Closed Bug 553433 (CVE-2009-0946) Opened 10 years ago Closed 10 years ago

Multiple integer overflows in FreeType 2.3.9 and earlier

Categories: Core :: Layout: Text and Fonts, defect, critical

Status: RESOLVED FIXED

Tracking Status:
status2.0 --- ?
status1.9.2 --- ?
status1.9.1 --- ?

People: Reporter: reed, Assigned: jfkthame

Whiteboard: [sg:critical?] not sure if affects us yet

Attachments: 2 files

CVE-2009-0946

Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.

We have FreeType 2.3.7 on 1.9.1, 1.9.2, and trunk (1.9.3). Need to see if these issues affect us, and if so, get them patched in our code (or even see about doing a complete FreeType upgrade).

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e
Severity: normal → critical
Jonathan: can you please renominate if we can confirm that we're affected by this?
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
blocking2.0: ? → ---
We haven't shipped a release that uses this code on 1.9.1 or 1.9.2, so I don't think we need to care about it there. We plan to ship off of trunk using it though, so I think we should just update trunk to 2.3.12.
Don't our Linux releases use it? Or secondary platforms such as OS/2?
To my knowledge, only Windows Mobile and Android use it. Our Linux platforms use system fontconfig/freetype.
I'll look into updating our freetype, if nobody else has jumped in already. Should be pretty straightforward, I hope.
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Seems like a painless upgrade. Maemo builds OK on tryserver; I don't have other FT2-using build environments on hand at the moment.

I think it makes sense to do this first, then look into bug 553273 again.

Patch is compressed (.bz2) because otherwise it exceeds bugzilla's limit for attachment size.
Attachment #434907 - Flags: review?(bugmail)
Attachment #434907 - Attachment is patch: true
Attachment #434907 - Attachment mime type: application/octet-stream → text/plain
Blocks: 553273
Maemo doesn't build this, so I tried building Android with this patch and got the following error:

../../../modules/freetype2/src/autofit/aflatin2.c:19:10: error: #include expects "FILENAME" or <FILENAME>

which is from:
#include FT_ADVANCES_H
Adding ftheader.h as an additional forced include fixes this for me. Still trying to confirm that everything still renders correctly.
Text renders fine, looking over the patch now.
Comment on attachment 434907 [details] [diff] [review]
update freetype sources to v2.3.12 (from http://savannah.nongnu.org/download/freetype/)

Looks fine, just change the Makefile.in to be:

-DEFINES += -DFT2_BUILD_LIBRARY -DFT_OPTION_AUTOFIT2 -FI $(srcdir)/include/freetype/config/ftstdlib.h
+DEFINES += -DFT2_BUILD_LIBRARY -DFT_OPTION_AUTOFIT2
+
+ifdef _MSC_VER
+DEFINES += -FI $(srcdir)/include/freetype/config/ftstdlib.h -FI $(srcdir)/include/freetype/config/ftheader.h
+else
+DEFINES += -include $(srcdir)/include/freetype/config/ftstdlib.h -include $(srcdir)/include/freetype/config/ftheader.h
+endif
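Review bot: the `else` branch of this hunk hands `-include` to every compiler that is not MSVC, so a toolchain that accepts neither `-FI` nor `-include` would fail at the forced include rather than at the `#include FT_ADVANCES_H` line seen in the Android build above; a one-line comment next to the new `DEFINES` saying why ftheader.h is forced (aflatin2.c expands the FT_ADVANCES_H macro that ftheader.h defines) would make the intent clear to whoever next touches these flags or moves to a third compiler.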
Attachment #434907 - Flags: review?(bugmail) → review+
OK, thanks. Pushed this, with the Makefile.in fix.
http://hg.mozilla.org/mozilla-central/rev/228a9faee7e8
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
I updated the date in the freetype license notice as part of the 2.3.12 update, and also added maemo to the platforms mentioned there; this was incorrect, but we should instead mention android (see comment #7).
Attachment #435171 - Flags: review?(bugmail)
Comment on attachment 435171 [details] [diff] [review]
followup to correct freetype notice in about:license

It's not clear to me that OS/2 still uses freetype, but that portion of this dates to pre-1.9.0.
Attachment #435171 - Flags: review?(bugmail) → review+
Pushed followup:
http://hg.mozilla.org/mozilla-central/rev/9edc337f49f9

(The gfxOS2Fonts code uses freetype, so unless the platform or another package provides it, I presume we're still building it there. If this is out-of-date, the OS/2 people can fix it separately.)
Group: core-security → core-security-release
Group: core-security-release