Bug 704612 - VUL-0: freetype: off-by-one / length checks missing in psaux/psobjs.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: maint:released:11.3:42323 maint:relea...
Reported: 2011-07-08 11:38 UTC by Dirk Mueller
Modified: 2019-05-22 00:55 UTC (History)

Found By: Development

Attachments
patch (2.27 KB, patch), 2011-07-08 15:09 UTC, Dirk Mueller
patch for CVE-2011-0226 (6.46 KB, patch), 2011-07-19 20:10 UTC, Dirk Mueller

Description Dirk Mueller 2011-07-08 11:38:54 UTC
executing xpdf http://www.jailbreakme.com/saffron/_/iPod_4.3.3_8J2.pdf

gives

Program received signal SIGSEGV, Segmentation fault.
0x0000002a96912fe6 in memcpy () from /lib64/tls/libc.so.6
0x0000002a956b5b59 in ps_table_add () from /usr/lib64/libfreetype.so.6
0x0000002a956caeec in parse_subrs () from /usr/lib64/libfreetype.so.6

this seems to be fixed in newer freetype versions:

--- freetype-2.1.7/./src/psaux/psobjs.c       2003-10-20 
+++ freetype-2.3.7/src/psaux/psobjs.c 
@@ -158,7 +169,7 @@
                 void*       object,
                 FT_PtrDist  length )
   {
-    if ( idx < 0 || idx > table->max_elems )
+    if ( idx < 0 || idx >= table->max_elems )
     {
       FT_ERROR(( "ps_table_add: invalid index\n" ));
       return PSaux_Err_Invalid_Argument;
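Review bot: the single-character change on the `-`/`+` lines is the whole fix, and it is correct only if `table->max_elems` is the number of allocated slots rather than the last valid index: with `idx > table->max_elems`, a call with `idx == max_elems` passes the check and the function goes on to store into `elements[max_elems]` and `lengths[max_elems]`, one past the end of both arrays, which is the off-by-one named in the bug title. A one-line comment on the check stating that `max_elems` is a count would prevent the same `>` versus `>=` slip in a backport to 2.1.7. The following hunk header `@@ -181,7 +192,7 @@` is quoted without its body, so the companion change at that location cannot be reviewed from what is shown here.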
@@ -181,7 +192,7 @@

but there are many changes in the length and integer overflow checks in freetype2 that are unpatched in that particular source code, so many more patches seem to be missing.
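As an added example (not FreeType's code and not attached to this bug), the following is a simplified model of the `ps_table_add` logic with the corrected index check and the pointer-relocation check discussed in this bug, so the effect of each can be exercised on a few bytes. The `ps_table_t` structure, `table_init`, `table_done`, `table_add`, `run_checks` and the tiny `GROW_STEP` are all constructed for this illustration; FreeType's real table grows by a much larger chunk and its `in_offset` test is written on pointer differences rather than on `uintptr_t` values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of FreeType's PS_Table, constructed for this example.
 * Field names follow the hunks quoted in this bug; the code is not FreeType's. */
typedef struct {
    unsigned char  *block;     /* one contiguous buffer holding every element */
    size_t          capacity;  /* bytes allocated in block */
    size_t          cursor;    /* bytes of block already in use */
    unsigned char **elements;  /* start of each element inside block */
    size_t         *lengths;   /* length of each element */
    int             max_elems; /* number of slots in elements[] and lengths[] */
} ps_table_t;

enum { PS_OK = 0, PS_ERR_INVALID_ARG = -1, PS_ERR_OOM = -2 };

/* Growth step: deliberately tiny so a realloc happens after a few bytes. */
#define GROW_STEP 4

int table_init(ps_table_t *t, int max_elems, size_t capacity)
{
    memset(t, 0, sizeof *t);
    t->block    = malloc(capacity);
    t->elements = calloc((size_t)max_elems, sizeof *t->elements);
    t->lengths  = calloc((size_t)max_elems, sizeof *t->lengths);
    if (!t->block || !t->elements || !t->lengths)
        return PS_ERR_OOM;
    t->capacity  = capacity;
    t->max_elems = max_elems;
    return PS_OK;
}

void table_done(ps_table_t *t)
{
    free(t->block);
    free(t->elements);
    free(t->lengths);
    memset(t, 0, sizeof *t);
}

/* ps_table_add with both corrected checks:
 *  - idx == max_elems is rejected (">=", not ">"); with ">" the stores at the
 *    end would write elements[max_elems] and lengths[max_elems].
 *  - when the block must grow, an object that already lives inside it (for
 *    example an earlier element) is re-pointed after the realloc; an object
 *    outside the block is left untouched. */
int table_add(ps_table_t *t, int idx, const void *object, ptrdiff_t length)
{
    if (idx < 0 || idx >= t->max_elems || length < 0)
        return PS_ERR_INVALID_ARG;
    size_t len = (size_t)length;

    if (t->cursor + len > t->capacity) {
        /* Same intent as "in_offset < 0 || in_offset >= capacity", computed on
         * integer values so no pointer arithmetic crosses unrelated objects. */
        uintptr_t obj  = (uintptr_t)object;
        uintptr_t base = (uintptr_t)t->block;
        int inside = obj >= base && obj - base < t->capacity;
        size_t in_offset = inside ? (size_t)(obj - base) : 0;

        size_t new_size = t->capacity;
        while (new_size < t->cursor + len)
            new_size += GROW_STEP;

        /* Record element offsets before the block moves; SIZE_MAX = empty slot. */
        size_t *offs = malloc((size_t)t->max_elems * sizeof *offs);
        if (!offs)
            return PS_ERR_OOM;
        for (int i = 0; i < t->max_elems; i++)
            offs[i] = t->elements[i] ? (size_t)(t->elements[i] - t->block) : SIZE_MAX;

        unsigned char *nb = realloc(t->block, new_size);
        if (!nb) {
            free(offs);
            return PS_ERR_OOM;
        }
        t->block    = nb;
        t->capacity = new_size;
        for (int i = 0; i < t->max_elems; i++)
            t->elements[i] = offs[i] == SIZE_MAX ? NULL : nb + offs[i];
        free(offs);

        if (inside)
            object = nb + in_offset;   /* the object moved with the block */
    }

    t->elements[idx] = t->block + t->cursor;
    t->lengths[idx]  = len;
    memcpy(t->elements[idx], object, len);
    t->cursor += len;
    return PS_OK;
}

/* Exercises both checks on constructed input; returns 1 if every expectation
 * holds and 0 otherwise. */
int run_checks(void)
{
    ps_table_t t;
    if (table_init(&t, 3, 4) != PS_OK)
        return 0;
    int ok = 1;
    ok &= table_add(&t, 3, "x", 1) == PS_ERR_INVALID_ARG;   /* idx == max_elems */
    ok &= table_add(&t, -1, "x", 1) == PS_ERR_INVALID_ARG;
    ok &= table_add(&t, 0, "x", -1) == PS_ERR_INVALID_ARG;  /* negative length */
    ok &= table_add(&t, 0, "abc", 3) == PS_OK;    /* 3 <= 4: no growth */
    ok &= table_add(&t, 1, "defg", 4) == PS_OK;   /* 7 > 4: grows, object outside block */
    ok &= t.capacity == 8 && t.cursor == 7;
    /* Object is element 0 itself, a pointer into block; 10 > 8 forces another
     * realloc, so the copy must read from the relocated address. */
    ok &= table_add(&t, 2, t.elements[0], 3) == PS_OK;
    ok &= t.capacity == 12 && t.cursor == 10;
    ok &= memcmp(t.elements[0], "abc", 3) == 0;
    ok &= memcmp(t.elements[1], "defg", 4) == 0;
    ok &= memcmp(t.elements[2], "abc", 3) == 0;
    ok &= t.lengths[2] == 3;
    table_done(&t);
    return ok;
}
```

The last call in `run_checks` is the case the `in_offset` change exists for: the object being copied is an element already stored in the table, so after the block is reallocated the source pointer is stale unless it is recomputed from its offset; an object outside the block, such as the string literal, must not be "relocated" at all, which is what the sign and capacity test decides.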
Comment 1 Dirk Mueller 2011-07-08 11:53:19 UTC
I think the actual patch is this: 


commit 9b00875093d1d646798a59d8f5793575fee93adf
Author: Werner Lemberg <wl@gnu.org>
Date:   Wed Apr 13 13:37:37 2011 +0200

    Fix Savannah bug #33047.
    
    Patch submitted by anonymous reporter.
    
    * src/psaux/psobjs.c (ps_table_add): Use FT_PtrDist for pointer
    difference.
--- a/src/psaux/psobjs.c
+++ b/src/psaux/psobjs.c
@@ -186,13 +185,13 @@
     /* grow the base block if needed */
     if ( table->cursor + length > table->capacity )
     {
-      FT_Error   error;
-      FT_Offset  new_size = table->capacity;
-      FT_Long    in_offset;
+      FT_Error    error;
+      FT_Offset   new_size = table->capacity;
+      FT_PtrDist  in_offset;
 
 
-      in_offset = (FT_Long)((FT_Byte*)object - table->block);
-      if ( (FT_ULong)in_offset >= table->capacity )
+      in_offset = (FT_Byte*)object - table->block;
+      if ( in_offset < 0 || (FT_Offset)in_offset >= table->capacity )
         in_offset = -1;
 
       while ( new_size < table->cursor + length )
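Review bot: the order of the two conditions on the `+` line `if ( in_offset < 0 || (FT_Offset)in_offset >= table->capacity )` matters and should not be swapped when porting: the `(FT_Offset)` cast is only meaningful once `in_offset < 0` has been excluded, which the short-circuit `||` guarantees. The removed `(FT_ULong)in_offset >= table->capacity` test relied on a negative `FT_Long` wrapping to a large unsigned value, which is only reliable when `FT_Long` has the same width as a pointer difference; `FT_PtrDist` removes that assumption, and that is the reason the cast was changed. A short comment above the check saying that `in_offset == -1` means "the object is not inside the table's own block, so it must not be re-pointed after the block is reallocated" would help, since nothing on these lines states why the value is being computed.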
Comment 2 Ismail Dönmez 2011-07-08 12:04:51 UTC
The FreeType maintainer just committed this regarding this bug:

diff --git a/ChangeLog b/ChangeLog
index 25fb10c..c58d6bf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-07-08  Werner Lemberg  <wl@gnu.org>
+
+       [psaux] Add better argument check for `callothersubr'.
+
+       * src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+       <op_callothersubr>: Reject negative arguments.
+
 2011-07-07  Werner Lemberg  <wl@gnu.org>

       [sfnt] Try harder to find non-zero values for ascender and descender.
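Review bot: the ChangeLog entry records where the check was added but not what it guards; a line noting that `arg_cnt` and `subr_no` are taken from charstring operands and that negative values previously reached the `callothersubr` handlers would let distribution maintainers judge from the log alone whether their version carries the affected code.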
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index ea31c51..a60ec38 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -687,6 +686,9 @@
        subr_no = (FT_Int)( top[1] >> 16 );
        arg_cnt = (FT_Int)( top[0] >> 16 );

+        if ( arg_cnt < 0 || subr_no < 0 )
+          goto Unexpected_OtherSubr;
+
        /***********************************************************/
        /*                                                         */
        /* remove all operands to callothersubr from the stack     */
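Review bot: the added sign check is necessary but, from these lines, not obviously sufficient. `arg_cnt` and `subr_no` are derived from the top two stack entries via `top[0] >> 16` and `top[1] >> 16`, so they come straight from the font; `arg_cnt < 0` is now rejected, but the comment immediately below says all `arg_cnt` operands are about to be removed from the stack, so `arg_cnt` must also be bounded by the number of elements actually on the stack before that removal. Likewise `subr_no >= 0` does not bound it above; confirm that the dispatch on `subr_no` that follows has a `default:` case rejecting unknown subroutine numbers. If both checks already exist further down, a comment at this point saying so would spare the next reader the same question.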
Comment 3 Dirk Mueller 2011-07-08 15:09:49 UTC
Created attachment 439015 [details]
patch

this patch fixes the crash for me.
Comment 4 Marcus Meissner 2011-07-11 09:24:22 UTC
also check this thread:

https://lists.nongnu.org/archive/html/freetype-devel/2011-07/msg00014.html
Comment 5 Ludwig Nussel 2011-07-18 07:45:30 UTC
CVE-2011-0226
Comment 8 Swamp Workflow Management 2011-07-18 11:20:55 UTC
The SWAMPID for this issue is 42234.
This issue was rated as important.
Please submit fixed packages until 2011-07-25.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 10 Ismail Dönmez 2011-07-19 13:49:22 UTC
Great analysis of the bug here: http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit , will attach the font used.
Comment 11 Ismail Dönmez 2011-07-19 13:50:19 UTC
Created attachment 440862 [details]
The font used in the exploit
Comment 12 Dirk Mueller 2011-07-19 20:10:13 UTC
Created attachment 440920 [details]
patch for CVE-2011-0226

It seems this is the patch based on that (according to the upstream git commits).
Comment 13 Karl Eichwalder 2011-07-21 06:14:57 UTC
Created attachment 441251 [details]
Modified 440920: patch for CVE-2011-0226

The provided patch (#440920) does not apply cleanly on our version 2.3.7 (9 of 12 hunks fail).  I modified it to make it apply, but this needs close checking by C experts, please.

You can see it here: https://build.suse.de/package/show?package=freetype2&project=home%3Akeichwa%3Abranches%3ASUSE%3ASLE-11-SP1%3AUpdate%3ATest

Once approved, I'll change it for SLE10 and SLE9 accordingly.
Comment 14 Karl Eichwalder 2011-07-21 09:04:08 UTC
Created attachment 441360 [details]
Modified 440920: patch for CVE-2011-0226

The provided patch (#440920) does not apply cleanly on our version 2.3.12 coming with openSUSE 11.3 (1 of 12 hunks fails).  I modified it to make it apply, but this needs close checking by C experts, please.

You can see it here:
https://build.suse.de/package/show?package=freetype2&project=home%3Akeichwa%3Abranches%3AopenSUSE.org%3AopenSUSE%3A11.3%3AUpdate%3ATest
Comment 15 Michael Schröder 2011-07-21 18:10:45 UTC
Untested packages submitted. SLE10 doesn't seem to be affected (wild guess, please confirm).
Comment 16 Karl Eichwalder 2011-07-22 07:37:33 UTC
(In reply to comment #15)
> Untested packages submitted. SLE10 doesn't seem to be affected (wild guess,
> please confirm).

On SLE10 we ship 2.1.10 and on SLE9 2.1.7.  I guess they are affected as well (the patch applies at least partially).

Then the Factory update is still missing.  Can I submit it straight to the OBS?
Comment 17 Michael Schröder 2011-07-22 09:03:52 UTC
Note that I used a different patch (bnc704612_othersubr.diff). You may want to use the same one for factory for consistency. Note also that you have to add it to both specfiles.

SLE10: a partially applying patch doesn't mean that SLES10 is affected. The SLES10 freetype2 does neither do those <<16 >>16 shifts, nor does it have that "wish me luck" part.
Comment 18 Karl Eichwalder 2011-07-22 11:58:16 UTC
Ok, thanks a lot.  I now also submitted a SR to factory: #76760.

I consider it done.
Comment 19 Marcus Meissner 2011-07-22 12:14:43 UTC
please reassign security bugs back to the security team for tracking.

I am not sure what you submitted, let's see.
Comment 20 P Linnell 2011-07-23 14:34:28 UTC
https://build.opensuse.org/request/show/76843  forwarded to Factory.
Comment 21 Sebastian Krahmer 2011-07-25 08:54:01 UTC
FWIW, Werner pointed me to this description of why the fix is doing the weird casting:

http://lists.gnu.org/archive/html/freetype-devel/2011-07/msg00034.html
http://lists.gnu.org/archive/html/freetype-devel/2011-07/msg00037.html
Comment 22 Marcus Meissner 2011-07-25 15:04:24 UTC
I am not sure that the patch fixes the issue. :/

and that oS 11.3 and 11.4 are the only ones affected. :(
Comment 23 Marcus Meissner 2011-07-25 15:25:19 UTC
sle11 sp1 patchinfo submitted too
Comment 24 Swamp Workflow Management 2011-07-27 14:58:01 UTC
Update released for: freetype2-devel, libfreetype6
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 25 Marcus Meissner 2011-07-27 15:00:16 UTC
The active part of the patch is the added new test in the default: case.

This default: case is empty and falls through to SyntaxError in SLES 10 and older
distributions, so they are not affected.

Updates were released.