Bug 553433 (CVE-2009-0946) - Multiple integer overflows in FreeType 2.3.9 and earlier
Status: RESOLVED FIXED (closed; opened 13 years ago, closed 13 years ago)
Product / Component: Core :: Layout: Text and Fonts (defect)
Reporter: reed; Assigned: jfkthame
Whiteboard: [sg:critical?] not sure if affects us yet

Attachments (2 files):
- update freetype sources to v2.3.12 (patch, 401.76 KB) - blassey: review+
- followup to correct freetype notice in about:license (patch, 914 bytes) - blassey: review+
CVE-2009-0946: Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.

We have FreeType 2.3.7 on 1.9.1, 1.9.2, and trunk (1.9.3). Need to see if these issues affect us, and if so, get them patched in our code (or even see about doing a complete FreeType upgrade).

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e
Updated (reporter, 13 years ago):
Severity: normal → critical
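The bug class named in the description (an attacker-controlled count multiplied into a 32-bit size that wraps, so the loader allocates far less than it later writes) is easiest to see on a small parser. The following is an added example written for this page, not FreeType code and not the upstream fixes linked above; the table layout, ENTRY_SIZE, the table_t struct and all function names are hypothetical, and the three sample inputs are constructed. It shows the vulnerable size computation beside the hardened one, which also rejects tables whose declared entries are not actually present in the input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed table layout for this example (not a real FreeType or
 * TrueType table): a big-endian 32-bit entry count followed by `count`
 * fixed-size entries. */
#define ENTRY_SIZE 12u

typedef struct {
    uint32_t count;       /* entries declared by the header */
    uint32_t alloc_size;  /* bytes requested from malloc */
    uint8_t *entries;     /* NULL if the table was rejected */
} table_t;

static uint32_t read_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The bug-class pattern: count * ENTRY_SIZE is evaluated in 32-bit unsigned
 * arithmetic, wraps for large counts, and the wrapped value sizes the heap
 * block.  In a real loader the following loop over `count` entries then
 * writes past the end of that block.  The copy is deliberately omitted here
 * so the function can be called without corrupting memory; only the
 * undersized allocation is reproduced. */
int load_table_unsafe(const uint8_t *buf, size_t len, table_t *out)
{
    if (len < 4)
        return -1;
    out->count = read_u32_be(buf);
    out->alloc_size = out->count * ENTRY_SIZE;      /* may wrap */
    out->entries = malloc(out->alloc_size ? out->alloc_size : 1);
    return out->entries ? 0 : -1;
}

/* Hardened loader: reject counts whose product cannot be represented in
 * 32 bits, then require the declared entries to actually be present. */
int load_table_safe(const uint8_t *buf, size_t len, table_t *out)
{
    if (len < 4)
        return -1;
    uint32_t count = read_u32_be(buf);
    if (count > UINT32_MAX / ENTRY_SIZE)            /* overflow guard */
        return -1;
    uint32_t size = count * ENTRY_SIZE;
    if (size > len - 4)                             /* truncation guard */
        return -1;
    out->count = count;
    out->alloc_size = size;
    out->entries = malloc(size ? size : 1);
    if (!out->entries)
        return -1;
    memcpy(out->entries, buf + 4, size);            /* in bounds by construction */
    return 0;
}

void free_table(table_t *t)
{
    free(t->entries);
    t->entries = NULL;
}

/* Size each loader would request for `buf`, or -1 if it rejects the input. */
long long unsafe_alloc_size(const uint8_t *buf, size_t len)
{
    table_t t;
    if (load_table_unsafe(buf, len, &t) != 0)
        return -1;
    long long n = t.alloc_size;
    free_table(&t);
    return n;
}

long long safe_alloc_size(const uint8_t *buf, size_t len)
{
    table_t t;
    if (load_table_safe(buf, len, &t) != 0)
        return -1;
    long long n = t.alloc_size;
    free_table(&t);
    return n;
}

/* Constructed inputs (not taken from any real font). */
const uint8_t SAMPLE_OK[4 + 2 * ENTRY_SIZE] = { 0x00, 0x00, 0x00, 0x02 }; /* 2 entries, all present */
const uint8_t SAMPLE_HUGE[4]  = { 0x40, 0x00, 0x00, 0x01 };  /* 0x40000001 * 12 wraps to 12 */
const uint8_t SAMPLE_TRUNC[4] = { 0x00, 0x00, 0x00, 0x05 };  /* claims 5 entries, supplies none */

int main(void)
{
    printf("ok:    unsafe=%lld safe=%lld\n",
           unsafe_alloc_size(SAMPLE_OK, sizeof SAMPLE_OK),
           safe_alloc_size(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("huge:  unsafe=%lld safe=%lld\n",
           unsafe_alloc_size(SAMPLE_HUGE, sizeof SAMPLE_HUGE),
           safe_alloc_size(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    printf("trunc: unsafe=%lld safe=%lld\n",
           unsafe_alloc_size(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC),
           safe_alloc_size(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

For SAMPLE_HUGE the unsafe loader asks malloc for 12 bytes while believing it holds over a billion entries, which is exactly the shape of flaw the linked upstream commits close; the `count > UINT32_MAX / ENTRY_SIZE` division test is the standard way to guard the multiplication without relying on compiler builtins, and the `size > len - 4` test catches the separate case of a header that promises more data than the file contains.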
Comment 1 (13 years ago):
Jonathan: can you please renominate if we can confirm that we're affected by this?
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
blocking2.0: ? → ---
Comment 2 (13 years ago):
We haven't shipped a release that uses this code on 1.9.1 or 1.9.2, so I don't think we need to care about it there. We plan to ship off of trunk using it, though, so I think we should just update trunk to 2.3.12.
Comment 3 (assignee jfkthame, 13 years ago):
Don't our Linux releases use it? Or secondary platforms such as OS/2?
Comment 4 (13 years ago):
To my knowledge, only Windows Mobile and Android use it. Our Linux platforms use system fontconfig/freetype.
Comment 5 (assignee jfkthame, 13 years ago):
I'll look into updating our freetype, if nobody else has jumped in already. Should be pretty straightforward, I hope.
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Comment 6 (assignee jfkthame, 13 years ago):
Seems like a painless upgrade. Maemo builds OK on tryserver; I don't have other FT2-using build environments on hand at the moment. I think it makes sense to do this first, then look into bug 553273 again. Patch is compressed (.bz2) because otherwise it exceeds bugzilla's limit for attachment size.
Attachment #434907 - Flags: review?(bugmail)
Updated (assignee jfkthame, 13 years ago):
Attachment #434907 - Attachment is patch: true
Attachment #434907 - Attachment mime type: application/octet-stream → text/plain
Comment 7 (13 years ago):
Maemo doesn't build this, so I tried building Android with this patch and got the following error:

../../../modules/freetype2/src/autofit/aflatin2.c:19:10: error: #include expects "FILENAME" or <FILENAME>

which is from:

#include FT_ADVANCES_H
Comment 8 (13 years ago):
Adding ftheader.h as an additional forced include fixes this for me. Still trying to confirm that everything still renders correctly.
Comment 9 (13 years ago):
Text renders fine; looking over the patch now.
Comment 10 (13 years ago):
Comment on attachment 434907 [details] [diff] [review] update freetype sources to v2.3.12 (from http://savannah.nongnu.org/download/freetype/) looks fine, just change the Makefile.in to be: -DEFINES += -DFT2_BUILD_LIBRARY -DFT_OPTION_AUTOFIT2 -FI $(srcdir)/include/freetype/config/ftstdlib.h +DEFINES += -DFT2_BUILD_LIBRARY -DFT_OPTION_AUTOFIT2 + +ifdef _MSC_VER +DEFINES += -FI $(srcdir)/include/freetype/config/ftstdlib.h -FI $(srcdir)/include/freetype/config/ftheader.h +else +DEFINES += -include $(srcdir)/include/freetype/config/ftstdlib.h -include $(srcdir)/include/freetype/config/ftheader.h +endif
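Review bot: The forced include of ftheader.h in both branches of the new `ifdef _MSC_VER` block is a build-system workaround for a missing include in the sources. The comment 7 error at aflatin2.c:19 (`#include expects "FILENAME" or <FILENAME>` on `#include FT_ADVANCES_H`) means the FT_ADVANCES_H macro was still undefined when that line was reached, i.e. ft2build.h/ftheader.h had not been included in that translation unit yet, so the narrower fix is an `#include <ft2build.h>` ahead of `#include FT_ADVANCES_H` in aflatin2.c, which is also worth sending upstream so the next FreeType refresh does not need to carry this carve-out. If the forced include stays, note that it now applies to every FreeType translation unit rather than just autofit, that the `ifdef _MSC_VER` test only works because the build exports that compiler macro as a make variable, and a one-line comment in Makefile.in saying why both headers are force-included would save the next person repeating the comment 7/8 investigation.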
Attachment #434907 - Flags: review?(bugmail) → review+
Comment 11 (assignee jfkthame, 13 years ago):
OK, thanks. Pushed this, with the Makefile.in fix. http://hg.mozilla.org/mozilla-central/rev/228a9faee7e8
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 12 (assignee jfkthame, 13 years ago):
I updated the date in the freetype license notice as part of the 2.3.12 update, and also added maemo to the platforms mentioned there; this was incorrect, but we should instead mention android (see comment #7).
Attachment #435171 - Flags: review?(bugmail)
Comment 13 (13 years ago):
Comment on attachment 435171 (followup to correct freetype notice in about:license):
It's not clear to me that OS/2 still uses freetype, but that portion of this dates to pre-1.9.0.
Attachment #435171 - Flags: review?(bugmail) → review+
Comment 14 (assignee jfkthame, 13 years ago):
Pushed followup: http://hg.mozilla.org/mozilla-central/rev/9edc337f49f9 (The gfxOS2Fonts code uses freetype, so unless the platform or another package provides it, I presume we're still building it there. If this is out-of-date, the OS/2 people can fix it separately.)
Updated (8 years ago):
Group: core-security → core-security-release

Updated (8 years ago):
Group: core-security-release