Stack buffer overflow in BDF file parsing
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
fontforge (Ubuntu) | Fix Released | Low | Unassigned | 
Bug Description
Binary package hint: fontforge
[Description taken from Red Hat bug [3]]
Ulrik Persson reported a stack-based buffer overflow flaw in the way the FontForge font editor processed certain Bitmap Distribution Format (BDF) font files with a specially crafted value of the CHARSET_REGISTRY header. A remote attacker could create a specially crafted BDF font file and trick a local, unsuspecting user into opening it in FontForge, which could lead to a crash of the fontforge executable or, potentially, arbitrary code execution with the privileges of the user running the executable.
References:
[1] http://
[2] Public PoC: http://
[3] Red Hat bug: https:/
Flaw severity note:
On systems built with compile-time buffer checks (FORTIFY_SOURCE) enabled, the impact of this flaw is mitigated to a crash only.
CVE References
- security vulnerability: yes → no
- security vulnerability: no → yes
- tags: added: patch
- Changed in fontforge (Ubuntu):
  - status: New → Confirmed
  - importance: Undecided → Low
Attached is a unified format patch which should copy strings correctly within
their allocated buffers, for many fields in the BDF file format, including
CHARSET_REGISTRY.
I have tested FontForge before and after the patch; it does not crash
predictably anymore.
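The defect described in the bug report, and the fix approach described in the comment above (copy each string-valued BDF field only within its allocated buffer), can be illustrated with a small bounded header parser. This is an added example written for this page; it is not FontForge's code and not the attached patch. It assumes a 64-byte limit per property (`BDF_FIELD_MAX`, an assumption of the example), tracks only three properties, and uses a constructed header rather than a real font file. Oversized values are rejected outright instead of truncated, so nothing is written past the fixed-size buffers on a crafted CHARSET_REGISTRY line.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on a string-valued BDF property: an assumption for this
   example, not a limit taken from FontForge or the BDF specification. */
#define BDF_FIELD_MAX 64

struct bdf_header {
    char charset_registry[BDF_FIELD_MAX];
    char charset_encoding[BDF_FIELD_MAX];
    char foundry[BDF_FIELD_MAX];
};

/* Copy a property value into a fixed-size buffer, stripping trailing CR/space
   and surrounding double quotes. Returns -1 and writes nothing if the value
   would not fit. The bug class on this page is the unbounded variant of this
   step (e.g. strcpy()/sscanf("%s") into a stack array with no length check). */
static int copy_bounded(char *dst, size_t dstsz, const char *src, size_t len)
{
    while (len > 0 && (src[len - 1] == '\r' || src[len - 1] == ' '))
        len--;
    if (len >= 2 && src[0] == '"' && src[len - 1] == '"') {
        src++;
        len -= 2;
    }
    if (len >= dstsz)          /* no room for value plus NUL terminator */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse one "KEYWORD value" line (line is not NUL-terminated at len).
   Returns 1 if a tracked property was stored, 0 if the keyword is not
   tracked, -1 if the value was too long. */
int bdf_parse_header_line(struct bdf_header *h, const char *line, size_t len)
{
    static const struct { const char *kw; size_t off; } fields[] = {
        { "CHARSET_REGISTRY", offsetof(struct bdf_header, charset_registry) },
        { "CHARSET_ENCODING", offsetof(struct bdf_header, charset_encoding) },
        { "FOUNDRY",          offsetof(struct bdf_header, foundry) },
    };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        size_t kwlen = strlen(fields[i].kw);
        if (len > kwlen && strncmp(line, fields[i].kw, kwlen) == 0 &&
            (line[kwlen] == ' ' || line[kwlen] == '\t')) {
            const char *val = line + kwlen;
            size_t vlen = len - kwlen;
            while (vlen > 0 && (*val == ' ' || *val == '\t')) { val++; vlen--; }
            char *dst = (char *)h + fields[i].off;
            return copy_bounded(dst, BDF_FIELD_MAX, val, vlen) == 0 ? 1 : -1;
        }
    }
    return 0;
}

/* Parse all lines of a BDF header. Returns the number of tracked properties
   stored, or -1 at the first oversized value (the file is rejected, never
   silently truncated). */
int bdf_parse_header(struct bdf_header *h, const char *text)
{
    int stored = 0;
    memset(h, 0, sizeof *h);
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        int r = bdf_parse_header_line(h, p, len);
        if (r < 0)
            return -1;
        stored += r;
        if (!nl)
            break;
        p = nl + 1;
    }
    return stored;
}

/* Constructed sample header, not taken from any real font file. */
static const char BDF_GOOD[] =
    "STARTFONT 2.1\n"
    "FONT -misc-fixed-medium-r-normal--13-120-75-75-c-70-iso10646-1\n"
    "FOUNDRY \"Misc\"\n"
    "CHARSET_REGISTRY \"ISO10646\"\n"
    "CHARSET_ENCODING \"1\"\n";

/* Parse BDF_GOOD and return its CHARSET_REGISTRY value (static storage). */
const char *demo_good_registry(void)
{
    static struct bdf_header h;
    return bdf_parse_header(&h, BDF_GOOD) < 0 ? NULL : h.charset_registry;
}

/* Build a header whose CHARSET_REGISTRY value is n bytes of 'A' and parse it:
   returns 2 when the value fits, -1 when the parser rejects it. */
int parse_with_registry_len(size_t n)
{
    char buf[1024];
    struct bdf_header h;
    if (n > 900)
        return -2;
    int k = snprintf(buf, sizeof buf, "STARTFONT 2.1\nCHARSET_REGISTRY \"");
    memset(buf + k, 'A', n);
    k += (int)n;
    snprintf(buf + k, sizeof buf - (size_t)k, "\"\nCHARSET_ENCODING \"1\"\n");
    return bdf_parse_header(&h, buf);
}
```

With the 64-byte limit, `parse_with_registry_len(8)` stores both tracked properties and returns 2, while `parse_with_registry_len(200)` returns -1 before any byte of the oversized value is copied. Rejecting rather than truncating is the design choice worth noting: a truncated CHARSET_REGISTRY would still parse "successfully" and could be mistaken for a valid registry name further down the pipeline.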