Bug 1454359 - Cherry-pick more upstream FreeType oss-fuzz fixes
Status: Closed. Opened 6 years ago; closed 6 years ago.
Categories: Core :: Graphics: Text, defect, P1
Tracking: RESOLVED FIXED, target milestone mozilla61
People: Reporter: RyanVM, Assigned: RyanVM
Details: Keywords: csectype-intoverflow, csectype-undefined, sec-low; Whiteboard: [adv-main60+][post-critsmash-triage]
Attachments (1 file): patch, 4.53 KB; flags: jfkthame: review+, RyanVM: approval-mozilla-beta+
Description

+++ This bug was initially created as a clone of Bug #1453653 +++

More upstream fixes landed over the weekend for various issues reported by oss-fuzz.
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=827ca3bcf25b9e4dc2edf31381c0774e1d227285
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=235b1e2fe6ca325f449c5a73c75432d62d73f524
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=70ac167c47f5ca966fb578b1f215430f46915a49
Comment 1 (Assignee) • 6 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=0006232e86669cc44bba7bc709c41a5f55b0b2a2

[Security approval request comment]

How easily could an exploit be constructed based on the patch?
I have no idea, TBH. The issues were found by oss-fuzz and are referenced in the upstream commits (though access is restricted).

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
I left the commit message generic, but obviously someone is free to follow the link to the upstream commits to see that the fixes are likely security-related.

Which older supported branches are affected by this flaw?
All, though only 59+ in practice where we ship Android builds.

If not all supported branches, which bug introduced the flaw?
N/A

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Applies cleanly to Beta as-is.

How likely is this patch to cause regressions; how much testing does it need?
Seems highly unlikely. Android tests are green on the Try push.

Attachment #8968235 - Flags: sec-approval?
Attachment #8968235 - Flags: review?(jfkthame)
Comment 2 • 6 years ago
Based on the patch I suspect these fix 2 UBSAN errors and a timeout. That is, the integer overflows don't lead to a heap buffer overflow.
Comment 3 • 6 years ago

Comment on attachment 8968235 [details] [diff] [review]
cherry-pick more upstream oss-fuzz fixes

Review of attachment 8968235 [details] [diff] [review]:
-----------------------------------------------------------------
LGTM, thanks.

Attachment #8968235 - Flags: review?(jfkthame) → review+
Updated (Assignee) • 6 years ago
Priority: -- → P1
Comment 4 • 6 years ago
Talking to Dan, this seems to really be a sec-low. As such, it doesn't need sec-approval+ to go onto trunk.
Keywords: sec-low
Updated • 6 years ago
Attachment #8968235 - Flags: sec-approval?
Comment 5 (Assignee) • 6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/a31b222963a1
Comment 6 (Assignee) • 6 years ago

Comment on attachment 8968235 [details] [diff] [review]
cherry-pick more upstream oss-fuzz fixes

Same story as bug 1453653. More FreeType upstream security fixes.

Attachment #8968235 - Flags: approval-mozilla-beta+
Comment 7 (Assignee) • 6 years ago

...I didn't mean to set that to + there, but got Julien's blessing over IRC to just leave it.
https://hg.mozilla.org/releases/mozilla-beta/rev/41236d2e9c29
Comment 8 • 6 years ago
https://hg.mozilla.org/mozilla-central/rev/a31b222963a1
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Updated • 6 years ago
Group: gfx-core-security → core-security-release
Updated • 6 years ago
Whiteboard: [adv-main60+]
Updated • 6 years ago
Flags: qe-verify-
Whiteboard: [adv-main60+] → [adv-main60+][post-critsmash-triage]
Updated • 6 years ago
Group: core-security-release