Bug 1160220 - (CVE-2020-5395) VUL-1: CVE-2020-5395: fontforge: use-after-free in SFD_GetFontMetaData in sfd.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/250344/
CVSSv3:SUSE:CVE-2020-5395:5.4:(AV:N/A...
Reported: 2020-01-07 10:43 UTC by Alexandros Toptsoglou
Modified: 2020-12-04 20:20 UTC (History)

Found By: Security Response Team


Attachments
POC (2.07 KB, application/vnd.font-fontforge-sfd)
2020-01-07 10:57 UTC, Alexandros Toptsoglou
log of before updating (108.59 KB, text/plain)
2020-02-07 08:43 UTC, Liu Shukui
log of after updating (144.84 KB, text/plain)
2020-02-07 08:44 UTC, Liu Shukui

Comment 1 Alexandros Toptsoglou 2020-01-07 10:57:10 UTC
Tracked SLE12 and SLE15 as affected. The POC can be found attached. To reproduce the issue simply run in GUI mode the following: 

valgrind fontforge $POC

OUTPUT:

==19620== Invalid write of size 8
==19620==    at 0x4C35717: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41857: UnknownInlinedFun (string_fortified.h:71)
==19620==    by 0x5E41857: SFD_GetFontMetaData (sfd.c:7826)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620==  Address 0x117a65b8 is 24 bytes before a block of size 24 alloc'd
==19620==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41828: SFD_GetFontMetaData (sfd.c:7825)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620== 
==19620== Invalid write of size 8
==19620==    at 0x4C3571A: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41857: UnknownInlinedFun (string_fortified.h:71)
==19620==    by 0x5E41857: SFD_GetFontMetaData (sfd.c:7826)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620==  Address 0x117a65c0 is 16 bytes before a block of size 24 alloc'd
==19620==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41828: SFD_GetFontMetaData (sfd.c:7825)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620== 
==19620== Invalid write of size 8
==19620==    at 0x4C3571E: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41857: UnknownInlinedFun (string_fortified.h:71)
==19620==    by 0x5E41857: SFD_GetFontMetaData (sfd.c:7826)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
==19620==  Address 0x117a65c8 is 8 bytes before a block of size 24 alloc'd
==19620==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19620==    by 0x5E41828: SFD_GetFontMetaData (sfd.c:7825)
==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)
==19620==    by 0x5E47AF3: SFD_Read (sfd.c:8895)
==19620==    by 0x5E606AA: _ReadSplineFont (splinefont.c:1149)
==19620==    by 0x5E6117F: LoadSplineFont (splinefont.c:1346)
==19620==    by 0x5D1997B: ViewPostScriptFont (fontviewbase.c:1341)
==19620==    by 0x5004DBA: fontforge_main (startui.c:1353)
==19620==    by 0x55ACF89: (below main) (in /lib64/libc-2.26.so)
Comment 2 Alexandros Toptsoglou 2020-01-07 10:57:34 UTC
Created attachment 827025
POC
Comment 4 Swamp Workflow Management 2020-01-16 17:12:35 UTC
SUSE-SU-2020:0118-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1160236
CVE References: CVE-2020-5395,CVE-2020-5496
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    fontforge-20170731-4.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Cliff Zhao 2020-01-17 01:09:10 UTC
Because the request has been accepted, I will transfer this bug to our security team. Thanks for reporting.
Comment 6 Swamp Workflow Management 2020-01-21 23:10:57 UTC
openSUSE-SU-2020:0089-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1160236
CVE References: CVE-2020-5395,CVE-2020-5496
Sources used:
openSUSE Leap 15.1 (src):    fontforge-20170731-lp151.4.3.1
Comment 7 Liu Shukui 2020-02-07 08:43:39 UTC
Created attachment 829598
log of before updating
Comment 8 Liu Shukui 2020-02-07 08:44:44 UTC
Created attachment 829599
log of after updating
Comment 9 Liu Shukui 2020-02-07 08:46:39 UTC
Hi, there are still a lot of errors after updating while running "valgrind fontforge test01.sfd". Is this acceptable?

Please see the above logs.
Comment 10 Liu Shukui 2020-02-18 09:41:48 UTC
(In reply to Liu Shukui from comment #9)
> Hi, there are still a lot of errors after updating while running "valgrind
> fontforge test01.sfd". Is this acceptable?
> 
> Please see the above logs.

new bug 1164079 is reported.
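Added example, not part of the bug report or of FontForge: a small memcheck triage script. It parses records in the format pasted in comment 1 and labels each one from memcheck's own "Address ... is N bytes before|after|inside a block of size S alloc'd|free'd" line (memcheck prints alloc'd for a block that is still live and free'd for one that has been released, so the three records in comment 1, 24, 16 and 8 bytes before a live 24-byte block, come out as writes below a live allocation rather than as accesses to freed memory). It then compares two logs the way comment 9 needs, reporting which (category, location) keys disappeared after an update and which are new. The sample logs are constructed: the underflow records are trimmed from comment 1; the uninitialised-value and use-after-free records use placeholder names (example_noise, example_uaf, example.c) and are hypothetical.

```python
"""Triage Valgrind memcheck output: classify each error, then diff two logs."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

HEADER_RE = re.compile(r"^==\d+== (?P<msg>\S.*)$")                 # one space, then text
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>\S+) \((?P<loc>[^)]+)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (?P<off>\d+) bytes "
                     r"(?P<where>before|after|inside) a block of size (?P<blk>\d+) (?P<state>alloc'd|free'd)")
WILD_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is not stack'd, malloc'd")
ACCESS_RE = re.compile(r"^Invalid (?P<access>read|write) of size (?P<size>\d+)$")


@dataclass(frozen=True)
class MemcheckError:
    message: str            # memcheck header line, e.g. "Invalid write of size 8"
    category: str           # label assigned by classify()
    access: Optional[str]   # "read", "write" or None
    size: Optional[int]     # width of the faulting access in bytes
    offset: Optional[int]   # distance from the block memcheck names
    block: Optional[int]    # size of that block
    location: str           # first frame outside valgrind's interposition library


def first_location(frames) -> str:
    """Skip memcheck's own memset/realloc wrappers and glibc inlines (string_fortified.h)."""
    for func, loc in frames:
        if "vgpreload" in loc or func == "UnknownInlinedFun":
            continue
        return f"{func} ({loc})"
    return "<unknown>"


def classify(rec) -> Optional[MemcheckError]:
    msg, addr, where = rec["message"], rec["addr"] or {}, (rec["addr"] or {}).get("where")
    m = ACCESS_RE.match(msg)
    if m:
        if addr.get("state") == "free'd":
            category = "use-after-free"          # block released before this access
        elif where == "before":
            category = "heap-buffer-underflow"   # access below the start of a live block
        elif where == "after":
            category = "heap-buffer-overflow"    # access past the end of a live block
        elif where == "wild":
            category = "wild-pointer"            # not near any heap block memcheck knows
        else:
            category = "invalid-access"
        return MemcheckError(msg, category, m.group("access"), int(m.group("size")),
                             int(addr["off"]) if "off" in addr else None,
                             int(addr["blk"]) if "blk" in addr else None,
                             first_location(rec["frames"]))
    if "uninitialised" in msg:
        return MemcheckError(msg, "uninitialised-value", None, None, None, None, first_location(rec["frames"]))
    return None   # banner, HEAP SUMMARY and other non-error lines


def parse_memcheck(text: str) -> List[MemcheckError]:
    records, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = {"message": h.group("msg"), "frames": [], "addr": None}
            records.append(current)
            continue
        if current is None:
            continue
        f, a = FRAME_RE.match(line), ADDR_RE.match(line)
        if f and current["addr"] is None:       # frames after the Address line are the alloc/free stack
            current["frames"].append((f.group("func"), f.group("loc")))
        elif a:
            current["addr"] = a.groupdict()
        elif WILD_RE.match(line):
            current["addr"] = {"where": "wild"}
    return [e for e in map(classify, records) if e is not None]


def summarize(errors) -> Counter:
    """Count errors by (category, location) so repeated noise at one site collapses to one key."""
    return Counter((e.category, e.location) for e in errors)


def compare_logs(before: str, after: str):
    """Return (fixed, introduced): keys that vanished after an update and keys that are new."""
    b, a = summarize(parse_memcheck(before)), summarize(parse_memcheck(after))
    return b - a, a - b


# Constructed sample logs (see lead-in). {addr}/{off} vary the two records trimmed from comment 1.
_UNDERFLOW = [
    "==19620== Invalid write of size 8",
    "==19620==    at 0x4C35717: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)",
    "==19620==    by 0x5E41857: UnknownInlinedFun (string_fortified.h:71)",
    "==19620==    by 0x5E41857: SFD_GetFontMetaData (sfd.c:7826)",
    "==19620==    by 0x5E456A0: SFD_GetFont (sfd.c:8320)",
    "==19620==  Address 0x{addr} is {off} bytes before a block of size 24 alloc'd",
    "==19620==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)",
    "==19620==    by 0x5E41828: SFD_GetFontMetaData (sfd.c:7825)",
    "==19620== ",
]
_NOISE = ["==19620== Conditional jump or move depends on uninitialised value(s)",   # hypothetical
          "==19620==    at 0x400100: example_noise (example.c:42)", "==19620== "]
_UAF = ["==19620== Invalid read of size 4",                                          # hypothetical
        "==19620==    at 0x400200: example_uaf (example.c:20)",
        "==19620==  Address 0x5200040 is 0 bytes inside a block of size 64 free'd",
        "==19620==    at 0x4C30D3B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)",
        "==19620==    by 0x400180: example_uaf (example.c:18)", "==19620== "]
LOG_BEFORE = "\n".join([l.format(addr="117a65b8", off=24) for l in _UNDERFLOW]
                       + [l.format(addr="117a65c0", off=16) for l in _UNDERFLOW] + _NOISE)
LOG_AFTER = "\n".join(_NOISE)   # stands in for a build where the underflow is gone
LOG_UAF = "\n".join(_UAF)

if __name__ == "__main__":
    for e in parse_memcheck(LOG_BEFORE) + parse_memcheck(LOG_UAF):
        print(f"{e.category:22} {e.location}  [{e.message}]")
    fixed, introduced = compare_logs(LOG_BEFORE, LOG_AFTER)
    print("fixed:", dict(fixed))
    print("introduced:", dict(introduced))
```

To use it on real runs, capture each run with valgrind's `--log-file=<file>` option (or `2>` redirection), read both files into strings and pass them to compare_logs; anything left in `introduced` after an update is what deserves a new report, while a non-empty `fixed` entry for the reported site confirms the patched build no longer trips the original record.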
Comment 11 Swamp Workflow Management 2020-02-18 17:12:58 UTC
SUSE-SU-2020:0393-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1160236
CVE References: CVE-2020-5395,CVE-2020-5496
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    fontforge-20170731-11.11.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    fontforge-20170731-11.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-04-22 09:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1160220) was mentioned in
https://build.opensuse.org/request/show/796236 Factory / fontforge
Comment 13 Alexandros Toptsoglou 2020-07-10 14:49:10 UTC
Done
Comment 14 Swamp Workflow Management 2020-11-29 20:29:48 UTC
openSUSE-SU-2020:2111-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1178308
CVE References: CVE-2020-25690,CVE-2020-5395
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    fontforge-20170731-lp151.4.6.1
Comment 15 Swamp Workflow Management 2020-12-04 20:20:52 UTC
SUSE-SU-2020:3628-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1178308
CVE References: CVE-2020-25690,CVE-2020-5395
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    fontforge-20170731-11.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.