[Precise] FreeType is vulnerable to CVE-2012-1126 through CVE-2012-1144

Bug #963283 reported by Tyler Hicks on 2012-03-23
Affects: freetype (Ubuntu)
Importance: Medium
Assigned to: Tyler Hicks

Bug Description

Precise, along with Debian unstable and testing, currently uses freetype version 2.4.8-1. Upstream FreeType recently released version 2.4.9, which addressed many security issues:

http://sourceforge.net/projects/freetype/files/freetype2/2.4.9/README/view

There have also been a few upstream commits, since the 2.4.9 release, that made improvements and/or corrections to the changes in 2.4.9.

I've addressed these issues in our stable releases, but Precise is still in need of an update. I will attach a debdiff of the fixes backported to 2.4.8-1.

The Ubuntu CVE Tracker has links to the related bugs and patches:

http://people.canonical.com/~ubuntu-security/cve/pkg/freetype.html

Tyler Hicks (tyhicks) wrote :

I've tested this debdiff using the QA Regression Testing framework and the reproducers attached to the upstream bugs.

description: updated
Changed in freetype (Ubuntu):
status: Triaged → Confirmed
visibility: private → public
Steve Langasek (vorlon) wrote :

Please note that there are regressions wrt ghostscript with freetype 2.4.9; these may be intertwined with the security patches, I haven't looked yet.

  https://savannah.nongnu.org/bugs/index.php?35847
  https://savannah.nongnu.org/bugs/index.php?35833

Tyler Hicks (tyhicks) wrote :

On 2012-03-23 17:52:04, Steve Langasek wrote:
> Please note that there are regressions wrt ghostscript with freetype
> 2.4.9; these may be intertwined with the security patches, I haven't
> looked yet.

They are intertwined with the security patches, but the attached debdiff
already accounts for them.

> https://savannah.nongnu.org/bugs/index.php?35847
> https://savannah.nongnu.org/bugs/index.php?35833

Fixes for both of these bugs are included, along with the original
CVE-2012-1132 fix, in CVE-2012-1132.patch

On Fri, Mar 23, 2012 at 06:14:55PM -0000, Tyler Hicks wrote:
> On 2012-03-23 17:52:04, Steve Langasek wrote:
> > Please note that there are regressions wrt ghostscript with freetype
> > 2.4.9; these may be intertwined with the security patches, I haven't
> > looked yet.

> They are intertwined with the security patches, but the attached debdiff
> already accounts for them.

> > https://savannah.nongnu.org/bugs/index.php?35847
> > https://savannah.nongnu.org/bugs/index.php?35833

> Fixes for both of these bugs are included, along with the original
> CVE-2012-1132 fix, in CVE-2012-1132.patch

Great, thanks!

--
Steve Langasek
Debian Developer
Ubuntu Developer
http://www.debian.org/
<email address hidden>
<email address hidden>

"Give me a lever long enough and a Free OS to set it on, and I can move the world."

Jamie Strandboge (jdstrand) wrote :

I tested this with QRT and all tests pass. I also booted into a precise VM and examined various menus, used libreoffice, used evince, and performed printing operations. Uploading to precise. This is not critical for beta-2, but it is fine if it ends up there.

Changed in freetype (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
milestone: none → ubuntu-12.04
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors now that it is uploaded.

Changed in freetype (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freetype - 2.4.8-1ubuntu1

---------------
freetype (2.4.8-1ubuntu1) precise; urgency=low

  * SECURITY UPDATE: Denial of service via crafted BDF font (LP: #963283)
    - debian/patches-freetype/CVE-2012-1126.patch: Perform better input
      sanitization when parsing properties. Based on upstream patch.
    - CVE-2012-1126
  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1127.patch: Perform better input
      sanitization when parsing glyphs. Based on upstream patch.
    - CVE-2012-1127
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1128.patch: Improve loop logic to avoid
      NULL pointer dereference. Based on upstream patch.
    - CVE-2012-1128
  * SECURITY UPDATE: Denial of service via crafted Type42 font
    - debian/patches-freetype/CVE-2012-1129.patch: Perform better input
      sanitization when parsing SFNT strings. Based on upstream patch.
    - CVE-2012-1129
  * SECURITY UPDATE: Denial of service via crafted PCF font
    - debian/patches-freetype/CVE-2012-1130.patch: Allocate enough memory to
      properly NULL-terminate parsed properties strings. Based on upstream
      patch.
    - CVE-2012-1130
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1131.patch: Use appropriate data type to
      prevent integer truncation on 64 bit systems when rendering fonts. Based
      on upstream patch.
    - CVE-2012-1131
  * SECURITY UPDATE: Denial of service via crafted Type1 font
    - debian/patches-freetype/CVE-2012-1132.patch: Ensure strings are of
      appropriate length when loading Type1 fonts. Based on upstream patch.
    - CVE-2012-1132
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted BDF font
    - debian/patches-freetype/CVE-2012-1133.patch: Limit range of negative
      glyph encoding values to prevent invalid array indexes. Based on
      upstream patch.
    - CVE-2012-1133
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted Type1 font
    - debian/patches-freetype/CVE-2012-1134.patch: Enforce a minimum Type1
      private dictionary size to prevent writing past array bounds. Based on
      upstream patch.
    - CVE-2012-1134
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1135.patch: Perform proper bounds
      checks when interpreting TrueType bytecode. Based on upstream patch.
    - CVE-2012-1135
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted BDF font
    - debian/patches-freetype/CVE-2012-1136.patch: Ensure encoding field is
      defined when parsing glyphs. Based on upstream patch.
    - CVE-2012-1136
  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1137.patch: Allocate sufficient number
      of array elements to prevent reading past array bounds. Based on
      upstream patch.
    - CVE-2012-1137
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1138.patch: Correct typo...


Changed in freetype (Ubuntu):
status: Fix Committed → Fix Released