
Fwd: Wrong patch [SECURITY] [DSA 1095-1] New freetype packages fix several vulnerabilities



Hello debian-security,

Because there has been no reaction to this post of mine to security@debian.org
(see below), I am forwarding it to this mailing list. This bug has been
reported by several people by now. A patch is available (below). See Bug #373581.


----- Forwarded message from Stanislav Maslovski <stanislav.maslovski@gmail.com> -----

Date: Mon, 12 Jun 2006 15:47:13 +0400
From: Stanislav Maslovski <stanislav.maslovski@gmail.com>
To: Martin Schulze <joey@infodrom.org>
Cc: security@debian.org
Subject: Re: [SECURITY] [DSA 1095-1] New freetype packages fix several vulnerabilities
User-Agent: Mutt/1.5.9i

Hello,

I noticed random crashes of xfs and other apps on my system after upgrading
libfreetype on sarge. The reason is the incorrect patch
400-CVE-2006-2493_integer-overflows.diff
which introduces a division by zero in certain situations.

A patch that solves this problem is attached. It should be applied after all
other patches.

On Sat, Jun 10, 2006 at 07:22:33AM +0200, Martin Schulze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1095-1                    security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> June 10th, 2006                          http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
> 
> Package        : freetype
> Vulnerability  : integer overflows
> Problem type   : local (remote)
> Debian-specific: no
> CVE IDs        : CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661
> CERT advisory  : 
> BugTraq ID     : 18034
> Debian Bug     : 
> 
> Several problems have been discovered in the FreeType 2 font engine.
> The Common vulnerabilities and Exposures project identifies the
> following problems:
> 

[ skipped ]

diff -urN a/src/raster/ftrend1.c b/src/raster/ftrend1.c
--- freetype-2.1.7.orig/src/raster/ftrend1.c	2006-06-12 14:10:19.000000000 +0400
+++ freetype-2.1.7/src/raster/ftrend1.c	2006-06-12 15:10:59.000000000 +0400
@@ -176,7 +176,7 @@
     bitmap->rows  = height;
     bitmap->pitch = pitch;
 
-    if ((FT_ULong)pitch > LONG_MAX/height)
+    if ( height == 0 || (FT_ULong)pitch > LONG_MAX/height )
       goto Exit;
 
     if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )
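Review bot: the new `height == 0 ||` test is correctly placed ahead of `LONG_MAX/height`, so the short-circuit keeps the division from executing, but it routes a zero-height bitmap to `Exit` on the same path as the overflow case even though `bitmap->rows` and `bitmap->pitch` have already been stored two lines above; please confirm what `error` holds at `Exit` so that an empty glyph is not reported as the same failure as an oversized one, or return success there with `bitmap->buffer` deliberately left unallocated. Also note that `height` is divided with whatever type it has in the enclosing function (not visible in this hunk) while `pitch` is cast to `FT_ULong`, so the comparison is done in unsigned arithmetic; the multiplication in `FT_ALLOC` on the last line is consistent with that, which is good.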
diff -urN a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c
--- freetype-2.1.7.orig/src/winfonts/winfnt.c	2006-06-12 14:10:19.000000000 +0400
+++ freetype-2.1.7/src/winfonts/winfnt.c	2006-06-12 15:15:16.000000000 +0400
@@ -616,7 +616,7 @@
 
       /* note: since glyphs are stored in columns and not in rows we */
       /*       can't use ft_glyphslot_set_bitmap                     */
-      if (pitch > LONG_MAX/bitmap->rows)
+      if ( bitmap->rows == 0 || pitch > LONG_MAX/bitmap->rows )
 	goto Exit;
 
       if ( FT_ALLOC( bitmap->buffer, pitch * bitmap->rows ) )
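Review bot: unlike the ftrend1.c hunk, `pitch` here is compared as `pitch > LONG_MAX/bitmap->rows` without a cast to `FT_ULong`, and the `pitch * bitmap->rows` passed to `FT_ALLOC` on the last line is uncast as well; if `pitch` is a signed type a negative value passes the comparison and the product wraps, so either cast consistently with the other hunk or reject `pitch <= 0` explicitly before this check. The `bitmap->rows == 0 ||` guard itself is correctly short-circuited ahead of the division; as in the other file, confirm what `error` the `goto Exit` path reports for a legitimately empty glyph.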


----- End forwarded message -----

-- 
Станислав
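The size check from the two hunks above, factored into a stand-alone C function so the zero-row case can be exercised without crashing: this is an added example, not the patch's or FreeType's code, and it assumes FreeType's `FT_ULong` is `unsigned long`; the function and type names are my own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: FreeType's FT_ULong is unsigned long. The names in this
 * example are its own, not FreeType's. */
typedef unsigned long ft_ulong;

/* Decide whether a bitmap of `rows` rows with `pitch` bytes per row may be
 * allocated as pitch * rows bytes without exceeding LONG_MAX.
 * Returns 1 and stores the byte count in *size when allocation may proceed;
 * returns 0 when it must be skipped. This mirrors the patched hunks: a
 * zero-row bitmap takes the skip path, so the division LONG_MAX/rows that
 * crashed the DSA 1095-1 build is never reached with rows == 0. */
int bitmap_alloc_size_ok(ft_ulong pitch, ft_ulong rows, ft_ulong *size)
{
    *size = 0;
    if (rows == 0)                          /* empty glyph: nothing to allocate */
        return 0;
    if (pitch > (ft_ulong)LONG_MAX / rows)  /* pitch * rows would exceed LONG_MAX */
        return 0;
    *size = pitch * rows;                   /* cannot wrap: bounded by LONG_MAX */
    return 1;
}

int main(void)
{
    ft_ulong size;
    /* Constructed inputs: an ordinary glyph, the zero-row input that divided
     * by zero before the fix, and a product just past LONG_MAX. */
    struct { ft_ulong pitch, rows; } cases[] = {
        { 128, 64 },
        { 100, 0 },
        { (ft_ulong)LONG_MAX / 1000 + 1, 1000 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int ok = bitmap_alloc_size_ok(cases[i].pitch, cases[i].rows, &size);
        printf("pitch=%lu rows=%lu -> %s (size=%lu)\n", cases[i].pitch,
               cases[i].rows, ok ? "allocate" : "skip", size);
    }
    return 0;
}
```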
