Backport #41309 ( 8b281f83e ) to fix use of uninitialized data.

Bug #1449225 reported by Bungeman on 2015-04-27
Affects              Status   Importance   Assigned to   Milestone
freetype (Ubuntu)             Undecided    Unassigned
Precise                       Undecided    Unassigned
Trusty                        Undecided    Unassigned
Utopic                        Undecided    Unassigned
Vivid                         Undecided    Unassigned
Wily                          Undecided    Unassigned

Bug Description

FreeType issue https://savannah.nongnu.org/bugs/?41309 was fixed with http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=8b281f83e8516535756f92dbf90940ac44bd45e1 . This change is not in any of the current FreeType packages (neither Precise freetype 2.4.8-1ubuntu2.2 nor Trusty freetype 2.5.2-1ubuntu2.4). This is a fix for a few use-of-uninitialized-data bugs that were found by MSan, and is in FreeType 2.5.3 (but comes after 2.5.2).

This is a request to backport http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=8b281f83e8516535756f92dbf90940ac44bd45e1 to all currently supported packages of FreeType, as all of them appear to be affected. Since this fixes reads of uninitialized memory in a widely used package, I'm marking this as a security related issue.

Bungeman (bungeman) wrote:

Not sure how much it helps, but here is the git format-patch I made locally against the source of precise-security freetype 2.4.8-1ubuntu2.2 . I haven't patched the current Trusty freetype, but I have verified that it doesn't have the fix yet.

information type: Private Security → Public Security
Changed in freetype (Ubuntu Precise):
status: New → Confirmed
Changed in freetype (Ubuntu Trusty):
status: New → Confirmed
Changed in freetype (Ubuntu Utopic):
status: New → Confirmed
Changed in freetype (Ubuntu Vivid):
status: New → Confirmed
Changed in freetype (Ubuntu Wily):
status: New → Confirmed

The attachment "0001-Fix-Savannah-bug-41309.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package freetype - 2.5.2-4ubuntu1

---------------
freetype (2.5.2-4ubuntu1) wily; urgency=medium

  * Merge from Debian unstable, remaining changes:
    - debian/patches-freetype/revert_scalable_fonts_metric.patch:
      revert commit "Fix metrics on size request for scalable fonts.",
      which breaks gtk underlining markups
    - Make libfreetype6-dev M-A: same.
    - Error out on the use of the freetype-config --libtool option.
    - Don't add multiarch libdirs for freetype-config --libs.
    - Install the freetype2/config headers into the multiarch include path
      and provide symlinks in /usr/include.
    - debian/patches-freetype/multi-thread-violations.patch: fix
      multithread violations
  * Dropped changes, included in Debian:
    - debian/patches-freetype/CVE-2014-96xx/*
  * debian/patches-freetype/savannah-bug-41309.patch: fix use of
    uninitialized data. (LP: #1449225)

freetype (2.5.2-4) unstable; urgency=medium

  * Fix Savannah bug #43774. Closes #780143.
  * Release 2.5.2-4

freetype (2.5.2-3) unstable; urgency=medium

  * Fix Savannah bug #43535. CVE-2014-9675
  * [bdf] Fix Savannah bug #41692. CVE-2014-9675-fixup-1
  * src/base/ftobj.c (Mac_Read_POST_Resource): Additional overflow check
    in the summation of POST fragment lengths. CVE-2014-0674-part-2
  * src/base/ftobjs.c (Mac_Read_POST_Resource): Insert comments and fold
    too long tracing messages. CVS-2014-9674-fixup-2
  * src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long variables to read the lengths in POST fragments. CVE-2014-9674-fixup-1
  * Fix Savannah bug #43538. CVE-2014-9674-part-1
  * Fix Savannah bug #43539. CVE-2014-9673
  * src/base/ftobjs.c (Mac_Read_POST_Resource): Avoid memory leak by
    a broken POST table in resource-fork. CVE-2014-9673-fixup
  * Fix Savannah bug #43540. CVE-2014-9672
  * Fix Savannah bug #43547. CVE-2014-9671
  * Fix Savannah bug #43548. CVE-2014-9670
  * [sfnt] Fix Savannah bug #43588. CVE-2014-9669
  * [sfnt] Fix Savannah bug #43589. CVE-2014-9668
  * [sfnt] Fix Savannah bug #43590. CVE-2014-9667
  * [sfnt] Fix Savannah bug #43591. CVE-2014-9666
  * Change some fields in `FT_Bitmap' to unsigned type. CVE-2014-9665
  * Fix uninitialized variable warning. CVE-2014-9665-fixup-2
  * Make `FT_Bitmap_Convert' correctly handle negative `pitch' values.
    CVE-2014-9665-fixup
  * [type1, type42] Fix Savannah bug #43655. CVE-2014-9664
  * [sfnt] Fix Savannah bug #43656. CVE-2014-9663
  * [cff] Fix Savannah bug #43658. CVE-2014-9662
  * [type42] Allow only embedded TrueType fonts. CVE-2014-9661
  * [bdf] Fix Savannah bug #43660. CVE-2014-9660
  * [cff] Fix Savannah bug #43661. CVE-2014-9659
  * [sfnt] Fix Savannah bug #43672. CVE-2014-9658
  * [truetype] Fix Savannah bug #43679. CVE-2014-9657
  * [sfnt] Fix Savannah bug #43680. CVE-2014-9656
  * All CVEs patched. Closes: #777656.

 -- Marc Deslauriers <email address hidden> Fri, 22 May 2015 11:03:23 -0400

Changed in freetype (Ubuntu Wily):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package freetype - 2.5.2-2ubuntu3.1

---------------
freetype (2.5.2-2ubuntu3.1) vivid-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reads (LP: #1449225)
    - debian/patches-freetype/savannah-bug-41309.patch: fix use of
      uninitialized data in src/cid/cidload.c, src/psaux/psobjs.c,
      src/type1/t1load.c, src/type42/t42parse.c.
    - No CVE number
  * SECURITY UPDATE: denial of service via infinite loop in parse_encode
    (LP: #1492124)
    - debian/patches-freetype/savannah-bug-41590.patch: protect against
      invalid charcode in src/type1/t1load.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Thu, 10 Sep 2015 07:07:57 -0400

Changed in freetype (Ubuntu Vivid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package freetype - 2.5.2-1ubuntu2.5

---------------
freetype (2.5.2-1ubuntu2.5) trusty-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reads (LP: #1449225)
    - debian/patches-freetype/savannah-bug-41309.patch: fix use of
      uninitialized data in src/cid/cidload.c, src/psaux/psobjs.c,
      src/type1/t1load.c, src/type42/t42parse.c.
    - No CVE number
  * SECURITY UPDATE: denial of service via infinite loop in parse_encode
    (LP: #1492124)
    - debian/patches-freetype/savannah-bug-41590.patch: protect against
      invalid charcode in src/type1/t1load.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Thu, 10 Sep 2015 07:09:04 -0400

Changed in freetype (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package freetype - 2.4.8-1ubuntu2.3

---------------
freetype (2.4.8-1ubuntu2.3) precise-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reads (LP: #1449225)
    - debian/patches-freetype/savannah-bug-41309.patch: fix use of
      uninitialized data in src/cid/cidload.c, src/psaux/psobjs.c,
      src/type1/t1load.c, src/type42/t42parse.c.
    - No CVE number
  * SECURITY UPDATE: denial of service via infinite loop in parse_encode
    (LP: #1492124)
    - debian/patches-freetype/savannah-bug-41590.patch: protect against
      invalid charcode in src/type1/t1load.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Thu, 10 Sep 2015 07:10:41 -0400

Changed in freetype (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in freetype (Ubuntu Utopic):
status: Confirmed → Won't Fix
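The four Launchpad Janitor entries above give the first package version per release that carries savannah-bug-41309.patch. The script below is an added example (not part of this bug report or of the freetype package) that turns those versions into a check an administrator can run: it compares an installed libfreetype6 version against the fixed version for its release using dpkg's own version ordering. It assumes dpkg (or, as a fallback, GNU sort) is available and, for the live check, dpkg-query and lsb_release; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug or the freetype package): decide whether an
# installed libfreetype6 already carries savannah-bug-41309.patch by comparing
# its version against the first fixed version the Launchpad Janitor announced
# for each release in LP: #1449225. Assumes dpkg (or GNU sort) and, for the
# live check, dpkg-query and lsb_release.

# Fixed package versions per release, taken from the changelog entries above.
# Utopic was marked Won't Fix in this bug and therefore has no fixed version.
fixed_version_for() {
    case "$1" in
        precise) echo "2.4.8-1ubuntu2.3" ;;
        trusty)  echo "2.5.2-1ubuntu2.5" ;;
        vivid)   echo "2.5.2-2ubuntu3.1" ;;
        wily)    echo "2.5.2-4ubuntu1" ;;
        *)       return 1 ;;
    esac
}

# version_ge A B: true when A >= B in Debian version ordering. Prefer dpkg's
# own comparison; fall back to GNU sort -V, which orders these particular
# strings the same way but does not implement every dpkg rule (for example
# '~' sorting before the empty string), so treat the fallback as approximate.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# lp1449225_status RELEASE INSTALLED_VERSION
# Prints "fixed", "vulnerable", or "no-fixed-version" for a release that is
# unknown or was marked Won't Fix (exit status 2 in that last case).
lp1449225_status() {
    fixed=$(fixed_version_for "$1") || { echo "no-fixed-version"; return 2; }
    if version_ge "$2" "$fixed"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Live check on the running system; returns non-zero if the tools are missing.
check_running_system() {
    release=$(lsb_release -cs 2>/dev/null) || return 1
    installed=$(dpkg-query -W -f '${Version}' libfreetype6 2>/dev/null) || return 1
    echo "libfreetype6 $installed on $release: $(lp1449225_status "$release" "$installed")"
}
```

Source the file and call `check_running_system` on the host being audited, or call `lp1449225_status trusty 2.5.2-1ubuntu2.4` directly when the version string comes from an inventory rather than the local dpkg database. Because the later trusty-security, vivid-security and precise-security uploads also bundle the savannah-bug-41590.patch (LP: #1492124) fix, a "fixed" verdict covers both issues on those releases.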
lava (lavasanjay) on 2015-09-13
Changed in freetype (Ubuntu Trusty):
assignee: nobody → lava (lavasanjay)
Changed in freetype (Ubuntu Trusty):
assignee: lava (lavasanjay) → nobody