Stack buffer overflow in BDF file parsing
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| fontforge (Ubuntu) |
Fix Released
|
Low
|
Unassigned | ||
Bug Description
Binary package hint: fontforge
[Description taken from Red Hat bug [3]]
Ulrik Persson reported a stack-based buffer overflow
flaw in the way FontForge font editor processed certain
Bitmap Distribution Format (BDF) font files, with
specially-crafted value of the CHARSET_REGISTRY header.
A remote attacker could create a specially-crafted BDF
font file and trick a local, unsuspecting user into
opening it in FontForge, which could lead to fontforge
executable crash or, potentially, arbitrary code execution
with the privileges of the user running the executable.
References:
[1] http://
Public PoC:
[2]
http://
[3] Red Hat bug: https:/
Flaw severity note:
On systems with compile time buffer checks (FORTIFY_SOURCE)
feature enabled, the impact of this flaw is mitigated to
be only crash.
CVE References
| Louis Simard (louis-simard-deactivatedaccount) wrote | #1 |
| visibility: | private → public |
| Louis Simard (louis-simard-deactivatedaccount) wrote | #2 |
| security vulnerability: | yes → no |
| security vulnerability: | no → yes |
| tags: | added: patch |
| Changed in fontforge (Ubuntu): | |
| status: | New → Confirmed |
| importance: | Undecided → Low |
| Jamie Strandboge (jdstrand) wrote | #3 |
| Changed in fontforge (Ubuntu): | |
| status: | Confirmed → Fix Released |
Attached is a unified format patch which should copy strings correctly within
their allocated buffers, for many fields in the BDF file format, including
CHARSET_REGISTRY.
I have tested FontForge before and after the patch; it does not crash
predictably anymore.