
[Pkg-fonts-devel] Bug#605537: marked as done (CVE-2010-4259: fontforge: buffer overflow when parsing CHARSET_REGISTRY header of .BDF files)



Your message dated Sat, 04 Jun 2011 13:54:40 +0000
with message-id <E1QSrJI-0004Zb-KY@franck.debian.org>
and subject line Bug#605537: fixed in fontforge 0.0.20080429-1+lenny2
has caused the Debian Bug report #605537,
regarding CVE-2010-4259: fontforge: buffer overflow when parsing CHARSET_REGISTRY header of .BDF files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
605537: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605537
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Subject: fontforge: buffer overflow when opening .BDF files
Package: fontforge
Version: 0.0.20100501-2
Severity: important
Tags: security

Hello,

I have found a buffer overflow in fontforge when opening .BDF files. It is
a stack-based buffer overflow with full control over EIP, and it occurs
when parsing too long "CHARSET_REGISTRY" lines.

To reproduce, start fontforge with the attached example file as a parameter,
or start fontforge and then open the same file in the graphical interface.

-- System Information:
Debian Release: squeeze/sid
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fontforge depends on:
ii  libc6                   2.11.2-7         Embedded GNU C Library: Shared lib
ii  libcairo2               1.8.10-6         The Cairo 2D vector graphics libra
ii  libfontconfig1          2.8.0-2.1        generic font configuration library
ii  libfontforge1           0.0.20100501-2   font editor - runtime library
ii  libfreetype6            2.4.2-2.1        FreeType 2 font engine, shared lib
ii  libgdraw4               0.0.20100501-2   font editor - runtime graphics and
ii  libgif4                 4.1.6-9          library for GIF images (library)
ii  libglib2.0-0            2.24.2-1         The GLib library of C routines
ii  libice6                 2:1.0.6-2        X11 Inter-Client Exchange library
ii  libjpeg62               6b1-1            The Independent JPEG Group's JPEG
ii  libpango1.0-0           1.28.3-1         Layout and rendering of internatio
ii  libpng12-0              1.2.44-1         PNG library - runtime
ii  libpython2.6            2.6.6-6          Shared Python runtime library (ver
ii  libsm6                  2:1.1.1-1        X11 Session Management library
ii  libspiro0               20071029-2       a library for curve design
ii  libtiff4                3.9.4-5          Tag Image File Format (TIFF) libra
ii  libuninameslist0        0.0.20091231-1   a library of Unicode annotation da
ii  libx11-6                2:1.3.3-4        X11 client-side library
ii  libxft2                 2.1.14-2         FreeType-based font drawing librar
ii  libxml2                 2.7.8.dfsg-1     GNOME XML library
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

fontforge recommends no packages.

Versions of packages fontforge suggests:
pn  autotrace                     <none>     (no description available)
pn  fontforge-doc                 <none>     (no description available)
pn  fontforge-extras              <none>     (no description available)
pn  potrace                       <none>     (no description available)
pn  python-fontforge              <none>     (no description available)

-- no debconf information

-- 
Ulrik | Underground Stockholm | http://underground-stockholm.com/
STARTFONT 2.1
FONT -gnu-unifont-medium-r-normal--16-160-75-75-c-80-iso10646-1
SIZE 16 75 75
CHARSET_REGISTRY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FONTBOUNDINGBOX 16 16 0 -2
STARTPROPERTIES 2
FONT_ASCENT 14
FONT_DESCENT 2
ENDPROPERTIES
CHARS 1
STARTCHAR U+0041
ENCODING 65
SWIDTH 500 0
DWIDTH 8 0
BBX 8 16 0 -2
BITMAP 
00
00
00
00
18
24
24
42
42
7E
42
42
42
42
00
00
ENDCHAR
ENDFONT

--- End Message ---
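A length-checked way to read a `CHARSET_REGISTRY` property line of the kind the report describes, as an added example that is not part of the original report and is not fontforge's code. The function name, the 64-byte `REGISTRY_MAX` limit and the return codes are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REGISTRY_MAX 64  /* assumed destination size, not taken from fontforge */

/* Parse a BDF "CHARSET_REGISTRY <value>" line into out[outsz].
 * Returns 0 on success, -1 if the line is not a CHARSET_REGISTRY property,
 * -2 if the value does not fit (rejected, never truncated or overflowed). */
int parse_charset_registry(const char *line, char *out, size_t outsz)
{
    static const char key[] = "CHARSET_REGISTRY";
    const size_t klen = sizeof(key) - 1;
    const char *p, *end;
    size_t n;

    if (outsz == 0) return -2;
    out[0] = '\0';
    if (strncmp(line, key, klen) != 0 || !isspace((unsigned char)line[klen]))
        return -1;

    p = line + klen;
    while (isspace((unsigned char)*p)) p++;                   /* skip separator */
    end = p + strlen(p);
    while (end > p && isspace((unsigned char)end[-1])) end--; /* trim CR/LF */
    if (end - p >= 2 && *p == '"' && end[-1] == '"') { p++; end--; } /* unquote */

    n = (size_t)(end - p);
    if (n >= outsz)        /* the length check comes before any copy */
        return -2;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char out[REGISTRY_MAX], big[400] = "CHARSET_REGISTRY ";
    /* constructed inputs: one normal property line, one overlong value */
    memset(big + 17, 'A', 300);
    printf("%d\n", parse_charset_registry("CHARSET_REGISTRY \"ISO10646\"\n", out, sizeof out));
    printf("%d\n", parse_charset_registry(big, out, sizeof out));
    return 0;
}
```

Rejecting the overlong value, rather than truncating it, lets the caller treat the font file as malformed and stop parsing.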
--- Begin Message ---
Source: fontforge
Source-Version: 0.0.20080429-1+lenny2

We believe that the bug you reported is fixed in the latest version of
fontforge, which is due to be installed in the Debian FTP archive:

fontforge-doc_0.0.20080429-1+lenny2_all.deb
  to main/f/fontforge/fontforge-doc_0.0.20080429-1+lenny2_all.deb
fontforge_0.0.20080429-1+lenny2.diff.gz
  to main/f/fontforge/fontforge_0.0.20080429-1+lenny2.diff.gz
fontforge_0.0.20080429-1+lenny2.dsc
  to main/f/fontforge/fontforge_0.0.20080429-1+lenny2.dsc
fontforge_0.0.20080429-1+lenny2_amd64.deb
  to main/f/fontforge/fontforge_0.0.20080429-1+lenny2_amd64.deb
python-fontforge_0.0.20080429-1+lenny2_amd64.deb
  to main/f/fontforge/python-fontforge_0.0.20080429-1+lenny2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605537@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated fontforge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 31 May 2011 21:18:28 +0200
Source: fontforge
Binary: fontforge fontforge-doc python-fontforge
Architecture: source amd64 all
Version: 0.0.20080429-1+lenny2
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Fonts Task Force <pkg-fonts-devel@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 fontforge  - Font editor for PS, TrueType and OpenType fonts
 fontforge-doc - Documentation for FontForge
 python-fontforge - Python bindings for FontForge
Closes: 605537
Changes: 
 fontforge (0.0.20080429-1+lenny2) oldstable-security; urgency=low
 .
   * Non-maintainer upload.
   * No-changes rebuild because lenny is now oldstable.
 .
 fontforge (0.0.20080429-1+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload during Security Team meeting
   * CVE-2010-4259 (closes: #605537).
Checksums-Sha1: 
Checksums-Sha256: 
Files: 




--- End Message ---
