733512 - FreeType: Multiple security flaws to be fixed in v2.4.9

Status: VERIFIED FIXED

(Core :: Layout: Text and Fonts, defect)

Description

[Al Billings [:abillings - ex-MoCo]]

We received a forward of this FreeType security issue. Per Dveditz, this is still used in Mobile Firefox. We should take the FreeType update to 2.4.9 since it looks like we still use 2.4.3 on Central (see http://mxr.mozilla.org/mozilla-central/source/modules/freetype2/ChangeLog).

Date: Tue, 06 Mar 2012 20:57:12 +0100
From: Jan Lieskovsky <jlieskov@redhat.com>
Subject: [oss-security] CVE Request -- FreeType: Multiple security flaws to be fixed in v2.4.9

Hello Kurt, Steve, vendors,

we have been notified by Mateusz Jurczyk of the Google Security Team,
about the following FreeType security flaws, which are going to be fixed
in v2.4.9 version.

Credit: Mateusz Jurczyk, Google Security Team

Note: Though some the issues below might look like related / the same,
I have checked that each of them exclude themselves (IOW each of them
is different issue like the another. But was lazy to cross-reference
those, which of them is different from which another.

       Reproducers are attached to relevant upstream bug reports.

       Have Cc-ed Werner Lemberg of FreeType upstream on this post too,
       so he could collect CVE identifiers prior FreeType v2.4.9
       release.

       Yet, requesting CVE identifier even for the NULL ptr dereference
       and floating point exception / integer divide by zero issue
       below, even if Red Hat would not consider these to be security
       flaws. But other distributions might be doing so, thus will let
       Steve to decide, if these two desire CVE identifiers or not.

       And finally, due the count of the issues, not including full
       issues description under each entry (to shorten the request).
       Only particular Red Hat Bugzilla entry summary is included with
       relevant links to upstream bugs and commits. Further issue
       description can be found under particular Red Hat Bugzilla entry
       for each of them in initial comment (#c0).

Kurt, Steve, could you allocate CVE identifiers for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


Issue #1:
=========
   freetype: Out-of heap-based buffer read by parsing, adding
properties in BDF fonts, or validating if property being an atom
(FU#35597, FU#35598)

Upstream bug reports:
[1] https://savannah.nongnu.org/bugs/?35597
[2] https://savannah.nongnu.org/bugs/?35598

Upstream patch:
[3] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=320d4976d1d010b5abe9d61a7423d8ca06bc34df

Red Hat Bugzilla entry:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=800581

Issue #2:
=========
   freetype: Out-of heap-based buffer read by parsing glyph information
and bitmaps for BDF fonts (FU#35599, FU#35600)

Upstream bug reports:
[1] https://savannah.nongnu.org/bugs/?35599
[2] https://savannah.nongnu.org/bugs/?35600

Upstream patch:
[3] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0b1c0c6b20bf121096afff206d570f26183402b3

Red Hat Bugzilla entry:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=800583

Issue #3:
=========
   freetype: NULL pointer dereference by moving zone2 pointer point for
certain TrueType font (FU#35601)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35601

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=96cddb8d1d32d6738b06552083db9d6cee5b5cb4

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800584

Issue #4:
=========
   freetype: Out-of heap-based buffer read when parsing certain SFNT
strings by Type42 font parser (FU#35602)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35602

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=82365c0dead99dd119d9e7117cf4f36ce1d1cbe1

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800585

Issue #5:
=========
   freetype: Out-of heap-based buffer read by loading properties of PCF
   fonts (FU#35603)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35603

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c776fc17bfeaa607405fc96620e9445e7a0965c3

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800587

Issue #6:
=========
   freetype (64-bit specific): Out-of heap-based buffer read by attempt
to record current cell into the cell table (FU#35604)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35604

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=fcbc82e69e7b114b0db75e955896107d611898e6

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800589

Issue #7:
=========
   freetype: Out-of heap-based buffer read flaw in Type1 font loader by
   parsing font dictionary entries (FU#35606)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35606

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=58cbc465d2ccd904dee755cff791fbb3a866646d

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800590

Issue #8:
=========
   freetype: Out-of heap-based buffer write by parsing BDF glyph
information and bitmaps (FU#35607)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35607

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=28dd2c45957278e962f95633157b6139de8170aa

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800591

Issue #9:
=========
   freetype: Out-of heap-based buffer write in Type1 font parser by
retrieving font's private dictionary (FU#35608)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35608

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9577add645c8c05460c7d60ad486c021394b82e

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800592

Issue #10:
==========
   freetype: Out-of heap-based buffer read in TrueType bytecode
interpreter by executing NPUSHB and NPUSHW instructions (FU#35640)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35640

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=5dddcc45a03b336860436a180aec5b358517336b

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800593

Issue #11:
==========
   freetype: Out-of heap-based buffer write by parsing BDF glyph and
bitmaps information with missing ENCODING field (FU#35641)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35641

