Bug 1160236 - (CVE-2020-5496) VUL-1: CVE-2020-5496: fontforge: heap-based buffer overflow in Type2NotDefSplines() in splinesave.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other Other
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/250358/
Whiteboard: CVSSv3:SUSE:CVE-2020-5496:5.4:(AV:N/A...
Reported: 2020-01-07 11:57 UTC by Alexandros Toptsoglou
Modified: 2020-07-10 14:49 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments:
POC (1.75 KB, application/vnd.font-fontforge-sfd), 2020-01-07 12:00 UTC, Alexandros Toptsoglou

Comment 1 Alexandros Toptsoglou 2020-01-07 12:00:40 UTC
Tracked SLE12 and SLE15 as affected. The POC is attached. To reproduce run:

fontforge -lang ff -c 'Open("$POC"); Generate("test02.otf")'

The upstream issue is still open and there is ongoing discussion.

OUTPUT:

==25157== Invalid read of size 8
==25157==    at 0x5E87B21: RSC2PS2.constprop.28 (splinesave.c:2957)
==25157==    by 0x5E8D9D1: SplineChar2PS2.isra.26.constprop.27 (splinesave.c:3044)
==25157==    by 0x5E8DEE5: SplineFont2ChrsSubrs2 (splinesave.c:3251)
==25157==    by 0x5F05631: dumptype2glyphs (tottf.c:2631)
==25157==    by 0x5F0BEAC: initTables (tottf.c:5733)
==25157==    by 0x5F0C3CF: _WriteTTFFont (tottf.c:6126)
==25157==    by 0x5F0C8C2: WriteTTFFont (tottf.c:6159)
==25157==    by 0x5DF0917: _DoSave (savefont.c:840)
==25157==    by 0x5DF1D08: GenerateScript (savefont.c:1249)
==25157==    by 0x5E0A20E: bGenerate (scripting.c:2010)
==25157==    by 0x5E0CD7D: docall (scripting.c:9596)
==25157==    by 0x5E0D5F5: handlename (scripting.c:9707)
==25157==  Address 0xed04c70 is 0 bytes after a block of size 96 alloc'd
==25157==    at 0x4C306B5: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25157==    by 0x5EAF56D: SplinePointCreate (splineutil.c:164)
==25157==    by 0x5E83B58: Type2NotDefSplines.isra.15 (splinesave.c:3081)
==25157==    by 0x5E8DD5E: SplineFont2ChrsSubrs2 (splinesave.c:3232)
==25157==    by 0x5F05631: dumptype2glyphs (tottf.c:2631)
==25157==    by 0x5F0BEAC: initTables (tottf.c:5733)
==25157==    by 0x5F0C3CF: _WriteTTFFont (tottf.c:6126)
==25157==    by 0x5F0C8C2: WriteTTFFont (tottf.c:6159)
==25157==    by 0x5DF0917: _DoSave (savefont.c:840)
==25157==    by 0x5DF1D08: GenerateScript (savefont.c:1249)
==25157==    by 0x5E0A20E: bGenerate (scripting.c:2010)
==25157==    by 0x5E0CD7D: docall (scripting.c:9596)
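Triage helper, added here and not part of the bug report or of fontforge: it parses the memcheck block quoted in Comment 1 (embedded below, trimmed to a few frames) and pulls out what a maintainer needs to confirm a heap overflow, namely the access type and size, how far past the 96-byte block the read landed, the faulting frame and the allocation frame. The regex and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the memcheck output quoted in Comment 1, trimmed to the frames the parser needs.
REPORT = """\
==25157== Invalid read of size 8
==25157==    at 0x5E87B21: RSC2PS2.constprop.28 (splinesave.c:2957)
==25157==  Address 0xed04c70 is 0 bytes after a block of size 96 alloc'd
==25157==    at 0x4C306B5: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25157==    by 0x5EAF56D: SplinePointCreate (splineutil.c:164)
==25157==    by 0x5E83B58: Type2NotDefSplines.isra.15 (splinesave.c:3081)
"""
ERROR_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes (after|before) a block of size (\d+) alloc'd$")

@dataclass
class MemcheckError:
    access: str                                        # "read" or "write"
    size: int                                          # bytes touched by the faulting access
    offset: int = 0                                    # distance from the block boundary
    side: str = ""                                     # "after" = overflow, "before" = underflow
    block_size: int = 0
    access_stack: list = field(default_factory=list)   # (function, location) at the fault
    alloc_stack: list = field(default_factory=list)    # (function, location) at the allocation

    def classify(self) -> str:
        bound = "overflow" if self.side == "after" else "underflow"
        return (f"heap-based buffer {bound} ({self.access} of {self.size} bytes, "
                f"{self.offset} bytes {self.side} a {self.block_size}-byte block)")

def parse_memcheck(text: str) -> list:
    """Split memcheck output into errors, each with its access stack and allocation stack."""
    errors, stack = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if m := ERROR_RE.match(line):
            errors.append(MemcheckError(access=m.group(1), size=int(m.group(2))))
            stack = errors[-1].access_stack
        elif (m := ADDR_RE.match(line)) and errors:
            err = errors[-1]
            err.offset, err.side, err.block_size = int(m.group(1)), m.group(2), int(m.group(3))
            stack = err.alloc_stack
        elif (m := FRAME_RE.match(line)) and stack is not None:
            stack.append((m.group(1), m.group(2)))
    return errors

def first_source_frame(stack: list):
    """First frame with a file:line location, skipping valgrind's own allocator shim (calloc)."""
    return next((f for f in stack if re.fullmatch(r"[^\s:]+:\d+", f[1])), None)
```

Running it over the full trace from Comment 1 gives one error whose allocation site is SplinePointCreate called from Type2NotDefSplines, matching the bug title.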
Comment 2 Alexandros Toptsoglou 2020-01-07 12:00:55 UTC
Created attachment 827030 [details]
POC
Comment 4 Swamp Workflow Management 2020-01-16 17:12:42 UTC
SUSE-SU-2020:0118-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1160236
CVE References: CVE-2020-5395,CVE-2020-5496
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    fontforge-20170731-4.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Cliff Zhao 2020-01-17 01:09:36 UTC
Because the request has been accepted, I will transfer this bug to our security team. Thanks for reporting.
Comment 6 Swamp Workflow Management 2020-01-21 23:11:04 UTC
openSUSE-SU-2020:0089-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1160236
CVE References: CVE-2020-5395,CVE-2020-5496
Sources used:
openSUSE Leap 15.1 (src):    fontforge-20170731-lp151.4.3.1
Comment 7 Swamp Workflow Management 2020-02-18 17:13:05 UTC
SUSE-SU-2020:0393-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1160236
CVE References: CVE-2020-5395,CVE-2020-5496
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    fontforge-20170731-11.11.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    fontforge-20170731-11.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-04-22 09:20:10 UTC
This is an autogenerated message for OBS integration:
This bug (1160236) was mentioned in
https://build.opensuse.org/request/show/796236 Factory / fontforge
Comment 9 Alexandros Toptsoglou 2020-07-10 14:49:24 UTC
Done