[Precise] FreeType is vulnerable to CVE-2012-1126 through CVE-2012-1144

Bug #963283 reported by Tyler Hicks
Affects: freetype (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Tyler Hicks

Bug Description

Precise, along with Debian unstable and testing, currently use freetype version 2.4.8-1. Upstream FreeType recently released version 2.4.9, which addressed many security issues:

http://sourceforge.net/projects/freetype/files/freetype2/2.4.9/README/view

There have also been a few upstream commits, since the 2.4.9 release, that made improvements and/or corrections to the changes in 2.4.9.

I've addressed these issues in our stable releases, but Precise is still in need of an update. I will attach a debdiff of the fixes backported to 2.4.8-1.

The Ubuntu CVE Tracker has links to the related bugs and patches:

http://people.canonical.com/~ubuntu-security/cve/pkg/freetype.html

Tyler Hicks (tyhicks) wrote :

I've tested this debdiff using the QA Regression Testing framework and the reproducers attached to the upstream bugs.

description: updated
Changed in freetype (Ubuntu):
status: Triaged → Confirmed
visibility: private → public
Steve Langasek (vorlon) wrote :

Please note that there are regressions wrt ghostscript with freetype 2.4.9; these may be intertwined with the security patches, I haven't looked yet.

  https://savannah.nongnu.org/bugs/index.php?35847
  https://savannah.nongnu.org/bugs/index.php?35833

Tyler Hicks (tyhicks) wrote :

On 2012-03-23 17:52:04, Steve Langasek wrote:
> Please note that there are regressions wrt ghostscript with freetype
> 2.4.9; these may be intertwined with the security patches, I haven't
> looked yet.

They are intertwined with the security patches, but the attached debdiff
already accounts for them.

> https://savannah.nongnu.org/bugs/index.php?35847
> https://savannah.nongnu.org/bugs/index.php?35833

Fixes for both of these bugs are included, along with the original
CVE-2012-1132 fix, in CVE-2012-1132.patch

Steve Langasek (vorlon) wrote : Re: [Bug 963283]

On Fri, Mar 23, 2012 at 06:14:55PM -0000, Tyler Hicks wrote:
> On 2012-03-23 17:52:04, Steve Langasek wrote:
> > Please note that there are regressions wrt ghostscript with freetype
> > 2.4.9; these may be intertwined with the security patches, I haven't
> > looked yet.

> They are intertwined with the security patches, but the attached debdiff
> already accounts for them.

> > https://savannah.nongnu.org/bugs/index.php?35847
> > https://savannah.nongnu.org/bugs/index.php?35833

> Fixes for both of these bugs are included, along with the original
> CVE-2012-1132 fix, in CVE-2012-1132.patch

Great, thanks!

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
<email address hidden>           <email address hidden>

Jamie Strandboge (jdstrand) wrote :

I tested this with QRT and all tests pass. I also booted into a precise VM and examined various menus, used libreoffice, used evince, and performed printing operations. Uploading to precise. This is not critical for beta-2, but it is fine if it ends up there.

Changed in freetype (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
milestone: none → ubuntu-12.04
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors now that it is uploaded.

Changed in freetype (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freetype - 2.4.8-1ubuntu1

---------------
freetype (2.4.8-1ubuntu1) precise; urgency=low

  * SECURITY UPDATE: Denial of service via crafted BDF font (LP: #963283)
    - debian/patches-freetype/CVE-2012-1126.patch: Perform better input
      sanitization when parsing properties. Based on upstream patch.
    - CVE-2012-1126
  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1127.patch: Perform better input
      sanitization when parsing glyphs. Based on upstream patch.
    - CVE-2012-1127
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1128.patch: Improve loop logic to avoid
      NULL pointer dereference. Based on upstream patch.
    - CVE-2012-1128
  * SECURITY UPDATE: Denial of service via crafted Type42 font
    - debian/patches-freetype/CVE-2012-1129.patch: Perform better input
      sanitization when parsing SFNT strings. Based on upstream patch.
    - CVE-2012-1129
  * SECURITY UPDATE: Denial of service via crafted PCF font
    - debian/patches-freetype/CVE-2012-1130.patch: Allocate enough memory to
      properly NULL-terminate parsed properties strings. Based on upstream
      patch.
    - CVE-2012-1130
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1131.patch: Use appropriate data type to
      prevent integer truncation on 64 bit systems when rendering fonts. Based
      on upstream patch.
    - CVE-2012-1131
  * SECURITY UPDATE: Denial of service via crafted Type1 font
    - debian/patches-freetype/CVE-2012-1132.patch: Ensure strings are of
      appropriate length when loading Type1 fonts. Based on upstream patch.
    - CVE-2012-1132
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted BDF font
    - debian/patches-freetype/CVE-2012-1133.patch: Limit range of negative
      glyph encoding values to prevent invalid array indexes. Based on
      upstream patch.
    - CVE-2012-1133
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted Type1 font
    - debian/patches-freetype/CVE-2012-1134.patch: Enforce a minimum Type1
      private dictionary size to prevent writing past array bounds. Based on
      upstream patch.
    - CVE-2012-1134
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1135.patch: Perform proper bounds
      checks when interpreting TrueType bytecode. Based on upstream patch.
    - CVE-2012-1135
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted BDF font
    - debian/patches-freetype/CVE-2012-1136.patch: Ensure encoding field is
      defined when parsing glyphs. Based on upstream patch.
    - CVE-2012-1136
  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1137.patch: Allocate sufficient number
      of array elements to prevent reading past array bounds. Based on
      upstream patch.
    - CVE-2012-1137
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1138.patch: Correct typo...


Changed in freetype (Ubuntu):
status: Fix Committed → Fix Released
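The changelog above describes the kind of checks the BDF fixes added: property strings that need room for a NUL terminator (CVE-2012-1130), and glyph ENCODING values that must be present and within range before they are used as an array index (CVE-2012-1133, CVE-2012-1136). The following C snippet is an added illustration of those two defensive patterns in a minimal, constructed parser; it is not FreeType's code nor the code in the uploaded patches, and the function names, the "KEY value" line format and the sample lines are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not FreeType or Ubuntu patch code.
 *
 * copy_property_value(): copy the value part of a "KEY value" property
 * line into a freshly allocated string. The rule the CVE-2012-1130 entry
 * points at: allocate value length + 1 so the terminator is written inside
 * the allocation, and bound the copy by line_len rather than by a
 * terminator the input may not contain. Returns NULL (and writes nothing)
 * when the line carries no value or allocation fails. */
char *copy_property_value(const char *line, size_t line_len)
{
    size_t i = 0;
    size_t vlen;
    char *out;

    while (i < line_len && line[i] != ' ')      /* skip the key */
        i++;
    while (i < line_len && line[i] == ' ')      /* skip the separator */
        i++;
    if (i == line_len)
        return NULL;                            /* key only, no value */

    vlen = line_len - i;
    out = malloc(vlen + 1);                     /* +1 for the terminator */
    if (out == NULL)
        return NULL;
    memcpy(out, line + i, vlen);
    out[vlen] = '\0';                           /* inside the allocation */
    return out;
}

/* Convenience wrapper: 1 if the parsed value equals `expected`,
 * 0 otherwise (including the no-value case). */
int property_value_equals(const char *line, const char *expected)
{
    char *v = copy_property_value(line, strlen(line));
    int eq;

    if (v == NULL)
        return 0;
    eq = strcmp(v, expected) == 0;
    free(v);
    return eq;
}

/* glyph_table_index(): map a glyph's ENCODING field to an index into a
 * table of table_size entries. Two checks, matching the CVE-2012-1136 and
 * CVE-2012-1133 entries: the field must actually have been parsed, and a
 * negative or too-large value must never become an array index.
 * Returns -1 for any glyph that must not be placed in the table. */
long glyph_table_index(int have_encoding, long encoding, long table_size)
{
    if (!have_encoding)
        return -1;                   /* ENCODING field missing */
    if (encoding < 0 || encoding >= table_size)
        return -1;                   /* e.g. -1 "unencoded", or past the end */
    return encoding;
}

int main(void)
{
    /* Constructed property lines in the style of a BDF header. */
    int ok = property_value_equals("FONT_ASCENT 12", "12")
          && property_value_equals("COPYRIGHT   Example Foundry", "Example Foundry")
          && !property_value_equals("ENDPROPERTIES", "")
          && glyph_table_index(1, 65, 256) == 65
          && glyph_table_index(1, -1, 256) == -1
          && glyph_table_index(0, 65, 256) == -1
          && glyph_table_index(1, 256, 256) == -1;
    return ok ? 0 : 1;
}
```

The point of keeping the length explicit in both helpers is that neither the allocation size nor the array index is ever derived from the untrusted input alone: the copy is bounded by the caller's length, and the index is accepted only after the presence and range checks pass.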