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=4086fb7caf41e33137e548e43a49a97b127cd369

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800594

Issue #12:
==========
   freetype: Out-of heap-based buffer read by parsing BDF font header
(FU#35643)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35643

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cee5d593582801f65c5e127d9de9ca24ebcdc747

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800595

Issue #13:
==========
   freetype: Out-of heap-based buffer read in the TrueType bytecode
   interpreter by executing the MIRP instruction (FU#35646)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35646

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a33c013fe2dc6e65de2879682201d9c155292349

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800597

Issue #14:
==========
   freetype: Array index error, leading to out-of stack based buffer
   read by parsing BDF font glyph information (FU#35656)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35656

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=6ac022dc750d95296a6f731b9594f2e751d997fa

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800598

Issue #15:
==========
   freetype: Out-of heap-based buffer read by conversion of PostScript
font objects (FU#35657)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35657

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=292144b44a15c1a72f2ef76475d65b7a3a3fba67

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800600

Issue #16:
==========
   freetype: Out-of heap-based buffer read flaw by conversion of an
ASCII string into a signed short integer by processing BDF fonts
(FU#35658)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35658

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9c1659610f9cd5e103790cb5963483d65cf0d2d

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800602

Issue #17:
==========
   freetype: Out-of heap-based buffer write by retrieval of advance
values for glyph outlines (FU#35659)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35659

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=7d35a7dc7cc621538a1f4a63c83ebf223aace0b0

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800604

Issue #18:
==========
   freetype: Integer divide by zero by performing arithmetic
   computations for certain fonts (FU#35660)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35660

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=ba67957d5ead443f4b6b31805d6e780d54361ca4

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800606

Issue #19:
==========
   freetype: Out-of heap-based buffer write in the TrueType bytecode
   interpreter by moving zone2 pointer point (FU#35689)

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35689

Upstream patch:
[2] 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0fc8debeb6c2f6a8a9a2b97332a7c8a0a1bd9e85

Red Hat Bugzilla entry:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=800607

Comment 1

[Johnny Stenback (:jst)]

Given the number of listed issues, and the severity of some of them, I'm marking this sg:critical. Probably only affects mobile though...

Comment 2

[Jet Villegas (inactive)]

Jonathan: similar fix to bug 553433 needed here. Can you take this one?

Comment 3

[Jonathan Kew [:jfkthame]]

Attachment: patch, update freetype to release 2.4.9

This simply updates our in-tree freetype to the 2.4.9 release. Currently awaiting tryserver android results (https://tbpl.mozilla.org/?tree=Try&rev=54ae9d8f051c), to check that it builds & runs ok.

Comment 4

[Doug Turner (:dougt)]

Comment on attachment 604362 [details] [diff] [review]
patch, update freetype to release 2.4.9

rs=me

Comment 5

[Jonathan Kew [:jfkthame]]

Pushed to inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/52e691cfec84

Comment 6

[Jonathan Kew [:jfkthame]]

Comment on attachment 604362 [details] [diff] [review]
patch, update freetype to release 2.4.9

[Approval Request Comment]
Regression caused by (bug #): no regression - security update for freetype
User impact if declined: firefox mobile will be vulnerable to a number of known bugs, which are publicly disclosed as a result of the new freetype release (if not before) and might be exploitable via malicious downloadable fonts
Testing completed (on m-c, etc.): only used in the mobile product; tryserver run for android and android-xul was fully green; currently on -inbound
Risk to taking this patch (and alternatives if risky): low risk, this is simply updating to the current freetype release; the alternative would be trying to backport individual bugfixes to the old release we're using, but that would be far trickier/riskier
String changes made by this patch: updated freetype copyright year in toolkit/content/license.html

Comment 7

[Jonathan Kew [:jfkthame]]

https://hg.mozilla.org/mozilla-central/rev/52e691cfec84

Comment 8

[Alex Keybl [:akeybl]]

Comment on attachment 604362 [details] [diff] [review]
patch, update freetype to release 2.4.9

[Triage Comment]
Approved for Aurora 12 (soon to be Beta 12). Please land asap.

Comment 9

[Jonathan Kew [:jfkthame]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/8f4aeb506495

Comment 10

[Lukas Blakk [:lsblakk] use ?needinfo]

Comment on attachment 604362 [details] [diff] [review]
patch, update freetype to release 2.4.9

[Triage Comment]
Please go ahead and land on ESR, see https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for details.

Comment 11

[Jonathan Kew [:jfkthame]]

https://hg.mozilla.org/releases/mozilla-esr10/rev/206da25f1059

Comment 12

[u279076]

Is this something QA can verify?

Comment 13

[Al Billings [:abillings - ex-MoCo]]

Anthony, this is a library update. You just need to make sure that the new version (2.4.9) was checked in. I've done this for trunk.