stable-bot: sanity-check+


Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-05-03 08:28:37 UTC
CHANGES BETWEEN 2.9 and 2.9.1 

I. IMPORTANT BUG FIXES 

- Type 1 fonts containing flex features were not rendered correctly (bug introduced in version 2.9). 
- CVE-2018-6942: Older FreeType versions can crash with certain malformed variation fonts. 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6942
Comment 1 Mart Raudsepp gentoo-dev 2018-05-11 08:39:35 UTC
arm64 stable
Comment 2 Larry the Git Cow gentoo-dev 2018-05-11 19:11:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c31b429a5b8af9994964416b64afc40935d06cd

commit 1c31b429a5b8af9994964416b64afc40935d06cd
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-05-11 19:11:07 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-11 19:11:07 +0000

    media-libs/freetype: stable 2.9.1-r1 for ia64, bug #654696
    
    Bug: https://bugs.gentoo.org/654696
    Package-Manager: Portage-2.3.36, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 media-libs/freetype/freetype-2.9.1-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Larry the Git Cow gentoo-dev 2018-05-11 19:21:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71448ce899880e28310d5766a9493f654559b0ba

commit 71448ce899880e28310d5766a9493f654559b0ba
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-11 18:19:43 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-11 19:20:56 +0000

    media-libs/freetype: stable 2.9.1-r1 for sparc
    
    Bug: https://bugs.gentoo.org/654696
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 media-libs/freetype/freetype-2.9.1-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-05-11 20:36:30 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-05-13 22:08:07 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2018-05-14 19:22:09 UTC
Stable on alpha.
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-05-19 18:34:09 UTC
commit 8a3acbd604bf81b28d09daa20cde83c5fe7e0826
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Fri May 18 09:59:12 2018 +0200

    media-libs/freetype: Stable for HPPA too.
Comment 8 Matt Turner gentoo-dev 2018-05-25 03:46:25 UTC
ppc64 stable
Comment 9 Matt Turner gentoo-dev 2018-05-25 04:13:11 UTC
ppc stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-05-27 14:42:37 UTC
arm stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2018-06-07 20:25:32 UTC
@maintainer, please clean vulnerable
Comment 12 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-06-07 20:46:40 UTC
(In reply to Aaron Bauman from comment #11)
> @maintainer, please clean vulnerable

No can do until <app-text/texlive-core-2017-r4 has finally fixed the stupid freetype dependency restriction (or =2017-r4 gets stabilized).
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2018-11-25 01:44:10 UTC
@maintainers, please clean vulnerable.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2018-12-01 01:01:47 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #12)
> (In reply to Aaron Bauman from comment #11)
> > @maintainer, please clean vulnerable
> 
> No can do until <app-text/texlive-core-2017-r4 has finally fixed the stupid
> freetype dependency restriction (or =2017-r4 gets stabilized).

@Lars, 2017-r4 is stable.
Comment 15 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-12-05 10:57:43 UTC
(In reply to Aaron Bauman from comment #14)
> (In reply to Lars Wendler (Polynomial-C) from comment #12)
> > (In reply to Aaron Bauman from comment #11)
> > > @maintainer, please clean vulnerable
> > 
> > No can do until <app-text/texlive-core-2017-r4 has finally fixed the stupid
> > freetype dependency restriction (or =2017-r4 gets stabilized).
> 
> @Lars, 2017-r4 is stable.

Yeah but =app-text/texlive-core-2017-r3 is still in the tree and depends on <media-libs/freetype-2.9.1-r3 so removal of vulnerable freetype releases would break the tree.
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2018-12-05 14:01:23 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #15)
> (In reply to Aaron Bauman from comment #14)
> > (In reply to Lars Wendler (Polynomial-C) from comment #12)
> > > (In reply to Aaron Bauman from comment #11)
> > > > @maintainer, please clean vulnerable
> > > 
> > > No can do until <app-text/texlive-core-2017-r4 has finally fixed the stupid
> > > freetype dependency restriction (or =2017-r4 gets stabilized).
> > 
> > @Lars, 2017-r4 is stable.
> 
> Yeah but =app-text/texlive-core-2017-r3 is still in the tree and depends on
> <media-libs/freetype-2.9.1-r3 so removal of vulnerable freetype releases
> would break the tree.

It is gone now.
Comment 17 Larry the Git Cow gentoo-dev 2018-12-05 14:13:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=841a4344507aaac22d7fe28d4b160c719c51e31f

commit 841a4344507aaac22d7fe28d4b160c719c51e31f
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-12-05 14:13:39 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-12-05 14:13:39 +0000

    media-libs/freetype: Security cleanup
    
    Bug: https://bugs.gentoo.org/654696
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-libs/freetype/Manifest            |   6 --
 media-libs/freetype/freetype-2.8.ebuild | 179 --------------------------------
 media-libs/freetype/freetype-2.9.ebuild | 178 -------------------------------
 3 files changed, 363 deletions(-)
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2018-12-05 14:16:34 UTC
(In reply to Larry the Git Cow from comment #17)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=841a4344507aaac22d7fe28d4b160c719c51e31f
> 
> commit 841a4344507aaac22d7fe28d4b160c719c51e31f
> Author:     Lars Wendler <polynomial-c@gentoo.org>
> AuthorDate: 2018-12-05 14:13:39 +0000
> Commit:     Lars Wendler <polynomial-c@gentoo.org>
> CommitDate: 2018-12-05 14:13:39 +0000
> 
>     media-libs/freetype: Security cleanup
>     
>     Bug: https://bugs.gentoo.org/654696
>     Package-Manager: Portage-2.3.52, Repoman-2.3.12
>     Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
> 
>  media-libs/freetype/Manifest            |   6 --
>  media-libs/freetype/freetype-2.8.ebuild | 179 --------------------------------
>  media-libs/freetype/freetype-2.9.ebuild | 178 -------------------------------
>  3 files changed, 363 deletions(-)

Thanks, Lars!