Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()

2018-03-11 Thread Rene Engelhard
Hi,

On Sun, Mar 11, 2018 at 06:56:30PM +0100, Moritz Mühlenhoff wrote:
> On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> > Hi,
> > 
> > On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > > CVE-2018-7999[0]:
> > > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > > | vulnerability was found in Segment.cpp during a dumbRendering
> > > | operation, which may allow attackers to cause a denial of service or
> > > | possibly have unspecified other impact via a crafted .ttf file.
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > > [1] https://github.com/silnrsi/graphite/issues/22
> > 
> > Upstream fix backported. Uploaded to sid.
> > 
> > Merged this for jessie and stretch, too. See attached debdiffs. Want me
> > to upload for a DSA?
> 
> This doesn't warrant a DSA, we can either postpone until the next more
> severe graphite vulnerability or fix it via a point update.

OK.

Regards,

Rene



Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()

2018-03-11 Thread Moritz Mühlenhoff
On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> Hi,
> 
> On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > CVE-2018-7999[0]:
> > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > | vulnerability was found in Segment.cpp during a dumbRendering
> > | operation, which may allow attackers to cause a denial of service or
> > | possibly have unspecified other impact via a crafted .ttf file.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > [1] https://github.com/silnrsi/graphite/issues/22
> 
> Upstream fix backported. Uploaded to sid.
> 
> Merged this for jessie and stretch, too. See attached debdiffs. Want me
> to upload for a DSA?

This doesn't warrant a DSA, we can either postpone until the next more
severe graphite vulnerability or fix it via a point update.

Cheers,
Moritz



Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()

2018-03-11 Thread Rene Engelhard
Hi,

On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > CVE-2018-7999[0]:
> > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > | vulnerability was found in Segment.cpp during a dumbRendering
> > | operation, which may allow attackers to cause a denial of service or
> > | possibly have unspecified other impact via a crafted .ttf file.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > [1] https://github.com/silnrsi/graphite/issues/22
> 
> Upstream fix backported. Uploaded to sid.
> 
> Merged this for jessie and stretch, too. See attached debdiffs. Want me
> to upload for a DSA?
> 
> (for the jessie branch I also had an embarrassing typo fix pending.
> Included. If I should remove that one I can, though, too)

I'll remove that one, since stretch doesn't have it done either...

New diff attached.

Regards,
 
Rene
diff -Nru graphite2-1.3.10/debian/changelog graphite2-1.3.10/debian/changelog
--- graphite2-1.3.10/debian/changelog   2017-06-14 23:13:46.0 +0200
+++ graphite2-1.3.10/debian/changelog   2018-03-11 13:51:44.0 +0100
@@ -1,3 +1,10 @@
+graphite2 (1.3.10-1~deb8u2) jessie-security; urgency=medium
+
+  * backport upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6
+to fix CVE-2018-7999 (closes: #892590)
+
+ -- Rene Engelhard   Sun, 11 Mar 2018 13:51:44 +0100
+
 graphite2 (1.3.10-1~deb8u1) jessie-security; urgency=high
 
   * rebuild for jessie-security
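Review bot: the distribution field in the new entry, `graphite2 (1.3.10-1~deb8u2) jessie-security; urgency=medium`, only fits an upload through the security archive; if this fix goes out via a point update instead, which is one of the two options Moritz raises in the thread, the entry has to target the stable codename (`jessie`) rather than `jessie-security`, so the field should be settled before upload. The entry also names only the upstream commit id; adding the file name of the patch it introduces under debian/patches lets the changelog and the patch cross-reference each other.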
diff -Nru 
graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff 
graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff
--- 
graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff   
1970-01-01 01:00:00.0 +0100
+++ 
graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff   
2018-03-11 13:50:58.0 +0100
@@ -0,0 +1,221 @@
+diff --git a/include/graphite2/Font.h b/include/graphite2/Font.h
+index efe2af9f..a4e35243 100644
+--- a/include/graphite2/Font.h
 b/include/graphite2/Font.h
+@@ -56,7 +56,7 @@ GR2_API void gr_engine_version(int *nMajor, int *nMinor, int 
*nBugFix);
+ enum gr_face_options {
+ /** No preload, no cmap caching, fail if the graphite tables are invalid 
*/
+ gr_face_default = 0,
+-/** Dumb rendering will be enabled if the graphite tables are invalid */
++/** Dumb rendering will be enabled if the graphite tables are invalid. 
DEPRECATED. */
+ gr_face_dumbRendering = 1,
+ /** preload glyphs at construction time */
+ gr_face_preloadGlyphs = 2,
+diff --git a/src/GlyphCache.cpp b/src/GlyphCache.cpp
+index c4ab807b..1acf7f98 100644
+--- a/src/GlyphCache.cpp
 b/src/GlyphCache.cpp
+@@ -84,7 +84,7 @@ const SlantBox SlantBox::empty = {0,0,0,0};
+ class GlyphCache::Loader
+ {
+ public:
+-Loader(const Face & face, const bool dumb_font);//return result 
indicates success. Do not use if failed.
++Loader(const Face & face);//return result indicates success. Do not 
use if failed.
+ 
+ operator bool () const throw();
+ unsigned short int units_per_em() const throw();
+@@ -115,7 +115,7 @@ class GlyphCache::Loader
+ 
+ 
+ GlyphCache::GlyphCache(const Face & face, const uint32 face_options)
+-: _glyph_loader(new Loader(face, bool(face_options & gr_face_dumbRendering))),
++: _glyph_loader(new Loader(face)),
+   _glyphs(_glyph_loader && *_glyph_loader && _glyph_loader->num_glyphs()
+ ? grzeroalloc(_glyph_loader->num_glyphs()) : 0),
+   _boxes(_glyph_loader && _glyph_loader->has_boxes() && 
_glyph_loader->num_glyphs()
+@@ -239,7 +239,7 @@ const GlyphFace *GlyphCache::glyph(unsigned short glyphid) 
const  //result m
+ 
+ 
+ 
+-GlyphCache::Loader::Loader(const Face & face, const bool dumb_font)
++GlyphCache::Loader::Loader(const Face & face)
+ : _head(face, Tag::head),
+   _hhea(face, Tag::hhea),
+   _hmtx(face, Tag::hmtx),
+@@ -265,52 +265,49 @@ GlyphCache::Loader::Loader(const Face & face, const bool 
dumb_font)
+ return;
+ }
+ 
+-if (!dumb_font)
++if ((m_pGlat = Face::Table(face, Tag::Glat, 0x0003)) == NULL
++|| (m_pGloc = Face::Table(face, Tag::Gloc)) == NULL
++|| m_pGloc.size() < 8)
+ {
+-if ((m_pGlat = Face::Table(face, Tag::Glat, 0x0003)) == NULL
+-|| (m_pGloc = Face::Table(face, Tag::Gloc)) == NULL
+-|| m_pGloc.size() < 8)
+-{
+-_head = Face::Table();
+-return;
+-}
+-const byte* p = m_pGloc;
+-int   version = be::read(p);
+-const uint16flags = be::read(p);
+-_num_attrs = be::read(p);
+-// 
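Review bot: the new debian/patches file begins straight at `+diff --git a/include/graphite2/Font.h b/include/graphite2/Font.h` with no DEP-3 header, so the patch itself does not record where it came from; a few header lines (Origin: upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6, Bug: https://github.com/silnrsi/graphite/issues/22, Bug-Debian: https://bugs.debian.org/892590) would keep that traceable outside the changelog. Note also that the GlyphCache.cpp hunk at `@@ -265,52 +265,49 @@` removes the `if (!dumb_font)` guard, so the check on the Glat and Gloc tables (`== NULL` or `m_pGloc.size() < 8`) that previously ran only when `dumb_font` was false now runs unconditionally, and `GlyphCache::GlyphCache` no longer passes `face_options & gr_face_dumbRendering` to the loader; that is the point of the fix, but it is a user-visible change for fonts with broken graphite tables and deserves a sentence in the changelog. The hunk is cut off in the archive after `+-// `, so only the first part of the 221-line patch could be checked here.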

Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()

2018-03-11 Thread Rene Engelhard
Hi,

On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> CVE-2018-7999[0]:
> | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> | vulnerability was found in Segment.cpp during a dumbRendering
> | operation, which may allow attackers to cause a denial of service or
> | possibly have unspecified other impact via a crafted .ttf file.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> [1] https://github.com/silnrsi/graphite/issues/22

Upstream fix backported. Uploaded to sid.

Merged this for jessie and stretch, too. See attached debdiffs. Want me
to upload for a DSA?

(for the jessie branch I also had an embarrassing typo fix pending.
Included. If I should remove that one I can, though, too)

Regards,

Rene
diff -Nru graphite2-1.3.10/debian/changelog graphite2-1.3.10/debian/changelog
--- graphite2-1.3.10/debian/changelog   2017-05-06 13:20:52.0 +0200
+++ graphite2-1.3.10/debian/changelog   2018-03-11 13:44:49.0 +0100
@@ -1,3 +1,10 @@
+graphite2 (1.3.10-1+deb9u1) stretch-security; urgency=medium
+
+  * backport upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6
+to fix CVE-2018-7999 (closes: #892590)
+
+ -- Rene Engelhard   Sun, 11 Mar 2018 13:44:49 +0100
+
 graphite2 (1.3.10-1) unstable; urgency=medium
 
   * New upstream version 1.3.10
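Review bot: `(closes: #892590)` in the stretch entry relies on BTS version tracking, but the bug was filed against 1.3.10-8 with `found -1 1.3.11-1`, and nothing in the thread marks the stretch version 1.3.10-1 (the previous entry in this changelog) or the jessie version 1.3.10-1~deb8u1 as affected; without those `found` versions the stable uploads will not show up as fixing the bug for their suites, which is what Salvatore's "Please adjust the affected versions in the BTS as needed" is asking for.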
diff -Nru 
graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff 
graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff
--- 
graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff   
1970-01-01 01:00:00.0 +0100
+++ 
graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff   
2018-03-11 13:44:16.0 +0100
@@ -0,0 +1,221 @@
+diff --git a/include/graphite2/Font.h b/include/graphite2/Font.h
+index efe2af9f..a4e35243 100644
+--- a/include/graphite2/Font.h
 b/include/graphite2/Font.h
+@@ -56,7 +56,7 @@ GR2_API void gr_engine_version(int *nMajor, int *nMinor, int 
*nBugFix);
+ enum gr_face_options {
+ /** No preload, no cmap caching, fail if the graphite tables are invalid 
*/
+ gr_face_default = 0,
+-/** Dumb rendering will be enabled if the graphite tables are invalid */
++/** Dumb rendering will be enabled if the graphite tables are invalid. 
DEPRECATED. */
+ gr_face_dumbRendering = 1,
+ /** preload glyphs at construction time */
+ gr_face_preloadGlyphs = 2,
+diff --git a/src/GlyphCache.cpp b/src/GlyphCache.cpp
+index c4ab807b..1acf7f98 100644
+--- a/src/GlyphCache.cpp
 b/src/GlyphCache.cpp
+@@ -84,7 +84,7 @@ const SlantBox SlantBox::empty = {0,0,0,0};
+ class GlyphCache::Loader
+ {
+ public:
+-Loader(const Face & face, const bool dumb_font);//return result 
indicates success. Do not use if failed.
++Loader(const Face & face);//return result indicates success. Do not 
use if failed.
+ 
+ operator bool () const throw();
+ unsigned short int units_per_em() const throw();
+@@ -115,7 +115,7 @@ class GlyphCache::Loader
+ 
+ 
+ GlyphCache::GlyphCache(const Face & face, const uint32 face_options)
+-: _glyph_loader(new Loader(face, bool(face_options & gr_face_dumbRendering))),
++: _glyph_loader(new Loader(face)),
+   _glyphs(_glyph_loader && *_glyph_loader && _glyph_loader->num_glyphs()
+ ? grzeroalloc(_glyph_loader->num_glyphs()) : 0),
+   _boxes(_glyph_loader && _glyph_loader->has_boxes() && 
_glyph_loader->num_glyphs()
+@@ -239,7 +239,7 @@ const GlyphFace *GlyphCache::glyph(unsigned short glyphid) 
const  //result m
+ 
+ 
+ 
+-GlyphCache::Loader::Loader(const Face & face, const bool dumb_font)
++GlyphCache::Loader::Loader(const Face & face)
+ : _head(face, Tag::head),
+   _hhea(face, Tag::hhea),
+   _hmtx(face, Tag::hmtx),
+@@ -265,52 +265,49 @@ GlyphCache::Loader::Loader(const Face & face, const bool 
dumb_font)
+ return;
+ }
+ 
+-if (!dumb_font)
++if ((m_pGlat = Face::Table(face, Tag::Glat, 0x0003)) == NULL
++|| (m_pGloc = Face::Table(face, Tag::Gloc)) == NULL
++|| m_pGloc.size() < 8)
+ {
+-if ((m_pGlat = Face::Table(face, Tag::Glat, 0x0003)) == NULL
+-|| (m_pGloc = Face::Table(face, Tag::Gloc)) == NULL
+-|| m_pGloc.size() < 8)
+-{
+-_head = Face::Table();
+-return;
+-}
+-const byte* p = m_pGloc;
+-int   version = be::read(p);
+-const uint16flags = be::read(p);
+-_num_attrs = be::read(p);
+-// We can accurately calculate the number of attributed glyphs by
+-//  subtracting the length of the attribids array (numAttribs long if 
present)
+-//  and dividing by either 2 or 4 depending on 
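Review bot: for a stable update it is worth stating in the changelog that this patch does not change the library ABI: the only edit to the public header include/graphite2/Font.h is the doc comment on `gr_face_dumbRendering = 1` (the enum and its value stay), while the signature that changes, `Loader(const Face & face, const bool dumb_font)` becoming `Loader(const Face & face)`, belongs to `class GlyphCache::Loader`, which is declared in src/GlyphCache.cpp rather than in a public header. Callers in stretch that pass `gr_face_dumbRendering` still compile and link but no longer get the fallback, so reverse dependencies should be checked for that flag before upload. As with the jessie debdiff, the hunk ends mid-comment at `+-//  and dividing by either 2 or 4 depending on `, so the rest of the patch is not visible here.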

Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()

2018-03-10 Thread Salvatore Bonaccorso
Source: graphite2
Version: 1.3.10-8
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/silnrsi/graphite/issues/22
Control: found -1 1.3.11-1

Hi,

the following vulnerability was published for graphite2.

CVE-2018-7999[0]:
| In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
| vulnerability was found in Segment.cpp during a dumbRendering
| operation, which may allow attackers to cause a denial of service or
| possibly have unspecified other impact via a crafted .ttf file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
[1] https://github.com/silnrsi/graphite/issues/22

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore