infinite loop in parse_encoding (t1load.c)

Bug #1492124 reported by Lei Zhang
Affects             Status        Importance  Assigned to       Milestone
FreeType            Unknown       Unknown
freetype (Ubuntu)   Fix Released  Undecided   Marc Deslauriers
  Precise           Fix Released  Undecided   Marc Deslauriers
  Trusty            Fix Released  Undecided   Marc Deslauriers
  Vivid             Fix Released  Undecided   Marc Deslauriers
  Wily              Fix Released  Undecided   Marc Deslauriers

Bug Description

Ubuntu 14.04's libfreetype has not been patched with the fix for [1], thus applications that use libfreetype6 are vulnerable to infinite loops, e.g. Chromium / Google Chrome. [2] If you add a small patch to apply freetype commit df14e6 [3], that should fix the problem. I verified this locally.

I have not checked other Ubuntu releases to see if they are affected.

[1] http://savannah.nongnu.org/bugs/index.php?41590
[2] https://code.google.com/p/chromium/issues/detail?id=459050
[3] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=df14e6c0b9592cbb24d5381dfc6106b14f915e75

Seth Arnold (seth-arnold) wrote:

Do you know if a CVE has been assigned for this issue?

Thanks

information type: Public → Public Security
Lei Zhang (thestig-google) wrote:

From reading [1] [2] and [3], I don't believe a CVE has been assigned.

Changed in freetype (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetype (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetype (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetype (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetype (Ubuntu Precise):
status: New → Confirmed
Changed in freetype (Ubuntu Trusty):
status: New → Confirmed
Changed in freetype (Ubuntu Vivid):
status: New → Confirmed
Changed in freetype (Ubuntu Wily):
status: New → Confirmed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package freetype - 2.5.2-2ubuntu3.1

---------------
freetype (2.5.2-2ubuntu3.1) vivid-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reads (LP: #1449225)
    - debian/patches-freetype/savannah-bug-41309.patch: fix use of
      uninitialized data in src/cid/cidload.c, src/psaux/psobjs.c,
      src/type1/t1load.c, src/type42/t42parse.c.
    - No CVE number
  * SECURITY UPDATE: denial of service via infinite loop in parse_encode
    (LP: #1492124)
    - debian/patches-freetype/savannah-bug-41590.patch: protect against
      invalid charcode in src/type1/t1load.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Thu, 10 Sep 2015 07:07:57 -0400

Changed in freetype (Ubuntu Vivid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package freetype - 2.5.2-1ubuntu2.5

---------------
freetype (2.5.2-1ubuntu2.5) trusty-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reads (LP: #1449225)
    - debian/patches-freetype/savannah-bug-41309.patch: fix use of
      uninitialized data in src/cid/cidload.c, src/psaux/psobjs.c,
      src/type1/t1load.c, src/type42/t42parse.c.
    - No CVE number
  * SECURITY UPDATE: denial of service via infinite loop in parse_encode
    (LP: #1492124)
    - debian/patches-freetype/savannah-bug-41590.patch: protect against
      invalid charcode in src/type1/t1load.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Thu, 10 Sep 2015 07:09:04 -0400

Changed in freetype (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package freetype - 2.4.8-1ubuntu2.3

---------------
freetype (2.4.8-1ubuntu2.3) precise-security; urgency=medium

  * SECURITY UPDATE: uninitialized memory reads (LP: #1449225)
    - debian/patches-freetype/savannah-bug-41309.patch: fix use of
      uninitialized data in src/cid/cidload.c, src/psaux/psobjs.c,
      src/type1/t1load.c, src/type42/t42parse.c.
    - No CVE number
  * SECURITY UPDATE: denial of service via infinite loop in parse_encode
    (LP: #1492124)
    - debian/patches-freetype/savannah-bug-41590.patch: protect against
      invalid charcode in src/type1/t1load.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Thu, 10 Sep 2015 07:10:41 -0400

Changed in freetype (Ubuntu Precise):
status: Confirmed → Fix Released
Lei Zhang (thestig-google) wrote:

Thanks for pushing out the update! I verified it fixed the infinite loop for Google Chrome.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package freetype - 2.5.2-4ubuntu2

---------------
freetype (2.5.2-4ubuntu2) wily; urgency=medium

  * SECURITY UPDATE: denial of service via infinite loop in parse_encode
    (LP: #1492124)
    - debian/patches-freetype/savannah-bug-41590.patch: protect against
      invalid charcode in src/type1/t1load.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Thu, 10 Sep 2015 07:05:53 -0400

Changed in freetype (Ubuntu Wily):
status: Confirmed → Fix Released
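The changelog entries above name the package version that carries the savannah-bug-41590 fix on each Ubuntu release. A practitioner auditing hosts wants to compare the installed libfreetype6 version against those numbers. The following script is an added example, not part of this bug report and not Ubuntu's or FreeType's own tooling: it reimplements dpkg's version-ordering algorithm (epoch, then upstream version, then Debian revision, with "~" sorting before everything, letters before other punctuation, and digit runs compared numerically) and checks an installed version against the fixed versions posted on this bug. The table of fixed versions is copied from the Launchpad Janitor comments; the sample version strings in the usage block are constructed.

```python
"""Check whether an installed Ubuntu freetype package already contains the
fix for LP #1492124 (infinite loop in parse_encoding, src/type1/t1load.c).

Added example; the fixed versions come from the changelog entries posted on
the bug, and the comparison follows dpkg's version ordering rules."""

# Fixed package versions per release, taken from the Launchpad Janitor comments.
FIXED_VERSIONS = {
    "precise": "2.4.8-1ubuntu2.3",
    "trusty": "2.5.2-1ubuntu2.5",
    "vivid": "2.5.2-2ubuntu3.1",
    "wily": "2.5.2-4ubuntu2",
}


def _order(c):
    """Sort weight of one character inside a non-digit run, as dpkg defines it."""
    if c.isdigit():
        return 0           # a digit ends the run; same weight as end of string
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even the empty string
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit run: compare character by character using _order weights.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        # Digit run: drop leading zeros, then compare numerically.
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        first_diff = 0
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1       # a has more digits left, so it is the larger number
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                       # no Debian revision present
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def is_fixed(codename, installed_version):
    """True if the installed freetype on this Ubuntu release is at or above the
    version that shipped the LP #1492124 fix."""
    if codename not in FIXED_VERSIONS:
        raise ValueError("no fixed version on this bug for release %r" % codename)
    return compare_versions(installed_version, FIXED_VERSIONS[codename]) >= 0


if __name__ == "__main__":
    # Constructed samples of what `dpkg-query -W -f='${Version}' libfreetype6`
    # prints on a trusty host before and after the security update.
    for ver in ("2.5.2-1ubuntu2.4", "2.5.2-1ubuntu2.5"):
        print("trusty", ver, "fixed" if is_fixed("trusty", ver) else "VULNERABLE")
```

On a real host, feed the output of `dpkg-query -W -f='${Version}' libfreetype6` together with the codename from `lsb_release -sc` into `is_fixed`; the version comparison is the part that matters, since a plain string comparison gets cases like "2.10" versus "2.9" wrong.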