Bug 1160220 – VUL-1: CVE-2020-5395: fontforge: use-after-free in SFD_GetFontMetaData in sfd.c

Bug 1160220 - (CVE-2020-5395) VUL-1: CVE-2020-5395: fontforge: use-after-free in SFD_GetFontMetaData in sfd.c

(CVE-2020-5395)
Summary:	VUL-1: CVE-2020-5395: fontforge: use-after-free in SFD_GetFontMetaData in sfd.c

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/250344/
Whiteboard:	CVSSv3:SUSE:CVE-2020-5395:5.4:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2020-01-07 10:43 UTC by Alexandros Toptsoglou
Modified:	2020-12-04 20:20 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
POC (2.07 KB, application/vnd.font-fontforge-sfd) 2020-01-07 10:57 UTC, Alexandros Toptsoglou	Details
log of before updating (108.59 KB, text/plain) 2020-02-07 08:43 UTC, Liu Shukui	Details
log of after updating (144.84 KB, text/plain) 2020-02-07 08:44 UTC, Liu Shukui	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexandros Toptsoglou 2020-01-07 10:43:08 UTC

CVE-2020-5395

FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5395
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-5395.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5395
https://github.com/fontforge/fontforge/issues/4084

Comment 1 Alexandros Toptsoglou 2020-01-07 10:57:10 UTC

Tracked SLE12 and SLE15 as affected. The POC can be found attached. To reproduce the issue simply run in GUI mode the following: 

valgrind fontforge $POC

OUTPUT:

==19620== Invalid write of size 8
==19620==    at 0x4C35717: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41857: UnknownInlinedFun (string_fortified.h:71)
==19620==    by 0x5E41857: SFD_GetFontMetaData (sfd.c:7826)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620==  Address 0x117a65b8 is 24 bytes before a block of size 24 alloc'd
==19620==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41828: SFD_GetFontMetaData (sfd.c:7825)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620== 
==19620== Invalid write of size 8
==19620==    at 0x4C3571A: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41857: UnknownInlinedFun (string_fortified.h:71)
==19620==    by 0x5E41857: SFD_GetFontMetaData (sfd.c:7826)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620==  Address 0x117a65c0 is 16 bytes before a block of size 24 alloc'd
==19620==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41828: SFD_GetFontMetaData (sfd.c:7825)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620== 
==19620== Invalid write of size 8
==19620==    at 0x4C3571E: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41857: UnknownInlinedFun (string_fortified.h:71)
==19620==    by 0x5E41857: SFD_GetFontMetaData (sfd.c:7826)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620==  Address 0x117a65c8 is 8 bytes before a block of size 24 alloc'd
==19620==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41828: SFD_GetFontMetaData (sfd.c:7825)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)

Comment 2 Alexandros Toptsoglou 2020-01-07 10:57:34 UTC

Created attachment 827025 [details]
POC

Comment 4 Swamp Workflow Management 2020-01-16 17:12:35 UTC

SUSE-SU-2020:0118-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1160236
CVE References: CVE-2020-5395,CVE-2020-5496
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    fontforge-20170731-4.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 Cliff Zhao 2020-01-17 01:09:10 UTC

Because the request has been accepted, so I will transfer this bug to our security team. thanks for reporting.

Comment 6 Swamp Workflow Management 2020-01-21 23:10:57 UTC

openSUSE-SU-2020:0089-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1160236
CVE References: CVE-2020-5395,CVE-2020-5496
Sources used:
openSUSE Leap 15.1 (src):    fontforge-20170731-lp151.4.3.1

Comment 7 Liu Shukui 2020-02-07 08:43:39 UTC

Created attachment 829598 [details]
log of before updating

Comment 8 Liu Shukui 2020-02-07 08:44:44 UTC

Created attachment 829599 [details]
log of after updating

Comment 9 Liu Shukui 2020-02-07 08:46:39 UTC

Hi, there are still a lot of errors after updating while runing "valgrind fontforge  test01.sfd". Is this acceptable?

Please see the above logs.

Comment 10 Liu Shukui 2020-02-18 09:41:48 UTC

(In reply to Liu Shukui from comment #9)
> Hi, there are still a lot of errors after updating while runing "valgrind
> fontforge  test01.sfd". Is this acceptable?
> 
> Please see the above logs.

new bug 1164079 is reported.

Comment 11 Swamp Workflow Management 2020-02-18 17:12:58 UTC

SUSE-SU-2020:0393-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1160236
CVE References: CVE-2020-5395,CVE-2020-5496
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    fontforge-20170731-11.11.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    fontforge-20170731-11.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Swamp Workflow Management 2020-04-22 09:20:06 UTC

This is an autogenerated message for OBS integration:
This bug (1160220) was mentioned in
https://build.opensuse.org/request/show/796236 Factory / fontforge

Comment 13 Alexandros Toptsoglou 2020-07-10 14:49:10 UTC

Done

Comment 14 Swamp Workflow Management 2020-11-29 20:29:48 UTC

openSUSE-SU-2020:2111-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1178308
CVE References: CVE-2020-25690,CVE-2020-5395
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    fontforge-20170731-lp151.4.6.1

Comment 15 Swamp Workflow Management 2020-12-04 20:20:52 UTC

SUSE-SU-2020:3628-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1178308
CVE References: CVE-2020-25690,CVE-2020-5395
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    fontforge-20170731-11.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.