infinite loop in parse_encoding (t1load.c)

Bug #1492124 reported by Lei Zhang on 2015-09-04
Affects / Status / Importance / Assigned to / Milestone:
  FreeType (upstream): status Unknown, importance Unknown
  freetype (Ubuntu): importance Undecided, assigned to Marc Deslauriers
  freetype (Ubuntu Precise): importance Undecided, assigned to Marc Deslauriers
  freetype (Ubuntu Trusty): importance Undecided, assigned to Marc Deslauriers
  freetype (Ubuntu Vivid): importance Undecided, assigned to Marc Deslauriers
  freetype (Ubuntu Wily): importance Undecided, assigned to Marc Deslauriers

Bug Description

Ubuntu 14.04's libfreetype has not been patched with the fix for [1], thus applications that use libfreetype6 (e.g. Chromium / Google Chrome [2]) are vulnerable to infinite loops. If you add a small patch to apply freetype commit df14e6 [3], that should fix the problem. I verified this locally.

I have not checked other Ubuntu releases to see if they are affected.

[1] http://savannah.nongnu.org/bugs/index.php?41590
[2] https://code.google.com/p/chromium/issues/detail?id=459050
[3] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=df14e6c0b9592cbb24d5381dfc6106b14f915e75

Seth Arnold (seth-arnold) wrote:

Do you know if a CVE has been assigned for this issue?

Thanks

information type: Public → Public Security
Lei Zhang (thestig-google) wrote:

From reading [1] [2] and [3], I don't believe a CVE has been assigned.

Changed in freetype (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetype (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetype (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetype (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetype (Ubuntu Precise):
status: New → Confirmed
Changed in freetype (Ubuntu Trusty):
status: New → Confirmed
Changed in freetype (Ubuntu Vivid):
status: New → Confirmed
Changed in freetype (Ubuntu Wily):
status: New → Confirmed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package freetype - 2.5.2-2ubuntu3.1

---------------
freetype (2.5.2-2ubuntu3.1) vivid-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reads (LP: #1449225)
    - debian/patches-freetype/savannah-bug-41309.patch: fix use of
      uninitialized data in src/cid/cidload.c, src/psaux/psobjs.c,
      src/type1/t1load.c, src/type42/t42parse.c.
    - No CVE number
  * SECURITY UPDATE: denial of service via infinite loop in parse_encode
    (LP: #1492124)
    - debian/patches-freetype/savannah-bug-41590.patch: protect against
      invalid charcode in src/type1/t1load.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Thu, 10 Sep 2015 07:07:57 -0400

Changed in freetype (Ubuntu Vivid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package freetype - 2.5.2-1ubuntu2.5

---------------
freetype (2.5.2-1ubuntu2.5) trusty-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reads (LP: #1449225)
    - debian/patches-freetype/savannah-bug-41309.patch: fix use of
      uninitialized data in src/cid/cidload.c, src/psaux/psobjs.c,
      src/type1/t1load.c, src/type42/t42parse.c.
    - No CVE number
  * SECURITY UPDATE: denial of service via infinite loop in parse_encode
    (LP: #1492124)
    - debian/patches-freetype/savannah-bug-41590.patch: protect against
      invalid charcode in src/type1/t1load.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Thu, 10 Sep 2015 07:09:04 -0400

Changed in freetype (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package freetype - 2.4.8-1ubuntu2.3

---------------
freetype (2.4.8-1ubuntu2.3) precise-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reads (LP: #1449225)
    - debian/patches-freetype/savannah-bug-41309.patch: fix use of
      uninitialized data in src/cid/cidload.c, src/psaux/psobjs.c,
      src/type1/t1load.c, src/type42/t42parse.c.
    - No CVE number
  * SECURITY UPDATE: denial of service via infinite loop in parse_encode
    (LP: #1492124)
    - debian/patches-freetype/savannah-bug-41590.patch: protect against
      invalid charcode in src/type1/t1load.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Thu, 10 Sep 2015 07:10:41 -0400

Changed in freetype (Ubuntu Precise):
status: Confirmed → Fix Released
Lei Zhang (thestig-google) wrote:

Thanks for pushing out the update! I verified it fixed the infinite loop for Google Chrome.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package freetype - 2.5.2-4ubuntu2

---------------
freetype (2.5.2-4ubuntu2) wily; urgency=medium

  * SECURITY UPDATE: denial of service via infinite loop in parse_encode
    (LP: #1492124)
    - debian/patches-freetype/savannah-bug-41590.patch: protect against
      invalid charcode in src/type1/t1load.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Thu, 10 Sep 2015 07:05:53 -0400

Changed in freetype (Ubuntu Wily):
status: Confirmed → Fix Released