Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()
Hi,

On Sun, Mar 11, 2018 at 06:56:30PM +0100, Moritz Mühlenhoff wrote:
> On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> > Hi,
> > 
> > On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > > CVE-2018-7999[0]:
> > > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > > | vulnerability was found in Segment.cpp during a dumbRendering
> > > | operation, which may allow attackers to cause a denial of service or
> > > | possibly have unspecified other impact via a crafted .ttf file.
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > > [1] https://github.com/silnrsi/graphite/issues/22
> > 
> > upstream fix backported. Uploaded to sid.
> > 
> > Merged this for jessie and stretch, too. See attached debdiffs. Want me
> > to upload for a DSA?
> 
> This doesn't warrant a DSA, we can either postpone until the next more
> severe graphite vulnerability or fix it via a point update.

OK.

Regards,

Rene
Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()
On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> Hi,
> 
> On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > CVE-2018-7999[0]:
> > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > | vulnerability was found in Segment.cpp during a dumbRendering
> > | operation, which may allow attackers to cause a denial of service or
> > | possibly have unspecified other impact via a crafted .ttf file.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > [1] https://github.com/silnrsi/graphite/issues/22
> 
> upstream fix backported. Uploaded to sid.
> 
> Merged this for jessie and stretch, too. See attached debdiffs. Want me
> to upload for a DSA?

This doesn't warrant a DSA, we can either postpone until the next more
severe graphite vulnerability or fix it via a point update.

Cheers,
        Moritz
Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()
Hi,

On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > CVE-2018-7999[0]:
> > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > | vulnerability was found in Segment.cpp during a dumbRendering
> > | operation, which may allow attackers to cause a denial of service or
> > | possibly have unspecified other impact via a crafted .ttf file.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > [1] https://github.com/silnrsi/graphite/issues/22
> 
> upstream fix backported. Uploaded to sid.
> 
> Merged this for jessie and stretch, too. See attached debdiffs. Want me
> to upload for a DSA?
> 
> (for the jessie branch I also had an embarrassing typo fix pending.
> Included. If I should remove that one I can, though, too)

I'll remove that one, since stretch doesn't have it done either... New diff
attached.

Regards,

Rene

diff -Nru graphite2-1.3.10/debian/changelog graphite2-1.3.10/debian/changelog --- graphite2-1.3.10/debian/changelog 2017-06-14 23:13:46.0 +0200 +++ graphite2-1.3.10/debian/changelog 2018-03-11 13:51:44.0 +0100 
@@ -1,3 +1,10 @@ +graphite2 (1.3.10-1~deb8u2) jessie-security; urgency=medium + + * backport upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6 +to fix CVE-2018-7999 (closes: #892590) + + -- Rene EngelhardSun, 11 Mar 2018 13:51:44 +0100 + graphite2 (1.3.10-1~deb8u1) jessie-security; urgency=high * rebuild for jessie-security diff -Nru graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff --- graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff 1970-01-01 01:00:00.0 +0100 +++ graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff 2018-03-11 13:50:58.0 +0100 
@@ -0,0 +1,221 @@ +diff --git a/include/graphite2/Font.h b/include/graphite2/Font.h +index efe2af9f..a4e35243 100644 +--- a/include/graphite2/Font.h b/include/graphite2/Font.h +@@ -56,7 +56,7 @@ GR2_API void gr_engine_version(int *nMajor, int *nMinor, int *nBugFix); + enum gr_face_options { + /** No preload, no cmap caching, fail if the graphite tables are invalid */ + gr_face_default = 0, +-/** Dumb rendering will be enabled if the graphite tables are invalid */ ++/** Dumb rendering will be enabled if the graphite tables are invalid. DEPRECATED. */ + gr_face_dumbRendering = 1, + /** preload glyphs at construction time */ + gr_face_preloadGlyphs = 2, +diff --git a/src/GlyphCache.cpp b/src/GlyphCache.cpp +index c4ab807b..1acf7f98 100644 +--- a/src/GlyphCache.cpp b/src/GlyphCache.cpp +@@ -84,7 +84,7 @@ const SlantBox SlantBox::empty = {0,0,0,0}; + class GlyphCache::Loader + { + public: +-Loader(const Face & face, const bool dumb_font);//return result indicates success. Do not use if failed. ++Loader(const Face & face);//return result indicates success. Do not use if failed. + + operator bool () const throw(); + unsigned short int units_per_em() const throw(); +@@ -115,7 +115,7 @@ class GlyphCache::Loader + + + GlyphCache::GlyphCache(const Face & face, const uint32 face_options) +-: _glyph_loader(new Loader(face, bool(face_options & gr_face_dumbRendering))), ++: _glyph_loader(new Loader(face)), + _glyphs(_glyph_loader && *_glyph_loader && _glyph_loader->num_glyphs() + ? 
grzeroalloc(_glyph_loader->num_glyphs()) : 0), + _boxes(_glyph_loader && _glyph_loader->has_boxes() && _glyph_loader->num_glyphs() +@@ -239,7 +239,7 @@ const GlyphFace *GlyphCache::glyph(unsigned short glyphid) const //result m + + + +-GlyphCache::Loader::Loader(const Face & face, const bool dumb_font) ++GlyphCache::Loader::Loader(const Face & face) + : _head(face, Tag::head), + _hhea(face, Tag::hhea), + _hmtx(face, Tag::hmtx), +@@ -265,52 +265,49 @@ GlyphCache::Loader::Loader(const Face & face, const bool dumb_font) + return; + } + +-if (!dumb_font) ++if ((m_pGlat = Face::Table(face, Tag::Glat, 0x0003)) == NULL ++|| (m_pGloc = Face::Table(face, Tag::Gloc)) == NULL ++|| m_pGloc.size() < 8) + { +-if ((m_pGlat = Face::Table(face, Tag::Glat, 0x0003)) == NULL +-|| (m_pGloc = Face::Table(face, Tag::Gloc)) == NULL +-|| m_pGloc.size() < 8) +-{ +-_head = Face::Table(); +-return; +-} +-const byte* p = m_pGloc; +-int version = be::read(p); +-const uint16flags = be::read(p); +-_num_attrs = be::read(p); +-//
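Review bot: the maintainer trailer in the jessie changelog hunk reads `-- Rene EngelhardSun, 11 Mar 2018 13:51:44 +0100`, with no `<email>` between the name and the date; if that is not merely the angle brackets being lost in extraction, `dpkg-parsechangelog` will reject the entry and the build fails, so it should be `-- Rene Engelhard <address>  Sun, 11 Mar 2018 13:51:44 +0100` (two spaces before the date). The entry could also say that `gr_face_dumbRendering` no longer influences glyph loading after this backport (the option is kept in the enum but marked DEPRECATED, and `GlyphCache::GlyphCache` stops passing it to `Loader`), since that is a visible behaviour change for jessie users of the flag.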
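Review bot: nothing in the visible part of this debdiff touches `debian/patches/series`, and the hunk adding `db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff` is cut off after roughly the first fifty of its 221 lines, so confirm the uploaded package lists the new file in `series`; without that entry `dpkg-source` never applies it and the binary ships unfixed. On the backported content itself: removing the `if (!dumb_font)` guard in `GlyphCache::Loader::Loader` makes the `Glat`/`Gloc` presence and `m_pGloc.size() < 8` check unconditional, so a font that lacks those tables now fails face loading instead of continuing into the dumb-rendering path the CVE text describes; keeping `gr_face_dumbRendering = 1` in the enum while documenting it as DEPRECATED preserves the API/ABI for a stable update, which is the right trade-off here.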
Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()
Hi,

On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> CVE-2018-7999[0]:
> | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> | vulnerability was found in Segment.cpp during a dumbRendering
> | operation, which may allow attackers to cause a denial of service or
> | possibly have unspecified other impact via a crafted .ttf file.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> [1] https://github.com/silnrsi/graphite/issues/22

upstream fix backported. Uploaded to sid.

Merged this for jessie and stretch, too. See attached debdiffs. Want me
to upload for a DSA?

(for the jessie branch I also had an embarrassing typo fix pending.
Included. If I should remove that one I can, though, too)

Regards,

Rene

diff -Nru graphite2-1.3.10/debian/changelog graphite2-1.3.10/debian/changelog --- graphite2-1.3.10/debian/changelog 2017-05-06 13:20:52.0 +0200 +++ graphite2-1.3.10/debian/changelog 2018-03-11 13:44:49.0 +0100 @@ -1,3 +1,10 @@ +graphite2 (1.3.10-1+deb9u1) stretch-security; urgency=medium + + * backport upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6 +to fix CVE-2018-7999 (closes: #892590) + + -- Rene EngelhardSun, 11 Mar 2018 13:44:49 +0100 + graphite2 (1.3.10-1) unstable; urgency=medium * New upstream version 1.3.10 diff -Nru graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff --- graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff 1970-01-01 01:00:00.0 +0100 +++ graphite2-1.3.10/debian/patches/db132b4731a9b4c9534144ba3a18e65b390e9ff6.diff 2018-03-11 13:44:16.0 +0100 
@@ -0,0 +1,221 @@ +diff --git a/include/graphite2/Font.h b/include/graphite2/Font.h +index efe2af9f..a4e35243 100644 +--- a/include/graphite2/Font.h b/include/graphite2/Font.h +@@ -56,7 +56,7 @@ GR2_API void gr_engine_version(int *nMajor, int *nMinor, int *nBugFix); + enum gr_face_options { + /** No preload, no cmap caching, fail if the graphite tables are invalid */ + gr_face_default = 0, +-/** Dumb rendering will be enabled if the graphite tables are invalid */ ++/** Dumb rendering will be enabled if the graphite tables are invalid. DEPRECATED. */ + gr_face_dumbRendering = 1, + /** preload glyphs at construction time */ + gr_face_preloadGlyphs = 2, +diff --git a/src/GlyphCache.cpp b/src/GlyphCache.cpp +index c4ab807b..1acf7f98 100644 +--- a/src/GlyphCache.cpp b/src/GlyphCache.cpp +@@ -84,7 +84,7 @@ const SlantBox SlantBox::empty = {0,0,0,0}; + class GlyphCache::Loader + { + public: +-Loader(const Face & face, const bool dumb_font);//return result indicates success. Do not use if failed. ++Loader(const Face & face);//return result indicates success. Do not use if failed. + + operator bool () const throw(); + unsigned short int units_per_em() const throw(); +@@ -115,7 +115,7 @@ class GlyphCache::Loader + + + GlyphCache::GlyphCache(const Face & face, const uint32 face_options) +-: _glyph_loader(new Loader(face, bool(face_options & gr_face_dumbRendering))), ++: _glyph_loader(new Loader(face)), + _glyphs(_glyph_loader && *_glyph_loader && _glyph_loader->num_glyphs() + ? 
grzeroalloc(_glyph_loader->num_glyphs()) : 0), + _boxes(_glyph_loader && _glyph_loader->has_boxes() && _glyph_loader->num_glyphs() +@@ -239,7 +239,7 @@ const GlyphFace *GlyphCache::glyph(unsigned short glyphid) const //result m + + + +-GlyphCache::Loader::Loader(const Face & face, const bool dumb_font) ++GlyphCache::Loader::Loader(const Face & face) + : _head(face, Tag::head), + _hhea(face, Tag::hhea), + _hmtx(face, Tag::hmtx), +@@ -265,52 +265,49 @@ GlyphCache::Loader::Loader(const Face & face, const bool dumb_font) + return; + } + +-if (!dumb_font) ++if ((m_pGlat = Face::Table(face, Tag::Glat, 0x0003)) == NULL ++|| (m_pGloc = Face::Table(face, Tag::Gloc)) == NULL ++|| m_pGloc.size() < 8) + { +-if ((m_pGlat = Face::Table(face, Tag::Glat, 0x0003)) == NULL +-|| (m_pGloc = Face::Table(face, Tag::Gloc)) == NULL +-|| m_pGloc.size() < 8) +-{ +-_head = Face::Table(); +-return; +-} +-const byte* p = m_pGloc; +-int version = be::read(p); +-const uint16flags = be::read(p); +-_num_attrs = be::read(p); +-// We can accurately calculate the number of attributed glyphs by +-// subtracting the length of the attribids array (numAttribs long if present) +-// and dividing by either 2 or 4 depending on
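Review bot: the stretch changelog trailer `-- Rene EngelhardSun, 11 Mar 2018 13:44:49 +0100` has the same missing `<email>` as the jessie one; unless that is an extraction artifact, `dpkg-parsechangelog` will reject it, so it needs the `Name <address>  date` form. The stretch entry targets `1.3.10-1+deb9u1` on `stretch-security`, which is consistent with the `1.3.10-1` base version shown in the context lines.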
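Review bot: as with the jessie debdiff, no `debian/patches/series` change is visible and the 221-line patch file is truncated in this copy (it stops inside the removed `Gloc` parsing block, at the comment about calculating the number of attributed glyphs), so verify that the series entry exists and that the rest of the upstream commit, including whatever replaces the removed `const byte* p = m_pGloc;` parsing block, was carried over unchanged; a partial apply here would leave `_num_attrs` unset and the loader in an undefined state.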
Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()
Source: graphite2
Version: 1.3.10-8
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/silnrsi/graphite/issues/22
Control: found -1 1.3.11-1

Hi,

the following vulnerability was published for graphite2.

CVE-2018-7999[0]:
| In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
| vulnerability was found in Segment.cpp during a dumbRendering
| operation, which may allow attackers to cause a denial of service or
| possibly have unspecified other impact via a crafted .ttf file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7999
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
[1] https://github.com/silnrsi/graphite/issues/22

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore