Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

On Mon Jul 09, 2007 at 17:43:47 -0700, Steve Langasek wrote:

> Ok, uploading.
>
> sigh -- please kick this one out, I just noticed I built it with stable-security as the target.

I'd be happy to do that if you, or somebody else, could tell me how to do so.

> Let me know if you would like me to re-roll -7 or prepare a -8 instead.

I think we need a -8 if the -7 has been seen, right?

Steve
-- 

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

On Tue, Jul 10, 2007 at 11:11:05AM +0100, Steve Kemp wrote:
> On Mon Jul 09, 2007 at 17:43:47 -0700, Steve Langasek wrote:
> > Ok, uploading.
> >
> > sigh -- please kick this one out, I just noticed I built it with stable-security as the target.

> I'd be happy to do that if you, or somebody else, could tell me how to do so.

Hmm. :/ I don't know enough about the structure of the security.d.o dak setup to say. 'dak process-accepted' or 'dak process-unchecked', maybe?

> > Let me know if you would like me to re-roll -7 or prepare a -8 instead.

> I think we need a -8 if the -7 has been seen, right?

Depends on the extent to which it's been seen; but anyway, if there's doubt I may as well go ahead with a -8 so that we're not stalled while -7 is being cleaned out of the wrong queue.

I'm uploading -8 to oldstable-security now. Hopefully I got everything right this time. (Clearly I need to have security holes in my packages more frequently so that I become more adept at this!)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

On Sat, Jul 07, 2007 at 07:23:38PM +0200, Moritz Muehlenhoff wrote:
> On May 30, 2007 at 10:59:15PM +0100, Steve Kemp wrote:
> > > I haven't yet looked into whether this bug affects the sarge version of the package, I'll do that next (unless somebody here already knows the answer).

> > I was under the impression that it wasn't vulnerable, but I admit I've not yet checked. If we've not heard back by the time I make the upload I'll take a look myself.

> What has been the result? DSA 1302 doesn't mention Sarge.

I've just checked, and the implementation of TT_Load_Simple_Glyph() in freetype 2.1.7 has the same lack of bounds checking that 2.2 does. I would say a security update is warranted after all. :/

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

On Sat, Jul 07, 2007 at 07:23:38PM +0200, Moritz Muehlenhoff wrote:
> On May 30, 2007 at 10:59:15PM +0100, Steve Kemp wrote:
> > > I haven't yet looked into whether this bug affects the sarge version of the package, I'll do that next (unless somebody here already knows the answer).

> > I was under the impression that it wasn't vulnerable, but I admit I've not yet checked. If we've not heard back by the time I make the upload I'll take a look myself.

> What has been the result? DSA 1302 doesn't mention Sarge.

I've uploaded a freetype 2.1.7-7 package to http://people.debian.org/~vorlon/freetype/, signed and built for sarge.

Let me know if you would like me to upload this to security.d.o (I promise I'll even use the embargoed queue this time, so you don't have to go hunting for the upload ;).

Unfortunately, going back through my mail I see that there's another open security report against freetype, bug #426771. I have not investigated this at all to confirm which versions of freetype are affected. Please advise if you would like me to look into this for possible inclusion in 2.1.7-7.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

On Mon Jul 09, 2007 at 12:43:57 -0700, Steve Langasek wrote:

> I've uploaded a freetype 2.1.7-7 package to http://people.debian.org/~vorlon/freetype/, signed and built for sarge.

Thanks.

> Let me know if you would like me to upload this to security.d.o (I promise I'll even use the embargoed queue this time, so you don't have to go hunting for the upload ;).

That'd be grand, thanks.

> Unfortunately, going back through my mail I see that there's another open security report against freetype, bug #426771. I have not investigated this at all to confirm which versions of freetype are affected. Please advise if you would like me to look into this for possible inclusion in 2.1.7-7.

:( I think that for the moment it would be best to push this out so that we're all on a level playing field. (Which reminds me some of the slower buildds have started catching up too..)

Steve
-- 
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

On Mon, Jul 09, 2007 at 09:38:53PM +0100, Steve Kemp wrote:
> On Mon Jul 09, 2007 at 12:43:57 -0700, Steve Langasek wrote:
> > I've uploaded a freetype 2.1.7-7 package to http://people.debian.org/~vorlon/freetype/, signed and built for sarge.

> Thanks.

> > Let me know if you would like me to upload this to security.d.o (I promise I'll even use the embargoed queue this time, so you don't have to go hunting for the upload ;).

> That'd be grand, thanks.

> > Unfortunately, going back through my mail I see that there's another open security report against freetype, bug #426771. I have not investigated this at all to confirm which versions of freetype are affected. Please advise if you would like me to look into this for possible inclusion in 2.1.7-7.

> :( I think that for the moment it would be best to push this out so that we're all on a level playing field. (Which reminds me some of the slower buildds have started catching up too..)

Ok, uploading.

I'll let y'all know when I have something for bug #426771.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

On Mon, Jul 09, 2007 at 02:21:15PM -0700, Steve Langasek wrote:
> On Mon, Jul 09, 2007 at 09:38:53PM +0100, Steve Kemp wrote:
> > On Mon Jul 09, 2007 at 12:43:57 -0700, Steve Langasek wrote:
> > > I've uploaded a freetype 2.1.7-7 package to http://people.debian.org/~vorlon/freetype/, signed and built for sarge.

> > Thanks.

> > > Let me know if you would like me to upload this to security.d.o (I promise I'll even use the embargoed queue this time, so you don't have to go hunting for the upload ;).

> > That'd be grand, thanks.

> > > Unfortunately, going back through my mail I see that there's another open security report against freetype, bug #426771. I have not investigated this at all to confirm which versions of freetype are affected. Please advise if you would like me to look into this for possible inclusion in 2.1.7-7.

> > :( I think that for the moment it would be best to push this out so that we're all on a level playing field. (Which reminds me some of the slower buildds have started catching up too..)

> Ok, uploading.

sigh -- please kick this one out, I just noticed I built it with stable-security as the target.

Let me know if you would like me to re-roll -7 or prepare a -8 instead.

Also, I've looked into 426771 now and have confirmed it applies to 2.2.1; I assume it also applies to 2.1.7. So I can include that in -8 if that's easier.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

On May 30, 2007 at 10:59:15PM +0100, Steve Kemp wrote:
> > I haven't yet looked into whether this bug affects the sarge version of the package, I'll do that next (unless somebody here already knows the answer).

> I was under the impression that it wasn't vulnerable, but I admit I've not yet checked. If we've not heard back by the time I make the upload I'll take a look myself.

What has been the result? DSA 1302 doesn't mention Sarge.

Cheers,
Moritz
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

On Tue, May 29, 2007 at 12:15:41PM +0100, Steve Kemp wrote:
> On Sun May 27, 2007 at 12:47:58 +0200, Moritz Muehlenhoff wrote:
> > I guess we should fix this, it's indirectly remotely exploitable at least by providing someone a malformed TTF font file. As libfreetype is an important infrastructure library there might also be unforeseen indirect attack vectors, like embedding TTFs in other document types, etc.

> Agreed.

> > Steve Kemp wanted to work on a DSA, so you should probably check back with him before preparing an upload.

> I was planning on handling this yes, so if there were a fixed package available for Etch then I'd appreciate seeing it.

Signed package for etch is on its way up to http://people.debian.org/~vorlon/freetype/ right now (built with -sa, so should indeed be ready for upload straight to security-master). Changelog is:

freetype (2.2.1-5+etch1) stable-security; urgency=high

  * debian/patches-freetype/CVE-2007-2754_ttgfload: address CVE-2007-2754,
    a bug allowing execution of arbitrary code via a crafted TTF image by
    way of an integer overflow.  Closes: #425625.

 -- Steve Langasek [EMAIL PROTECTED]  Wed, 23 May 2007 03:26:25 -0700

(hmm, date's wrong, that's what I get for just editing the existing -6 changelog entry and renumbering it. :)

Let me know if there's anything else you need from me for etch.

I haven't yet looked into whether this bug affects the sarge version of the package, I'll do that next (unless somebody here already knows the answer).

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

On Wed May 30, 2007 at 06:19:29 -0700, Steve Langasek wrote:

> Signed package for etch is on its way up to http://people.debian.org/~vorlon/freetype/ right now (built with -sa, so should indeed be ready for upload straight to security-master).

Thanks a lot, Steve.

> Let me know if there's anything else you need from me for etch.

Looks good, thanks. I'll upload tomorrow with an aim of getting it released on Friday.

> I haven't yet looked into whether this bug affects the sarge version of the package, I'll do that next (unless somebody here already knows the answer).

I was under the impression that it wasn't vulnerable, but I admit I've not yet checked. If we've not heard back by the time I make the upload I'll take a look myself.

Steve
-- 
http://www.steve.org.uk/
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

On Sun May 27, 2007 at 12:47:58 +0200, Moritz Muehlenhoff wrote:

> I guess we should fix this, it's indirectly remotely exploitable at least by providing someone a malformed TTF font file. As libfreetype is an important infrastructure library there might also be unforeseen indirect attack vectors, like embedding TTFs in other document types, etc.

Agreed.

> Steve Kemp wanted to work on a DSA, so you should probably check back with him before preparing an upload.

I was planning on handling this yes, so if there were a fixed package available for Etch then I'd appreciate seeing it.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

Hi Steve,

Steve Langasek wrote:
> Security team, I'm not sure if this warrants a DSA; I definitely don't see much risk of a remote exploit the way the CVE claims, I don't know of any applications that will load untrusted truetype fonts provided remotely across the network. If you do think a DSA is warranted here, let me know and I'll be happy to prepare an upload.

I guess we should fix this, it's indirectly remotely exploitable at least by providing someone a malformed TTF font file. As libfreetype is an important infrastructure library there might also be unforeseen indirect attack vectors, like embedding TTFs in other document types, etc.

Steve Kemp wanted to work on a DSA, so you should probably check back with him before preparing an upload.

Cheers,
Moritz
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

# no patch is included in this bug report
tags 425625 -patch
thanks

Hi Stefan,

On Tue, May 22, 2007 at 11:01:51PM +0200, Stefan Fritsch wrote:
> Package: libfreetype6
> Version: 2.2.1-5
> Severity: grave
> Tags: security patch
> Justification: user security hole

> A vulnerability has been found in freetype.

> CVE-2007-2754: Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.

Ok, I've prepared a stopgap 2.2.1-6 upload for unstable to fix this bug since I don't have the latest upstream version ready yet.

Security team, I'm not sure if this warrants a DSA; I definitely don't see much risk of a remote exploit the way the CVE claims, I don't know of any applications that will load untrusted truetype fonts provided remotely across the network. If you do think a DSA is warranted here, let me know and I'll be happy to prepare an upload.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

Package: libfreetype6
Version: 2.2.1-5
Severity: grave
Tags: security patch
Justification: user security hole

A vulnerability has been found in freetype.

CVE-2007-2754: Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.

A patch is at [1]. Please mention the CVE id in the changelog.

[1] http://cvs.savannah.nongnu.org/viewvc/freetype2/src/truetype/ttgload.c?root=freetype&r1=1.177&r2=1.178
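The bounds check this report calls for, as an added illustration written for this thread and not FreeType's own ttgload.c: a hypothetical validator for a TrueType simple-glyph header that derives n_points from the last contour end index and rejects a negative or oversized count before any buffer is sized from it. It goes slightly beyond the report by also rejecting truncated and non-increasing contour end tables; GLYPH_MAX_POINTS, validate_simple_glyph_points and read_s16 are assumed names, and the byte sequences in the comments are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified validator for the point count derived from a
 * TrueType simple-glyph header (numberOfContours, then endPtsOfContours[]).
 * Written for this thread as an illustration; it is not FreeType's ttgload.c. */

enum { GLYPH_MAX_POINTS = 4096 };   /* assumed capacity of the point buffer */

/* Read a big-endian 16-bit field as a signed short, the way a loader that
 * keeps contour end indices in a signed type sees it. */
static int16_t read_s16(const uint8_t *p)
{
    return (int16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Returns the validated point count (>= 0), or -1 if the header is malformed
 * or the count cannot safely size a buffer.  len is the bytes available. */
int validate_simple_glyph_points(const uint8_t *hdr, size_t len)
{
    if (len < 2)
        return -1;
    int16_t n_contours = read_s16(hdr);
    if (n_contours < 0)                      /* composite glyph, not simple */
        return -1;
    if (len < 2 + (size_t)n_contours * 2)    /* endPtsOfContours[] truncated */
        return -1;

    int32_t prev = -1;
    for (int i = 0; i < n_contours; i++) {
        int32_t end = read_s16(hdr + 2 + i * 2);
        /* n_points is conventionally endPts[last] + 1.  Taken from a signed
         * 16-bit field, a constructed byte pair such as 0x80 0x00 reads as
         * -32768, so the count goes negative: the signedness error class
         * CVE-2007-2754 describes.  Reject it here, before any arithmetic. */
        if (end < 0 || end <= prev)          /* negative or non-increasing */
            return -1;
        prev = end;
    }
    int32_t n_points = (n_contours > 0) ? prev + 1 : 0;
    if (n_points > GLYPH_MAX_POINTS)         /* larger than the buffer */
        return -1;
    return (int)n_points;
}
```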