Hello debian-security,

Because there has been no reaction to my post to [EMAIL PROTECTED] (see below), I am forwarding it to this mailing list. This bug has been reported by several people by now. A patch is available (below). See Bug #373581.

----- Forwarded message from Stanislav Maslovski <[EMAIL PROTECTED]> -----

Date: Mon, 12 Jun 2006 15:47:13 +0400
From: Stanislav Maslovski <[EMAIL PROTECTED]>
To: Martin Schulze <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: [SECURITY] [DSA 1095-1] New freetype packages fix several vulnerabilities
User-Agent: Mutt/1.5.9i

Hello,

I noticed random crashes of xfs and other apps on my system after upgrading libfreetype on sarge. The reason is in the incorrect patch 400-CVE-2006-2493_integer-overflows.diff which introduces division by zero in certain situations.

A patch that solves this problem is attached. It should be applied after all other patches.

On Sat, Jun 10, 2006 at 07:22:33AM +0200, Martin Schulze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1095-1                    [EMAIL PROTECTED]
> http://www.debian.org/security/                         Martin Schulze
> June 10th, 2006                     http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package        : freetype
> Vulnerability  : integer overflows
> Problem type   : local (remote)
> Debian-specific: no
> CVE IDs        : CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661
> CERT advisory  :
> BugTraq ID     : 18034
> Debian Bug     :
>
> Several problems have been discovered in the FreeType 2 font engine.
> The Common vulnerabilities and Exposures project identifies the
> following problems:
> [ skipped ]

diff -urN a/src/raster/ftrend1.c b/src/raster/ftrend1.c --- freetype-2.1.7.orig/src/raster/ftrend1.c 2006-06-12 14:10:19.000000000 +0400 +++ freetype-2.1.7/src/raster/ftrend1.c 2006-06-12 15:10:59.000000000 +0400 
@@ -176,7 +176,7 @@ bitmap->rows = height; bitmap->pitch = pitch; - if ((FT_ULong)pitch > LONG_MAX/height) + if ( height == 0 || (FT_ULong)pitch > LONG_MAX/height ) goto Exit; if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) ) diff -urN a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c --- freetype-2.1.7.orig/src/winfonts/winfnt.c 2006-06-12 14:10:19.000000000 +0400 +++ freetype-2.1.7/src/winfonts/winfnt.c 2006-06-12 15:15:16.000000000 +0400 @@ -616,7 +616,7 @@ /* note: since glyphs are stored in columns and not in rows we */ /* can't use ft_glyphslot_set_bitmap */ - if (pitch > LONG_MAX/bitmap->rows) + if ( bitmap->rows == 0 || pitch > LONG_MAX/bitmap->rows ) goto Exit; if ( FT_ALLOC( bitmap->buffer, pitch * bitmap->rows ) ) ----- End forwarded message ----- -- Станислав
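
Review bot: In the src/raster/ftrend1.c hunk, `height == 0` now takes the same `goto Exit` as the overflow case, after `bitmap->rows` and `bitmap->pitch` have already been assigned, and the visible lines do not show `error` being set on that path. An empty bitmap is not an overflow, so it would be clearer to handle it separately (or to write the guard as `height != 0 && (FT_ULong)pitch > LONG_MAX/height` if a zero-size FT_ALLOC is acceptable there), and to say in a comment which result the caller gets for zero rows.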
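
Review bot: In the src/winfonts/winfnt.c hunk the comparison uses `pitch` uncast, while the matching guard in ftrend1.c compares `(FT_ULong)pitch`, so the two checks should be made to agree on signedness. The type of `pitch` is not visible in the hunk; if it is signed, a negative value passes `pitch > LONG_MAX/bitmap->rows` and still reaches `FT_ALLOC( bitmap->buffer, pitch * bitmap->rows )`. Either confirm it is unsigned or add the same cast, and add a short comment that `bitmap->rows == 0` is tested first to keep the division defined.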
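
The failure mode discussed in this message, as an added example that is not part of the original post or of FreeType's code: an overflow pre-check of the form `a > MAX / b` is only defined when `b` is non-zero, so the zero case has to be decided before the division. The names `bitmap_buffer_size` and `size_status` are hypothetical, and reporting an empty bitmap as its own non-error result is an assumption of this sketch.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper (not FreeType code): result of sizing a bitmap buffer. */
typedef enum { SIZE_OK, SIZE_EMPTY, SIZE_INVALID, SIZE_OVERFLOW } size_status;

/* Computes pitch * rows into *out without dividing by zero or overflowing. */
static size_status bitmap_buffer_size(long pitch, long rows, unsigned long *out)
{
    *out = 0;

    /* Negative dimensions would turn into huge values once cast to unsigned. */
    if (pitch < 0 || rows < 0)
        return SIZE_INVALID;

    /* Empty bitmap: nothing to allocate. Deciding this first is what keeps
       the division below defined (the crash described in the message). */
    if (pitch == 0 || rows == 0)
        return SIZE_EMPTY;

    /* rows > 0 here, so LONG_MAX / rows is well defined. */
    if (pitch > LONG_MAX / rows)
        return SIZE_OVERFLOW;

    *out = (unsigned long)pitch * (unsigned long)rows;
    return SIZE_OK;
}

int main(void)
{
    /* Constructed sample dimensions, not taken from any real font. */
    long cases[][2] = { {4, 8}, {4, 0}, {LONG_MAX, 2}, {-1, 3} };
    static const char *names[] = { "ok", "empty", "invalid", "overflow" };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned long n;
        size_status s = bitmap_buffer_size(cases[i][0], cases[i][1], &n);
        printf("pitch=%ld rows=%ld -> %s (%lu bytes)\n",
               cases[i][0], cases[i][1], names[s], n);
    }
    return 0;
}
```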

