Bugzilla – Bug 1036789
VUL-0: CVE-2017-7475: cairo: Denial-of-Service Attack due to Logical Problem in Program
Last modified: 2020-06-18 15:28:26 UTC
CVE-2017-7475

## Overview

I and my colleague have found a vulnerability in Cairo-1.15.4 when fuzzing HarfBuzz with AFL. HarfBuzz is an OpenType text shaping engine and it contains a tool named hb-view which utilizes Cairo to give a graphical view of text using a font provided by the user. This vulnerability is due to a logical problem in the program, and can cause a Denial-of-Service attack with a crafted font file. The attachment is a zip file which includes my detailed analysis report and a PoC file. In order to avoid disclosing it before the patch is released, I have encrypted it. The developers can communicate with me to get the password.

## Author

name: Jiaqi Peng, Bingchang Liu @VARAS of IIE
email: pjqruc@gmail.com

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7475
http://seclists.org/oss-sec/2017/q2/151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7475
https://bugs.freedesktop.org/show_bug.cgi?id=100763
Created attachment 723146 [details]: cairo_report_poc.zip (from gnome bugzilla)
(zip archive has a password)
hmm, eval pending more knowledge
Created attachment 723812 [details]: cairo_crash_report.pdf (from the zip file)
Created attachment 723813 [details]: 1.ttf

QA REPRODUCER (get hb-view from harfbuzz):
hb-view 1.ttf hello
From gnome bugzilla, Chris Wilson 2017-05-04 12:09:12 UTC:

That was a lot of rigmarole where the simple gdb bt would suffice. Issue stems from

commit 79d975f84bcc32e91db517d71a7312e2e1d653d4
Author: Behdad Esfahbod <behdad@behdad.org>
Date: Wed Sep 12 17:45:11 2007 -0400

[cairo-ft-font] Ignore FT_Load_Glyph errors other than out-of-memory

Same for FT_Render_Glyph. When the user asks us to render a glyph that is not available in the font, it's mostly an unavoidable kind of error for them, as in, they can't avoid such a call. So it's not nice to put cairo_t in an error state and refuse any further drawing. Many PDF files are created using buggy software and cause such glyph-not-found errors for CID 0 for example. Eventually we should propagate these kind of errors up and return it from the function call causing it, but that needs API change to add return value to all text functions, so for now we just ignore these errors.
79d975f84bcc32e91db517d71a7312e2e1d653d4 is in 1.5.10
I sent this patch https://bugs.freedesktop.org/show_bug.cgi?id=100763#c6 to upstream for their approval. It's simple and I tested that it fixes the problem in the meantime while better error propagation is implemented in cairo.
There's no response from upstream after a month, so I submitted the proposed fix to Factory (http://build.opensuse.org/request/show/501654) and SLE12 SP2 (https://build.suse.de/request/show/133788).
SUSE-SU-2017:1671-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007255,1036789
CVE References: CVE-2016-9082,CVE-2017-7475

Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): cairo-1.15.2-24.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): cairo-1.15.2-24.1
SUSE Linux Enterprise Server 12-SP2 (src): cairo-1.15.2-24.1
SUSE Linux Enterprise Desktop 12-SP2 (src): cairo-1.15.2-24.1
The fix was already released, so I'm closing the bug report.
Reopening and reassigning to security-team so they can close the issue.
openSUSE-SU-2017:1799-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007255,1036789
CVE References: CVE-2016-9082,CVE-2017-7475

Sources used:
openSUSE Leap 42.2 (src): cairo-1.15.2-5.3.1
released
Forgot to set the maintainer, please see the previous comment.
Antonio, can you submit the same fix for SLE11?
I just submitted https://build.suse.de/request/show/165508 to fix this (together with https://build.suse.de/request/show/134478, which was accepted but wasn't released yet).
SUSE-SU-2018:1453-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007255,1036789,1049092
CVE References: CVE-2016-9082,CVE-2017-7475,CVE-2017-9814

Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): cairo-1.8.8-2.3.7.1
SUSE Linux Enterprise Server 11-SP4 (src): cairo-1.8.8-2.3.7.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): cairo-1.8.8-2.3.7.1