Bug 628213 - (CVE-2010-1797) VUL-0: freetype2: FreeType vulnerability being exploited in the wild (CVE-2010-1797)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other
OS: Other
Priority: P1 - Urgent
Severity: Critical
Assigned To: Security Team bot
Whiteboard: maint:released:11.1:35113 maint:relea...
Reported: 2010-08-04 07:45 UTC by Thomas Biege
Modified: 2019-05-22 00:53 UTC
CC: 2 users
Found By: Development
Description Thomas Biege 2010-08-04 07:45:31 UTC
Hi.
There is a security bug in package 'freetype2'.

This information is from 'vendor-sec'.

This bug is NOT PUBLIC.

There is no coordinated release date (CRD) set.

More information can be found here:
	http://www.apple.com/support/security/

CVE number: CVE-2010-1797
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1797

Original posting:


----------  Forwarded message  ----------

Subject: [vendor-sec] FreeType vulnerability being exploited in the wild (CVE-2010-1797)
Date: Tuesday, 3 August 2010, 21:20:48
From: Braden Thomas <bthomas@apple.com>
To: vendor-sec@lst.de

Hello Vendor-Sec,

We've discovered a FreeType security vulnerability that is actively being 
exploited in the wild.

This issue has been confirmed in FreeType 2.4.1.  This issue is occurring 
because some CFF opcodes (cff_op_random and cff_op_dup) increment the args 
array more than they consume without any stack overflow checks.  We've 
addressed this issue by adding stack overflow checks to these two opcodes.  
Also affected is the cff_op_pop opcode, but we addressed this issue by 
changing the req_args number for this opcode (in cff_argument_counts) from 0 
to 1, because this matches what we believe to be the expected behavior for this 
opcode.

We have a proposed patch that we have confirmed addresses the issue:

diff -u -r freetype-2.4.1/src/cff/cffgload.c 
freetype-2.4.1_patched/src/cff/cffgload.c
--- freetype-2.4.1/src/cff/cffgload.c	2010-07-15 09:26:45.000000000 -0700
+++ freetype-2.4.1_patched/src/cff/cffgload.c	2010-08-03 12:18:02.000000000 
-0700
@@ -204,7 +204,7 @@
     2, /* hsbw */
     0,
     0,
-    0,
+    1,
     5, /* seac */
     4, /* sbw */
     2  /* setcurrentpoint */
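Review bot: the entry flipped from 0 to 1 in cff_argument_counts carries no comment naming its opcode while the neighbouring entries do (`hsbw`, `seac`, `sbw`); the e-mail says this is `cff_op_pop`, so write it as `1, /* pop */` so the next reader can verify the table against the opcode enum without counting rows. Raising the required count means the decoder's generic argument-count check now rejects `pop` on an empty stack instead of the opcode body advancing `args` past what it consumed, which is the fix the e-mail describes; that reasoning belongs in the commit message, since nothing in the hunk itself shows why 1 is the right count.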
@@ -2041,6 +2041,9 @@
             if ( Rand >= 0x8000L )
               Rand++;
 
+            if ( args - stack >= CFF_MAX_OPERANDS )
+                goto Stack_Overflow;
+			  
             args[0] = Rand;
             seed    = FT_MulFix( seed, 0x10000L - seed );
             if ( seed == 0 )
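Review bot: the added blank line after `goto Stack_Overflow;` carries trailing whitespace (a run of tabs), and the `goto` is indented four spaces past its `if` where the surrounding code and the dup hunk use two; drop the whitespace and align it as

    if ( args - stack >= CFF_MAX_OPERANDS )
      goto Stack_Overflow;

The placement of the check itself is right: it sits before the `args[0] = Rand;` store that the unchecked code performed regardless of stack depth, and computing `Rand` first is harmless because nothing is written until the check passes.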
@@ -2166,6 +2169,9 @@
         case cff_op_dup:
           FT_TRACE4(( " dup\n" ));
 
+          if ( args + 1 - stack >= CFF_MAX_OPERANDS )
+            goto Stack_Overflow;
+                
           args[1] = args[0];
           args += 2;
           break;
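Review bot: the added line after the `goto` again contains only trailing whitespace and should be an empty line. The bound `args + 1 - stack >= CFF_MAX_OPERANDS` is the correct one for this operator, since `dup` stores to `args[1]`, one slot further than `random`'s `args[0]`, so the two hunks are deliberately off by one from each other; but the hunk shows nothing guaranteeing that `args[0]` is a live operand when `dup` runs. If that relies on the generic required-argument count for `dup`, which lies outside this diff, say so in the commit message so reviewers do not have to go and check the table.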


We've assigned CVE-2010-1797 to this issue.

We have an exploit for this issue available if you would like it for testing.  
We've contacted Werner Lemberg regarding this issue at wl@gnu.org, but have 
not received a response yet.  If anyone has another security contact for 
FreeType, please let us know.

Best regards,

Braden Thomas
Apple Product Security team
http://www.apple.com/support/security/
PGP Key: https://www.apple.com/support/security/pgp/
-------------------------------------------------------------
-- 
 Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
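The mechanism described in the report above, as an added example that is neither FreeType's code nor part of the original posting: a toy Type 2 charstring operand-stack interpreter in C with a `hardened` switch that models the pre-patch and patched handling of `dup`, `random` and `pop`. The escape values for `dup` (27) and `random` (23) follow the Type 2 charstring specification; the escape value used for `pop` (17), the `CFF_MAX_OPERANDS` value of 48, the `pop` body (advancing `args` by one without consuming anything, which is the behaviour the report implies) and the trivial random generator are assumptions of this model, not FreeType's. Canary words placed directly after the operand stack in the same array make the pre-patch overrun observable without undefined behaviour; `probe()` packs status, canary state and final stack depth into one integer so each run can be checked at a glance.

```c
/* Added example, not FreeType code: a toy Type 2 charstring operand-stack interpreter
 * modelling pre-patch (hardened = 0) and patched (hardened = 1) handling of dup, random
 * and pop as the report describes them.  Constants and the pop body are model assumptions. */
#include <stdint.h>
#include <stdio.h>

#define CFF_MAX_OPERANDS 48          /* operand stack depth used by this model */
#define GUARD_WORDS       8          /* canary slots placed right after the stack */
#define CANARY   0x5A5A5A5A

enum { OP_ESCAPE = 12, OP_ENDCHAR = 14, ESC_POP = 17, ESC_RANDOM = 23, ESC_DUP = 27 };
typedef enum { CS_OK, CS_STACK_OVERFLOW, CS_STACK_UNDERFLOW, CS_BAD_OPCODE } cs_status;

typedef struct {
    int32_t *stack, *args;   /* args = next free slot, as in FreeType's decoder */
    int      hardened;       /* 0: pre-patch behaviour, 1: with the report's checks */
    uint32_t seed;
} cs_decoder;

/* Required operand count per escaped operator; the patch raises pop's from 0 to 1. */
static int req_args(const cs_decoder *d, int esc)
{
    if (esc == ESC_DUP)    return 1;
    if (esc == ESC_RANDOM) return 0;
    if (esc == ESC_POP)    return d->hardened ? 1 : 0;
    return -1;
}

static cs_status cs_exec(cs_decoder *d, const uint8_t *cs, size_t len)
{
    int32_t *stack = d->stack, *args;
    size_t ip = 0;
    int esc, n;
    while (ip < len) {
        uint8_t b = cs[ip++];
        if (b >= 32 && b <= 246) {                    /* one-byte operand, value b - 139 */
            if (d->args - stack >= CFF_MAX_OPERANDS) return CS_STACK_OVERFLOW; /* always checked */
            *d->args++ = (int32_t)b - 139;
            continue;
        }
        if (b == OP_ENDCHAR) return CS_OK;
        if (b != OP_ESCAPE || ip >= len) return CS_BAD_OPCODE;
        esc = cs[ip++];
        if ((n = req_args(d, esc)) < 0) return CS_BAD_OPCODE;
        if (d->args - stack < n) return CS_STACK_UNDERFLOW;  /* generic argument-count check */
        args = d->args - n;                           /* first operand of this operator */
        switch (esc) {
        case ESC_DUP:                                 /* consumes 1, leaves 2: net +1 slot */
            if (d->hardened && args + 1 - stack >= CFF_MAX_OPERANDS) return CS_STACK_OVERFLOW;
            args[1] = args[0];
            args += 2;
            break;
        case ESC_RANDOM:                              /* consumes 0, leaves 1: net +1 slot */
            d->seed = d->seed * 1103515245u + 12345u; /* any generator will do here */
            if (d->hardened && args - stack >= CFF_MAX_OPERANDS) return CS_STACK_OVERFLOW;
            args[0] = (int32_t)(d->seed >> 16);
            args += 1;
            break;
        case ESC_POP:                                 /* model: advances args by one, so with */
            args += 1;                                /* req_args 0 it is a net push of a stale slot */
            break;
        }
        d->args = args;
    }
    return CS_OK;
}

/* Constructed charstring: optional operand 0, `repeat` copies of escape `esc`, then endchar. */
size_t build_flood(uint8_t *out, int esc, int repeat, int push_first)
{
    size_t n = 0; int i;
    if (push_first) out[n++] = 139;                   /* byte 139 pushes the operand 0 */
    for (i = 0; i < repeat; i++) { out[n++] = OP_ESCAPE; out[n++] = (uint8_t)esc; }
    out[n++] = OP_ENDCHAR;
    return n;
}

/* Runs one flood and encodes the outcome as status*10000 + guard_clobbered*1000 + depth.
 * The canary words live in the same array as the stack, so a pre-patch overrun is
 * observable without undefined behaviour. */
int probe(int hardened, int esc, int repeat, int push_first)
{
    uint8_t cs[256];
    int32_t buf[CFF_MAX_OPERANDS + GUARD_WORDS];
    cs_decoder d = { buf, buf, hardened, 1 };
    size_t len = build_flood(cs, esc, repeat, push_first);
    int i, clobbered = 0, st;
    for (i = 0; i < CFF_MAX_OPERANDS + GUARD_WORDS; i++) buf[i] = CANARY;
    st = (int)cs_exec(&d, cs, len);
    for (i = CFF_MAX_OPERANDS; i < CFF_MAX_OPERANDS + GUARD_WORDS; i++) clobbered |= (buf[i] != CANARY);
    return st * 10000 + clobbered * 1000 + (int)(d.args - buf);
}

int main(void)
{
    printf("dup    pre-patch %5d  patched %5d\n", probe(0, ESC_DUP, 50, 1), probe(1, ESC_DUP, 50, 1));
    printf("random pre-patch %5d  patched %5d\n", probe(0, ESC_RANDOM, 50, 0), probe(1, ESC_RANDOM, 50, 0));
    printf("pop    pre-patch %5d  patched %5d\n", probe(0, ESC_POP, 50, 0), probe(1, ESC_POP, 50, 0));
    return 0;
}
```

With 50 `dup` or `random` operators the pre-patch decoder finishes with CS_OK and a clobbered canary (it wrote past the 48-slot stack), while the patched decoder stops with CS_STACK_OVERFLOW at depth 48. The `pop` flood shows the other half of the report: an opcode whose required-argument count is 0 advances `args` to depth 50 without the generic count check ever firing, whereas with the count raised to 1 the first `pop` on an empty stack is rejected as an underflow.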
Comment 6 Thomas Biege 2010-08-04 09:56:05 UTC
Hello dear maint-coord,
can we fix this bug and bnc#619562 with a version upgrade? Jürgen tries to figure out if the API changed or not.
Comment 7 Swamp Workflow Management 2010-08-04 10:01:30 UTC
The SWAMPID for this issue is 34955.
This issue was rated as critical.
Please submit fixed packages until 2010-08-06.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 8 Christian Dengler 2010-08-04 10:23:57 UTC
(In reply to comment #6)
> Hello dear maint-coord,
> can we fix this bug and bnc#619562 with a version upgrade? Jürgen tries to
> figure out if the API changed or not.

Which codestreams are affected by this issue? All?

What are the changes between the old version and the aimed version? Additional features or only bugfixes?
Comment 11 Thomas Biege 2010-08-05 07:03:12 UTC
Juergen,
with the reproducer from Braden you can test which versions are affected. (see comment #8) HTH
Comment 12 Marcus Meissner 2010-08-06 13:25:36 UTC
we cannot do a major upgrade of freetype2 versions in my opinion, except perhaps for 11.3.

(judging from Wine the freetype API changes quite a bit over time, and we would never really know if it works in the end.) Such a version upgrade would also require ECO paperwork etc, and might even be rejected due to risks.
Comment 13 Juergen Weigert 2010-08-06 17:03:39 UTC
Built with the above patch, and tested ftbench against the above otf file.

ibs: home:jnweiger:branches:SUSE:SLE-11:Update:Test ft2demos
ibs: home:jnweiger:branches:SUSE:SLE-11:Update:Test freetype2

obs: home:jnweiger:branches:openSUSE:11.3:Update:Test freetype2
obs: home:jnweiger:branches:M17N freetype2

More next week.
Comment 17 Thomas Biege 2010-08-11 11:43:08 UTC
Does our freetype2 package use CFF rendering?
Comment 18 Thomas Biege 2010-08-17 14:00:38 UTC
CVE-2010-1797: CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE-2010-1797: Buffer Errors (CWE-119)
Comment 19 Juergen Weigert 2010-08-18 22:23:41 UTC
hand over to security-team@suse.de
Answer to comment#17 not known, possibly yes.
Comment 20 Swamp Workflow Management 2010-08-25 08:49:33 UTC
Update released for: libfreetype6
Products:
openSUSE 11.3 (debug, i586, x86_64)
Comment 21 Swamp Workflow Management 2010-08-25 08:49:34 UTC
Update released for: freetype2, freetype2-debuginfo, freetype2-debuginfo-32bit, freetype2-debuginfo-x86, freetype2-debugsource, freetype2-devel
Products:
openSUSE 11.1 (debug, i586, ppc, ppc64, x86_64)
openSUSE 11.2 (debug, i586, x86_64)
Comment 22 Swamp Workflow Management 2010-08-25 11:57:31 UTC
Update released for: freetype2, freetype2-32bit, freetype2-debuginfo, freetype2-debuginfo-32bit, freetype2-debuginfo-64bit, freetype2-debuginfo-x86, freetype2-debugsource, freetype2-devel, freetype2-devel-32bit, freetype2-x86
Products:
SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11 (i386, x86_64)
SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Comment 23 Swamp Workflow Management 2010-08-25 12:08:32 UTC
Update released for: freetype2, freetype2-32bit, freetype2-debuginfo, freetype2-debuginfo-32bit, freetype2-debuginfo-64bit, freetype2-debuginfo-x86, freetype2-debugsource, freetype2-devel, freetype2-devel-32bit, freetype2-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 24 Thomas Biege 2010-08-26 11:31:04 UTC
released
Comment 25 Swamp Workflow Management 2010-08-26 13:55:24 UTC
Update released for: freetype2, freetype2-32bit, freetype2-64bit, freetype2-debuginfo, freetype2-devel, freetype2-devel-32bit, freetype2-devel-64bit, freetype2-x86
Products:
SLE-DESKTOP 10-SP3 (i386, x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Comment 26 Swamp Workflow Management 2010-08-26 14:08:18 UTC
Update released for: freetype2, freetype2-devel
Products:
Novell-Linux-POS 9 (i386)
Open-Enterprise-Server 9 (i386)
SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
Comment 27 Swamp Workflow Management 2010-09-15 13:08:21 UTC
Update released for: freetype2, freetype2-debuginfo, freetype2-debuginfo-32bit, freetype2-debuginfo-x86, freetype2-debugsource, freetype2-devel
Products:
SUSE-MOBLIN 2.0 (i386)
SUSE-MOBLIN 2.0-DEBUG (i386)
Comment 28 Swamp Workflow Management 2010-09-15 16:20:37 UTC
Update released for: freetype2, freetype2-debuginfo, freetype2-debuginfo-32bit, freetype2-debuginfo-x86, freetype2-debugsource, freetype2-devel
Products:
SUSE-MOBLIN 2.1 (i386)
SUSE-MOBLIN 2.1-DEBUG (i386)
Comment 29 Swamp Workflow Management 2012-04-23 12:53:18 UTC
Update released for: freetype2, freetype2-32bit, freetype2-debuginfo, freetype2-devel, freetype2-devel-32bit, ft2demos, ft2demos-debuginfo
Products:
SLE-SERVER 10-SP2-LTSS (i386, s390x, x86_64)
Comment 30 Bernhard Wiedemann 2016-04-15 12:55:04 UTC
This is an autogenerated message for OBS integration:
This bug (628213) was mentioned in
https://build.opensuse.org/request/show/45461 Factory / freetype2