Closed Bug 1454359 Opened 2 years ago Closed 2 years ago

Cherry-pick more upstream FreeType oss-fuzz fixes

Categories

(Core :: Graphics: Text, defect, P1, critical)


Tracking


RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- disabled
firefox59 --- wontfix
firefox60 + fixed
firefox61 + fixed

People

(Reporter: RyanVM, Assigned: RyanVM)

Details

(Keywords: csectype-intoverflow, csectype-undefined, sec-low, Whiteboard: [adv-main60+][post-critsmash-triage])

Attachments

(1 file)

https://treeherder.mozilla.org/#/jobs?repo=try&revision=0006232e86669cc44bba7bc709c41a5f55b0b2a2

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I have no idea, TBH. The issues were found by oss-fuzz and are referenced in the upstream commits (though access is restricted).

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
I left the commit message generic, but obviously someone is free to follow the link to the upstream commits to see that the fixes are likely security-related.

Which older supported branches are affected by this flaw?
All, though only 59+ in practice where we ship Android builds.

If not all supported branches, which bug introduced the flaw?
N/A

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Applies cleanly to Beta as-is.

How likely is this patch to cause regressions; how much testing does it need?
Seems highly unlikely. Android tests are green on the Try push.
Attachment #8968235 - Flags: sec-approval?
Attachment #8968235 - Flags: review?(jfkthame)
Based on the patch I suspect these fix 2 UBSAN errors and a timeout. That is, the integer overflows don't lead to a heap buffer overflow.
Comment on attachment 8968235 [details] [diff] [review]
cherry-pick more upstream oss-fuzz fixes

Review of attachment 8968235 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM, thanks.
Attachment #8968235 - Flags: review?(jfkthame) → review+
Priority: -- → P1
Talking to Dan, this seems to really be a sec-low. As such, it doesn't need sec-approval+ to go onto trunk.
Keywords: sec-low
Attachment #8968235 - Flags: sec-approval?
Comment on attachment 8968235 [details] [diff] [review]
cherry-pick more upstream oss-fuzz fixes

Same story as bug 1453653. More FreeType upstream security fixes.
Attachment #8968235 - Flags: approval-mozilla-beta+
...I didn't mean to set that to + there, but got Julien's blessing over IRC to just leave it.

https://hg.mozilla.org/releases/mozilla-beta/rev/41236d2e9c29
https://hg.mozilla.org/mozilla-central/rev/a31b222963a1
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Group: gfx-core-security → core-security-release
Whiteboard: [adv-main60+]
Flags: qe-verify-
Whiteboard: [adv-main60+] → [adv-main60+][post-critsmash-triage]
Group: core-security-release