Bug 1050195 - (CVE-2017-11575) VUL-0: CVE-2017-11575: fontforge: Buffer over-read in strnmatch (char.c)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/189036/
CVSSv2:SUSE:CVE-2017-11575:7.5:(AV:N/...
Depends on:
Blocks:
Reported: 2017-07-24 12:57 UTC by Johannes Segitz
Modified: 2020-07-09 14:55 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments:
Reproducer (4.00 KB, application/vnd.oasis.opendocument.formula-template), 2017-12-06 08:23 UTC, Johannes Segitz

Description Johannes Segitz 2017-07-24 12:57:56 UTC
CVE-2017-11575

FontForge 20161012 is vulnerable to a buffer over-read in strnmatch (char.c)
resulting in DoS or code execution via a crafted otf file, related to a call
from the readttfcopyrights function in parsettf.c.

valgrind fontforge -lang=ff -c 'Open($1)' strnmatch-in-char.c-global-buffer-overflow.otf

SDK only

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11575
http://www.cvedetails.com/cve/CVE-2017-11575/
https://github.com/fontforge/fontforge/issues/3096
Comment 1 Liu Shukui 2017-11-13 06:35:39 UTC
It seems that the bug is not fixed:

# fontforge -lang=ff -c 'Open($1)' strnmatch-in-char.c-global-buffer-overflow.otf
......

Encoding subtable for platform=65522, specific=0 has an unsupported format -1.
Encoding subtable for platform=0, specific=0 has an unsupported format 96.
Encoding subtable for platform=0, specific=0 has a 0 length subtable.
Encoding subtable for platform=0, specific=0 has an unsupported format 96.
Encoding subtable for platform=0, specific=0 has a 0 length subtable.
Encoding subtable for platform=0, specific=0 has an unsupported format -1.
Encoding subtable for platform=1, specific=257 has an unsupported format -1.
Encoding subtable for platform=24404, specific=31088 has an unsupported format -1.
Encoding subtable for platform=12408, specific=12388 has an unsupported format -1.
Encoding subtable for platform=27648, specific=257 has an unsupported format -1.
Encoding subtable for platform=248, specific=15361 has an unsupported format -1.
Encoding subtable for platform=15875, specific=63511 has an unsupported format -1.
Encoding subtable for platform=64332, specific=64428 has an unsupported format -1.
Encoding subtable for platform=12538, specific=1541 has an unsupported format -1.
Encoding subtable for platform=7424, specific=56579 has an unsupported format -1.
Encoding subtable for platform=4352, specific=9218 has an unsupported format -1.
Encoding subtable for platform=9, specific=11 has an unsupported format -1.
Encoding subtable for platform=35, specific=42 has an unsupported format -1.
Encoding subtable for platform=65, specific=73 has an unsupported format -1.
Encoding subtable for platform=100, specific=109 has an unsupported format -1.
Could not find any valid encoding tables
Glyph 229 is called ".notdef", a singularly inept choice of name (only glyph 0
  may be called .notdef)
  FontForge will rename it.
Segmentation fault (core dumped)
Comment 2 Liu Shukui 2017-11-13 07:20:56 UTC
gdb backtrace with debuginfo package installed:

s12sp3:~/skliu # gdb  /usr/bin/fontforge 
GNU gdb (GDB; SUSE Linux Enterprise 12) 8.0.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-suse-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.opensuse.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/fontforge...Reading symbols from /usr/lib/debug/usr/bin/fontforge.debug...done.
done.
(gdb) run -lang=ff -c 'Open($1)' strnmatch-in-char.c-global-buffer-overflow.otf

......

Glyph 229 is called ".notdef", a singularly inept choice of name (only glyph 0
  may be called .notdef)
  FontForge will rename it.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6a349a9 in StripToASCII (utf8_str=0xa4bbf4 '\363\277\277\277' <repeats 50 times>...) at ustring.c:942
942			(alt = unicode_alternates[ch>>8][ch&0xff])!=NULL ) {
Missing separate debuginfos, use: zypper install Mesa-libEGL1-debuginfo-17.0.5-117.5.1.x86_64 Mesa-libGL1-debuginfo-17.0.5-117.5.1.x86_64 Mesa-libglapi0-debuginfo-17.0.5-117.5.1.x86_64 fontconfig-debuginfo-2.11.1-7.1.x86_64 glibc-locale-debuginfo-2.22-61.3.x86_64 libX11-6-debuginfo-1.6.2-11.1.x86_64 libX11-xcb1-debuginfo-1.6.2-11.1.x86_64 libXau6-debuginfo-1.0.8-4.58.x86_64 libXdamage1-debuginfo-1.1.4-7.54.x86_64 libXext6-debuginfo-1.3.2-3.61.x86_64 libXfixes3-debuginfo-5.0.1-7.1.x86_64 libXft2-debuginfo-2.3.1-9.32.x86_64 libXi6-debuginfo-1.7.4-17.1.x86_64 libXrender1-debuginfo-0.9.8-7.1.x86_64 libXxf86vm1-debuginfo-1.1.3-3.54.x86_64 libbz2-1-debuginfo-1.0.6-29.2.x86_64 libcairo2-debuginfo-1.15.2-24.1.x86_64 libdatrie1-debuginfo-0.2.4-17.19.x86_64 libdrm2-debuginfo-2.4.76-1.14.x86_64 libexpat1-debuginfo-2.1.0-21.3.1.x86_64 libffi4-debuginfo-5.3.1+r233831-12.1.x86_64 libfreetype6-debuginfo-2.6.3-7.10.1.x86_64 libgbm1-debuginfo-17.0.5-117.5.1.x86_64 libgif6-debuginfo-5.0.5-12.1.x86_64 libglib-2_0-0-debuginfo-2.48.2-10.2.x86_64 libgobject-2_0-0-debuginfo-2.48.2-10.2.x86_64 libgraphite2-3-debuginfo-1.3.1-9.1.x86_64 libharfbuzz0-debuginfo-1.4.5-7.5.x86_64 libjbig2-debuginfo-2.0-12.13.x86_64 libjpeg8-debuginfo-8.0.2-30.3.x86_64 liblzma5-debuginfo-5.0.5-4.852.x86_64 libpango-1_0-0-debuginfo-1.40.1-9.5.x86_64 libpcre1-debuginfo-8.39-8.3.1.x86_64 libpixman-1-0-debuginfo-0.34.0-6.1.x86_64 libpng16-16-debuginfo-1.6.8-14.1.x86_64 libpython2_7-1_0-debuginfo-2.7.13-27.1.x86_64 libspiro0-debuginfo-0.0.1-7.28.x86_64 libthai0-debuginfo-0.1.25-4.2.x86_64 libtiff5-debuginfo-4.0.8-44.3.1.x86_64 libuninameslist0-debuginfo-20091231-5.28.x86_64 libxcb-dri2-0-debuginfo-1.10-3.1.x86_64 libxcb-dri3-0-debuginfo-1.10-3.1.x86_64 libxcb-glx0-debuginfo-1.10-3.1.x86_64 libxcb-present0-debuginfo-1.10-3.1.x86_64 libxcb-render0-debuginfo-1.10-3.1.x86_64 libxcb-shm0-debuginfo-1.10-3.1.x86_64 libxcb-sync1-debuginfo-1.10-3.1.x86_64 libxcb-xfixes0-debuginfo-1.10-3.1.x86_64 
libxcb1-debuginfo-1.10-3.1.x86_64 libxml2-2-debuginfo-2.9.4-46.3.2.x86_64 libxshmfence1-debuginfo-1.1-1.28.x86_64 libz1-debuginfo-1.2.8-11.1.x86_64 python-base-debuginfo-2.7.13-27.1.x86_64
(gdb) bt
#0  0x00007ffff6a349a9 in StripToASCII (utf8_str=0xa4bbf4 '\363\277\277\277' <repeats 50 times>...) at ustring.c:942
#1  0x00007ffff7534a30 in ASCIIcheck (str=0x2679780) at parsettf.c:6088
#2  0x00007ffff753f842 in SFFillFromTTF (info=info@entry=0x7fffffffc0a0) at parsettf.c:6286
#3  0x00007ffff75416cc in _SFReadTTF (ttf=ttf@entry=0xa1a7f0, flags=flags@entry=0, openflags=openflags@entry=
    (unknown: 0), filename=filename@entry=0x99a0f0 "/root/skliu/strnmatch-in-char.c-global-buffer-overflow.otf", fd=fd@entry=0x0) at parsettf.c:6389
#4  0x00007ffff75e89dc in _ReadSplineFont (file=0xa1a7f0, 
    file@entry=0x0, filename=filename@entry=0x99a0f0 "/root/skliu/strnmatch-in-char.c-global-buffer-overflow.otf", openflags=openflags@entry=(unknown: 0))
    at splinefont.c:1076
#5  0x00007ffff75e9e3c in ReadSplineFont (filename=filename@entry=0x99a0f0 "/root/skliu/strnmatch-in-char.c-global-buffer-overflow.otf", openflags=openflags@entry=(unknown: 0)) at splinefont.c:1248
#6  0x00007ffff75e9f40 in LoadSplineFont (filename=0x99a0f0 "/root/skliu/strnmatch-in-char.c-global-buffer-overflow.otf", 
    filename@entry=0x9fb980 "strnmatch-in-char.c-global-buffer-overflow.otf", openflags=openflags@entry=(unknown: 0)) at splinefont.c:1321
#7  0x00007ffff759afcf in bOpen (c=0x7fffffffca60) at scripting.c:1694
#8  0x00007ffff759d8f1 in docall (c=c@entry=0x7fffffffd0b0, name=name@entry=0x7fffffffccc0 "Open", val=val@entry=0x7fffffffd040) at scripting.c:8798
#9  0x00007ffff759deae in handlename (c=c@entry=0x7fffffffd0b0, val=val@entry=0x7fffffffd040) at scripting.c:8882
#10 0x00007ffff759f14a in term (c=c@entry=0x7fffffffd0b0, val=val@entry=0x7fffffffd040) at scripting.c:9125
#11 0x00007ffff759f365 in mul (c=c@entry=0x7fffffffd0b0, val=val@entry=0x7fffffffd040) at scripting.c:9270
#12 0x00007ffff759f539 in add (c=c@entry=0x7fffffffd0b0, val=val@entry=0x7fffffffd040) at scripting.c:9315
#13 0x00007ffff759f869 in comp (c=c@entry=0x7fffffffd0b0, val=val@entry=0x7fffffffd040) at scripting.c:9390
#14 0x00007ffff759fabd in _and (c=c@entry=0x7fffffffd0b0, val=val@entry=0x7fffffffd040) at scripting.c:9433
#15 0x00007ffff759fc3e in _or (val=0x7fffffffd040, c=0x7fffffffd0b0) at scripting.c:9464
#16 0x00007ffff759fc3e in assign (c=c@entry=0x7fffffffd0b0, val=val@entry=0x7fffffffd040) at scripting.c:9496
#17 0x00007ffff759cda5 in expr (val=0x7fffffffd040, c=0x7fffffffd0b0) at scripting.c:9574
#18 0x00007ffff759cda5 in ff_statement (c=c@entry=0x7fffffffd0b0) at scripting.c:9783
#19 0x00007ffff75a0550 in ProcessNativeScript (argc=argc@entry=5, argv=argv@entry=0x7fffffffe168, script=script@entry=0x0) at scripting.c:9894
#20 0x00007ffff75a0cbe in _CheckIsScript (argv=0x7fffffffe168, argc=5) at scripting.c:10008
#21 0x00007ffff75a0cbe in CheckIsScript (argc=argc@entry=5, argv=argv@entry=0x7fffffffe168) at scripting.c:10024
#22 0x0000000000421f1e in main (argc=5, argv=0x7fffffffe168) at startui.c:1257
(gdb)
Comment 3 Cliff Zhao 2017-11-13 08:35:16 UTC
Okay, thanks!
I will deal with this as soon as possible.
Comment 4 Johannes Segitz 2017-12-06 08:23:20 UTC
Created attachment 751659 [details]
Reproducer
Comment 6 Cliff Zhao 2018-01-19 03:56:26 UTC
Hi Johannes:
I have been looking at it all this time, except when interrupted by some high-priority issues.
I know this issue has waited for a long time, and you are always watching me.
The latest release of FontForge doesn't have this problem, but after I ported the security fix code, FontForge leads to this crash.
I am finding the root reason, so please give me a little more time.
Comment 7 Johannes Segitz 2018-01-19 07:07:46 UTC
(In reply to Zhao Qiang 赵强 from comment #6)
Thank you for the update. Please don't feel rushed, I just wanted to check for the current state
Comment 10 Cliff Zhao 2018-03-08 11:52:18 UTC
I think this crash is mainly caused by the function "SFFillFromTTF" getting an erroneous info structure. This led to the function "StripToASCII" being mistakenly executed more than 50 times.
When the pointer moved out of the scope of the characters into an unauthorized area, the program crashed. But I found that a lot of code is involved in the generation procedure of struct info, so it's hard to say which is the culprit. I have tried to replace all the functions in the crash function stack with the final edition during the time I was out of the office, but the program still crashed. I think this can be used as an example to prove the above conclusion.
So I re-submitted the other security fixes together; this problem needs more investigation. I will submit it with new security fixes if I get the answer.
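The description reports a buffer over-read in a strnmatch-style compare reached from the TTF name-table parser, and comment 10 describes the string walk running past the characters it should stay inside. The following is an added illustration of that bug class, not FontForge's `strnmatch`, `readttfcopyrights` or its parser structures: a bounded, case-insensitive prefix compare that trusts a length taken from the file (`unsafe_strnmatch`) beside a hardened variant (`bounded_prefix_match`) that checks the record's offset and length against the real size of the string storage before touching any byte. The `name_record` struct, the function names and the `backing` bytes are all constructed for this example; the over-read is kept inside a larger backing array so the demonstration is deterministic and only counts how far the unsafe loop walks past the table.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a font name record: offset and length come
 * straight from the file and are therefore attacker-controlled.
 * (Hypothetical layout for this example, not FontForge's struct.) */
struct name_record {
    uint16_t offset;   /* start of the string inside the string storage */
    uint16_t length;   /* claimed length of the string */
};

/* Unsafe pattern: compare up to n bytes case-insensitively, stopping only
 * at a mismatch or a NUL. It trusts that s has n readable bytes, so a
 * claimed length larger than the storage walks the loop off the end of the
 * table. `touched` records how many bytes of s were actually read. */
int unsafe_strnmatch(const char *s, const char *pat, size_t n, size_t *touched)
{
    size_t i = 0;
    int diff = 0;
    while (i < n) {
        unsigned char a = (unsigned char)s[i];
        unsigned char b = (unsigned char)pat[i];
        (*touched)++;
        diff = tolower(a) - tolower(b);
        if (diff != 0 || a == '\0')   /* mismatch, or both strings ended */
            break;
        i++;
    }
    return diff;
}

/* Hardened variant: the caller passes the real size of the string storage
 * and every index is validated before use. The bounds check is written so
 * offset + length cannot overflow.
 * Returns 1 on match, 0 on mismatch, -1 if the record is out of bounds. */
int bounded_prefix_match(const uint8_t *storage, size_t storage_len,
                         const struct name_record *rec, const char *pat)
{
    size_t patlen = strlen(pat);

    if (rec->offset > storage_len || rec->length > storage_len - rec->offset)
        return -1;                       /* record points outside the table */
    if (patlen > rec->length)
        return 0;                        /* string too short to carry pattern */
    for (size_t i = 0; i < patlen; i++) {
        if (tolower(storage[rec->offset + i]) != tolower((unsigned char)pat[i]))
            return 0;
    }
    return 1;
}

/* Constructed input: the first TABLE_LEN bytes are the "string storage" of
 * the table (no terminating NUL, as in a real name table); the '!' bytes
 * that follow stand in for whatever memory lies after the table. */
enum { TABLE_LEN = 13 };
static const uint8_t backing[] = "Copyright (c)!!!!!!!";

/* Crafted record claiming 18 bytes where the table only holds 13. */
static const struct name_record crafted = { 0, 18 };

/* Feed the crafted length to the unsafe compare and report how many bytes
 * it read. Anything above TABLE_LEN is an over-read. */
size_t demo_unsafe_overread(void)
{
    size_t touched = 0;
    unsafe_strnmatch((const char *)backing, "copyright (c) 2017",
                     crafted.length, &touched);
    return touched;
}

/* Same crafted record through the hardened path: rejected before any read. */
int demo_bounded_rejects_crafted(void)
{
    return bounded_prefix_match(backing, TABLE_LEN, &crafted, "copyright (c) 2017");
}

int main(void)
{
    struct name_record good = { 0, TABLE_LEN };
    printf("unsafe compare read %zu bytes of a %d-byte table\n",
           demo_unsafe_overread(), TABLE_LEN);
    printf("bounded compare on crafted record: %d (expect -1)\n",
           demo_bounded_rejects_crafted());
    printf("bounded compare on valid record:   %d (expect 1)\n",
           bounded_prefix_match(backing, TABLE_LEN, &good, "copyright"));
    return 0;
}
```

The point of the hardened form is that the compare never learns about the string from the bytes it reads: the caller-supplied storage length, not a NUL or a file-provided count, decides where reading stops, so a crafted record is rejected with -1 before the first byte is touched.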
Comment 14 George Gkioulis 2018-06-12 15:19:11 UTC
It seems that the issue is still not fixed:

BEFORE
~~~~~

	--20334-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
	--20334-- si_code=80;  Faulting address: 0x0;  sp: 0x4028a5df0

	valgrind: the 'impossible' happened:
	   Killed by fatal signal
	==20334==    at 0x3803F1AF: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
	==20334==    by 0x38003C1C: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
	==20334==    by 0x38004049: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
	==20334==    by 0x3807BAD5: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
	==20334==    by 0x380A81B7: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)

	sched status:
	  running_tid=1

	Thread 1: status = VgTs_Runnable
	==20334==    at 0x4C29F09: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
	==20334==    by 0x7E10D69: _nl_make_l10nflist (in /lib64/libc-2.11.3.so)
	==20334==    by 0x7E0EEA4: _nl_find_domain (in /lib64/libc-2.11.3.so)
	==20334==    by 0x7E0E85B: __dcigettext (in /lib64/libc-2.11.3.so)
	==20334==    by 0x4F7B4EF: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4F7E53A: _SFReadTTF (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FEBD51: ReadSplineFont (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FECFBB: LoadSplineFont (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FAF7BF: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FB65D8: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FB6B7D: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FB7FD0: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FB8174: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FB83E8: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FB8748: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FB89AD: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FB8B5C: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FB92A9: ff_statement (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FBA033: ProcessNativeScript (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x4FBA500: CheckIsScript (in /usr/lib64/libfontforge.so.1.0.0)
	==20334==    by 0x544409: main (in /usr/bin/fontforge)


	Note: see also the FAQ in the source distribution.
	It contains workarounds to several common problems.
	In particular, if Valgrind aborted or crashed after
	identifying problems in your program, there's a good chance
	that fixing those problems will prevent Valgrind aborting or
	crashing, especially if it happened in m_mallocfree.c.

	If that doesn't help, please report this bug to: www.valgrind.org

	In the bug report, send all the above text, the valgrind


AFTER
~~~~~

	--23981-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
	--23981-- si_code=80;  Faulting address: 0x0;  sp: 0x4028a5df0

	valgrind: the 'impossible' happened:
	   Killed by fatal signal
	==23981==    at 0x3803F1AF: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
	==23981==    by 0x38003C1C: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
	==23981==    by 0x38004049: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
	==23981==    by 0x3807BAD5: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
	==23981==    by 0x380A81B7: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)

	sched status:
	  running_tid=1

	Thread 1: status = VgTs_Runnable
	==23981==    at 0x4C29F09: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
	==23981==    by 0x7E11D69: _nl_make_l10nflist (in /lib64/libc-2.11.3.so)
	==23981==    by 0x7E0FEA4: _nl_find_domain (in /lib64/libc-2.11.3.so)
	==23981==    by 0x7E0F85B: __dcigettext (in /lib64/libc-2.11.3.so)
	==23981==    by 0x4F7B547: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4F7E5FA: _SFReadTTF (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FEBEA1: ReadSplineFont (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FED10B: LoadSplineFont (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FAF90F: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FB6728: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FB6CCD: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FB8120: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FB82C4: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FB8538: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FB8898: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FB8AFD: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FB8CAC: ??? (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FB93F9: ff_statement (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FBA183: ProcessNativeScript (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x4FBA650: CheckIsScript (in /usr/lib64/libfontforge.so.1.0.0)
	==23981==    by 0x544409: main (in /usr/bin/fontforge)


	Note: see also the FAQ in the source distribution.
	It contains workarounds to several common problems.
	In particular, if Valgrind aborted or crashed after
	identifying problems in your program, there's a good chance
	that fixing those problems will prevent Valgrind aborting or
	crashing, especially if it happened in m_mallocfree.c.

	If that doesn't help, please report this bug to: www.valgrind.org

	In the bug report, send all the above text, the valgrind
	version, and what OS and version you are using.  Thanks.


-->NOT FIXED
Comment 23 Karol Babioch 2018-12-21 10:05:10 UTC
So there is an upstream commit addressing this, could we try to apply it to our codestream, please?

https://github.com/fontforge/fontforge/issues/3096
https://github.com/fontforge/fontforge/commit/4de0c58a01e5e30610c200e9aea98bc7db12c7ac
Comment 26 Swamp Workflow Management 2019-08-28 13:19:26 UTC
SUSE-SU-2019:2236-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050161,1050181,1050185,1050187,1050193,1050194,1050195,1050196,1050200
CVE References: CVE-2017-11568,CVE-2017-11569,CVE-2017-11571,CVE-2017-11572,CVE-2017-11573,CVE-2017-11574,CVE-2017-11575,CVE-2017-11576,CVE-2017-11577
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    fontforge-20170731-11.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Alexandros Toptsoglou 2020-07-09 14:55:37 UTC
Done