Bug 635188 (CVE-2017-11568, CVE-2017-11569, CVE-2017-11571, CVE-2017-11572, CVE-2017-11574, CVE-2017-11575, CVE-2017-11576, CVE-2017-11577) - <media-gfx/fontforge-20170731: Multiple vulnerabilities
Summary: <media-gfx/fontforge-20170731: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-11568, CVE-2017-11569, CVE-2017-11571, CVE-2017-11572, CVE-2017-11574, CVE-2017-11575, CVE-2017-11576, CVE-2017-11577
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/fontforge/fontforg...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 637154
Blocks:
Reported: 2017-10-23 16:59 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-20 19:12 UTC

See Also:
Package list:
=media-gfx/fontforge-20170731
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-23 16:59:14 UTC
CVE-2017-11577 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11577):
  FontForge 20161012 is vulnerable to a buffer over-read in getsid
  (parsettf.c) resulting in DoS or code execution via a crafted otf file.

CVE-2017-11576 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11576):
  FontForge 20161012 does not ensure a positive size in a weight vector memcpy
  call in readcfftopdict (parsettf.c) resulting in DoS via a crafted otf file.

CVE-2017-11575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11575):
  FontForge 20161012 is vulnerable to a buffer over-read in strnmatch (char.c)
  resulting in DoS or code execution via a crafted otf file, related to a call
  from the readttfcopyrights function in parsettf.c.

CVE-2017-11574 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11574):
  FontForge 20161012 is vulnerable to a heap-based buffer overflow in
  readcffset (parsettf.c) resulting in DoS or code execution via a crafted otf
  file.

CVE-2017-11573 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11573):
  FontForge 20161012 is vulnerable to a buffer over-read in
  ValidatePostScriptFontName (parsettf.c) resulting in DoS or code execution
  via a crafted otf file.

CVE-2017-11572 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11572):
  FontForge 20161012 is vulnerable to a heap-based buffer over-read in
  readcfftopdicts (parsettf.c) resulting in DoS or code execution via a
  crafted otf file.

CVE-2017-11571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11571):
  FontForge 20161012 is vulnerable to a stack-based buffer overflow in
  addnibble (parsettf.c) resulting in DoS or code execution via a crafted otf
  file.

CVE-2017-11570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11570):
  FontForge 20161012 is vulnerable to a buffer over-read in umodenc
  (parsettf.c) resulting in DoS or code execution via a crafted otf file.

CVE-2017-11569 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11569):
  FontForge 20161012 is vulnerable to a heap-based buffer over-read in
  readttfcopyrights (parsettf.c) resulting in DoS or code execution via a
  crafted otf file.

CVE-2017-11568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11568):
  FontForge 20161012 is vulnerable to a heap-based buffer over-read in
  PSCharStringToSplines (psread.c) resulting in DoS or code execution via a
  crafted otf file.
Comment 1 Mike Gilbert gentoo-dev 2017-10-23 20:03:11 UTC
I think these are resolved in fontforge-20170731. We should be all set to stabilize that version.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-25 16:10:33 UTC
(In reply to Mike Gilbert from comment #1)
> I think these are resolved in fontforge-20170731. We should be all set to
> stabilize that version.

Awesome,

@Arches please test and mark stable
Comment 3 Mike Gilbert gentoo-dev 2017-10-25 16:29:14 UTC
According to the github issue in URL (thanks!), most of the CVEs have been addressed, but there are a couple that have not been.

Anyway, it is certainly worth stabilizing the current version regardless.
Comment 4 Manuel Rüger (RETIRED) gentoo-dev 2017-10-25 23:37:20 UTC
Stable on amd64
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-26 17:38:34 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-26 19:13:39 UTC
hppa stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-26 21:33:12 UTC
ia64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-26 21:48:09 UTC
ppc stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-28 23:36:58 UTC
ppc64 stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-08 12:52:23 UTC
Stable on alpha.
Comment 11 Aleksandr Wagner (Kivak) 2017-11-08 17:19:58 UTC
@ Maintainer(s): Stabilization is complete, please clean the vulnerable
versions from the tree.

