Bug 1160220 (CVE-2020-5395)

Summary: VUL-1: CVE-2020-5395: fontforge: use-after-free in SFD_GetFontMetaData in sfd.c
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: skliu, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/250344/
Whiteboard: CVSSv3:SUSE:CVE-2020-5395:5.4:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: POC; log of before updating; log of after updating

Comment 1 Alexandros Toptsoglou 2020-01-07 10:57:10 UTC
Tracked SLE12 and SLE15 as affected. The POC can be found attached. To reproduce the issue, simply run the following in GUI mode:

valgrind fontforge $POC

OUTPUT:

==19620== Invalid write of size 8
==19620==    at 0x4C35717: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41857: UnknownInlinedFun (string_fortified.h:71)
==19620==    by 0x5E41857: SFD_GetFontMetaData (sfd.c:7826)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620==  Address 0x117a65b8 is 24 bytes before a block of size 24 alloc'd
==19620==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41828: SFD_GetFontMetaData (sfd.c:7825)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620== 
==19620== Invalid write of size 8
==19620==    at 0x4C3571A: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41857: UnknownInlinedFun (string_fortified.h:71)
==19620==    by 0x5E41857: SFD_GetFontMetaData (sfd.c:7826)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620==  Address 0x117a65c0 is 16 bytes before a block of size 24 alloc'd
==19620==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41828: SFD_GetFontMetaData (sfd.c:7825)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620== 
==19620== Invalid write of size 8
==19620==    at 0x4C3571E: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41857: UnknownInlinedFun (string_fortified.h:71)
==19620==    by 0x5E41857: SFD_GetFontMetaData (sfd.c:7826)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620==  Address 0x117a65c8 is 8 bytes before a block of size 24 alloc'd
==19620==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41828: SFD_GetFontMetaData (sfd.c:7825)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
Comment 2 Alexandros Toptsoglou 2020-01-07 10:57:34 UTC
Created attachment 827025 [details]
POC
Comment 4 Swamp Workflow Management 2020-01-16 17:12:35 UTC
SUSE-SU-2020:0118-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1160236
CVE References: CVE-2020-5395,CVE-2020-5496
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    fontforge-20170731-4.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Cliff Zhao 2020-01-17 01:09:10 UTC
Because the request has been accepted, I will transfer this bug to our security team. Thanks for reporting.
Comment 6 Swamp Workflow Management 2020-01-21 23:10:57 UTC
openSUSE-SU-2020:0089-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1160236
CVE References: CVE-2020-5395,CVE-2020-5496
Sources used:
openSUSE Leap 15.1 (src):    fontforge-20170731-lp151.4.3.1
Comment 7 Liu Shukui 2020-02-07 08:43:39 UTC
Created attachment 829598 [details]
log of before updating
Comment 8 Liu Shukui 2020-02-07 08:44:44 UTC
Created attachment 829599 [details]
log of after updating
Comment 9 Liu Shukui 2020-02-07 08:46:39 UTC
Hi, there are still a lot of errors after updating while running "valgrind fontforge test01.sfd". Is this acceptable?

Please see the above logs.
Comment 10 Liu Shukui 2020-02-18 09:41:48 UTC
(In reply to Liu Shukui from comment #9)
> Hi, there are still a lot of errors after updating while running "valgrind
> fontforge test01.sfd". Is this acceptable?
> 
> Please see the above logs.

New bug 1164079 is reported.
Comment 11 Swamp Workflow Management 2020-02-18 17:12:58 UTC
SUSE-SU-2020:0393-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1160236
CVE References: CVE-2020-5395,CVE-2020-5496
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    fontforge-20170731-11.11.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    fontforge-20170731-11.11.1
Comment 12 Swamp Workflow Management 2020-04-22 09:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1160220) was mentioned in
https://build.opensuse.org/request/show/796236 Factory / fontforge
Comment 13 Alexandros Toptsoglou 2020-07-10 14:49:10 UTC
Done
Comment 14 Swamp Workflow Management 2020-11-29 20:29:48 UTC
openSUSE-SU-2020:2111-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1178308
CVE References: CVE-2020-25690,CVE-2020-5395
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    fontforge-20170731-lp151.4.6.1
Comment 15 Swamp Workflow Management 2020-12-04 20:20:52 UTC
SUSE-SU-2020:3628-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1178308
CVE References: CVE-2020-25690,CVE-2020-5395
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    fontforge-20170731-11.14.1