@ Security: Please vote on glsa.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-11-11 13:36:01 UTC
GLSA Vote: No
Comment 13 Mike Gilbert gentoo-dev 2017-11-11 14:57:28 UTC
I suggest creating a new bug report for CVE-2017-11570 and CVE-2017-11573.

These issues have NOT been fixed upstream, and are therefore not fixed in fontforge-20170731 in Gentoo.
Comment 14 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-11 15:05:21 UTC
(In reply to Mike Gilbert from comment #13)
> I suggest creating a new bug report for CVE-2017-11570 and CVE-2017-11573.
> 
> These issues have NOT been fixed upstream, and are therefore not fixed in
> fontforge-20170731 in Gentoo.

Thank you Mike, bug 637136 will handle those two CVEs
Comment 15 Mike Gilbert gentoo-dev 2017-11-11 17:51:51 UTC
> @ Maintainer(s): Stabilization is complete, please clean the vulnerable
> versions from the tree.

This is false; ARM has yet to mark the package stable.
Comment 16 Mike Gilbert gentoo-dev 2017-11-11 17:56:12 UTC
Oh, I see that ARM is not "supported".

Regardless, I cannot clean up old versions without triggering a repoman error since ARM has stable profiles defined. This policy mismatch seems pretty retarded to me.
Comment 17 Mike Gilbert gentoo-dev 2017-11-11 18:18:10 UTC
I de-keyworded 20160404 for everything but arm and stable.

It would be helpful if you would update your boiler-plate cleanup text to include a warning that not all "stable" arches have been stabilized.

This would help prevent tree breakage when maintainers assume that "stabilization is complete" actually means "complete" and not "done for the arches that security cares about".
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-11-11 19:40:20 UTC
(In reply to Mike Gilbert from comment #17)
> I de-keyworded 20160404 for everything but arm and stable.
> 
> It would be helpful if you would update your boiler-plate cleanup text to
> include a warning that not all "stable" arches have been stabilized.
> 
> This would help prevent tree breakage when maintainers assume that
> "stabilization is complete" actually means "complete" and not "done for the
> arches that security cares about".

arm and sparc should have stayed in this bug as a STABLEREQ.  If the maintainer decided to remove the vulnerable without their stabilization then that is on them.  It is not that we do not care about that arch, but that arch has either taken too long or is not supported.

You can see this across many bugs that are out there.  I apologize that this was handled in such a way.  Thank you for taking the appropriate action to secure the other arches.
Comment 19 Mike Gilbert gentoo-dev 2017-11-11 20:02:29 UTC
(In reply to Aaron Bauman from comment #18)
> arm and sparc should have stayed in this bug as a STABLEREQ.  If the
> maintainer decided to remove the vulnerable without their stabilization then
> that is on them.  It is not that we do not care about that arch, but that
> arch has either taken to long or is not supported.

I removed the vulnerable versions because comment 11 said "stabilization complete". I had to revert this to fix repoman.

I then created a separate bug for arm and sparc because I was afraid the security team would mark this bug RESOLVED without arm and sparc being finished. Arch teams don't look at RESOLVED bugs.
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 15:11:34 UTC
(In reply to Mike Gilbert from comment #19)
> (In reply to Aaron Bauman from comment #18)
> > arm and sparc should have stayed in this bug as a STABLEREQ.  If the
> > maintainer decided to remove the vulnerable without their stabilization then
> > that is on them.  It is not that we do not care about that arch, but that
> > arch has either taken to long or is not supported.
> 
> I removed the vulnerable versions because comment 11 said "stabilization
> complete". I had to revert this to fix repoman.
> 
> I then created a separate bug for arm and sparc because I was afraid the
> security team would mark this bug RESOLVED without arm and sparc being
> finished. Arch teams don't look at RESOLVED bugs.

All arches have the fixed version stable now.

@maintainer, can it be cleaned now?
Comment 21 Mike Gilbert gentoo-dev 2018-01-20 17:22:18 UTC
Cleaned!
Comment 22 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 19:12:53 UTC
(In reply to Mike Gilbert from comment #21)
> Cleaned!

Thanks, Mike!