
Re: security fix in X11 (libxfont - xfree86)



On Thursday 17 August 2006 00:45, Drew Parsons wrote:
> a security patch has been applied to libxfont in unstable (libxfont
> 1:1.2.0-2). The bug relates to broken pcf font files and is referenced
> in CVE-2006-3467.
>
> xfree86 in sarge is also affected, so the patch will want to be applied
> there too I think. The patch is named 10_pcf_font.patch and found at
> http://necrotic.deadbeast.net/svn/xorg-x11/tags/lib/libxfont/1:1.2.0-2/
>debian/patches/.
>
> The equivalent location in xfree86 is in xc/lib/font/.
>
> It may possibly be appropriate to consider applying
> 10_freetype_buffer_overflow.patch as well.

As sometime stable release manager for XFree86, I have prepared an update 
incorporating both patches. The debdiff against current stable is 
attached.

Drew:
- is it correct that there is no CVE number associated with the second patch?
- any way to test if the vulnerabilities are actually fixed?

I had to modify the patches linked by Drew slightly to make them apply 
cleanly:
- update line numbers for most hunks because of offsets
- change the first hunk for lib/font/bitmap/pcfread.c because of a
  slightly different context

The resulting version builds cleanly and is currently running without problems on 
my laptop (though I'm not certain that ordinary use actually exercises the modified 
PCF and FreeType code paths, so this is not a test of the fixes themselves).

If the security team is OK with these changes, please let me know and I'll 
commit them to the xfree86 Sarge branch of the XSF repo and create a 
final version ready for upload.

Please respond ASAP as I plan to go on holiday in a few days...

Cheers,
FJP

diff -u xfree86-4.3.0.dfsg.1/debian/changelog xfree86-4.3.0.dfsg.1/debian/changelog
--- xfree86-4.3.0.dfsg.1/debian/changelog
+++ xfree86-4.3.0.dfsg.1/debian/changelog
@@ -1,3 +1,13 @@
+xfree86 (4.3.0.dfsg.1-14sarge2) stable-security; urgency=high
+
+  * Security update release.  Resolves the following issues:
+    + CVE-2006-3467: integer overflow in FreeType before 2.2 allows remote
+      attackers to cause a denial of service (crash) and possibly execute
+      arbitrary code via unknown vectors.
+    + freetype buffer overflow (no known exploits).
+
+ -- Frans Pop <fjp@debian.org>  Fri, 18 Aug 2006 23:13:32 +0200
+
 xfree86 (4.3.0.dfsg.1-14sarge1) stable-security; urgency=high
 
   * Security update release.  Resolves the following issue:
@@ -7940,5 +7950,5 @@
   xfree86-common package for the remainder of this changelog.
 
-  $Id: changelog 2275 2005-06-01 05:03:54Z fabbione $
+  $Id: changelog 2297 2005-09-19 20:33:19Z fjp $
 
   vim:set ai et sts=2 sw=2 tw=78:
+--- xc.before099zc/lib/font/bitmap/pcfread.c
++++ xc/lib/font/bitmap/pcfread.c
+@@ -45,6 +45,7 @@ from The Open Group.
+ #else
+ #include <varargs.h>
+ #endif
++#include <stdint.h>
+ 
+ void
+ #if NeedVarargsPrototypes
+@@ -143,6 +144,10 @@ pcfReadTOC(FontFilePtr file, int *countp
+ 	return (PCFTablePtr) NULL;
+     count = pcfGetLSB32(file);
+     if (IS_EOF(file)) return (PCFTablePtr) NULL;
++    if (count < 0 || count > INT32_MAX / sizeof(PCFTableRec)) {
++	pcfError("pcfReadTOC(): invalid file format\n");
++	return NULL;
++    }
+     tables = (PCFTablePtr) xalloc(count * sizeof(PCFTableRec));
+     if (!tables) {
+       pcfError("pcfReadTOC(): Couldn't allocate tables (%d*%d)\n", count, sizeof(PCFTableRec));
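Review bot: The new bound in pcfReadTOC lets `count == 0` through, so a font whose table of contents declares no tables reaches `xalloc(0)`; whether that returns NULL (and hits the "Couldn't allocate" path) or a zero-length allocation that the following table loop treats as valid depends on xalloc, which is outside this hunk. pcfGetProperties in the same patch rejects the empty case explicitly with `nprops <= 0`; doing the same here, `if (count <= 0 || count > INT32_MAX / sizeof(PCFTableRec)) {`, keeps the two checks consistent and makes the rejection independent of allocator behaviour. The rest of pcfReadTOC, including how the table entries are read, lies outside this hunk.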
+@@ -262,6 +267,10 @@ pcfGetProperties(FontInfoPtr pFontInfo, 
+     if (!PCF_FORMAT_MATCH(format, PCF_DEFAULT_FORMAT))
+ 	goto Bail;
+     nprops = pcfGetINT32(file, format);
++    if (nprops <= 0 || nprops > INT32_MAX / sizeof(FontPropRec)) {
++	pcfError("pcfGetProperties(): invalid nprops value (%d)\n", nprops);
++	goto Bail;
++    }
+     if (IS_EOF(file)) goto Bail;
+     props = (FontPropPtr) xalloc(nprops * sizeof(FontPropRec));
+     if (!props) {
+@@ -277,6 +286,13 @@ pcfGetProperties(FontInfoPtr pFontInfo, 
+ 	props[i].name = pcfGetINT32(file, format);
+ 	isStringProp[i] = pcfGetINT8(file, format);
+ 	props[i].value = pcfGetINT32(file, format);
++	if (props[i].name < 0 
++	    || (isStringProp[i] != 0 && isStringProp[i] != 1)
++	    || (isStringProp[i] && props[i].value < 0)) {
++	    pcfError("pcfGetProperties(): invalid file format %d %d %d\n",
++		     props[i].name, isStringProp[i], props[i].value);
++	    goto Bail;
++	}
+ 	if (IS_EOF(file)) goto Bail;
+     }
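Review bot: The added check only rejects negative `name` and `value` offsets; nothing in this hunk, or in the other hunks of this patch, bounds them by the `string_size` that pcfGetProperties reads later, before they are used to index the strings buffer. If the unpatched code outside this hunk still forms `strings + props[i].name` without that comparison, a large positive offset in a crafted font reads beyond the allocation, so please confirm against the full function and, if the check is missing, add `if (props[i].name >= string_size) goto Bail;` (and the same for `props[i].value` when `isStringProp[i]`) once `string_size` is known. The sign check here remains useful because the offsets are read as signed INT32 values.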
+     /* pad the property array */
+@@ -292,6 +308,7 @@ pcfGetProperties(FontInfoPtr pFontInfo, 
+     }
+     if (IS_EOF(file)) goto Bail;
+     string_size = pcfGetINT32(file, format);
++    if (string_size < 0) goto Bail;
+     if (IS_EOF(file)) goto Bail;
+     strings = (char *) xalloc(string_size);
+     if (!strings) {
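Review bot: `if (string_size < 0) goto Bail;` bails silently, unlike every other check this patch adds, which logs through pcfError before bailing; a font rejected here gives no indication of why. It also admits `string_size == 0`, which reaches `xalloc(0)` even though the `nprops <= 0` check earlier in this patch guarantees at least one property whose name must be a NUL-terminated string inside this buffer. Suggest `if (string_size <= 0) { pcfError("pcfGetProperties(): invalid string_size (%d)\n", string_size); goto Bail; }`.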
+@@ -432,6 +449,10 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
+     else
+ 	nmetrics = pcfGetINT16(file, format);
+     if (IS_EOF(file)) goto Bail;
++    if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
++	pcfError("pcfReadFont(): invalid file format\n");
++	goto Bail;
++    }
+     metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
+     if (!metrics) {
+       pcfError("pcfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
+@@ -457,7 +478,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
+     nbitmaps = pcfGetINT32(file, format);
+     if (nbitmaps != nmetrics || IS_EOF(file))
+ 	goto Bail;
+-
++    /* nmetrics is alreadt ok, so nbitmap also is */
+     offsets = (CARD32 *) xalloc(nbitmaps * sizeof(CARD32));
+     if (!offsets) {
+       pcfError("pcfReadFont(): Couldn't allocate offsets (%d*%d)\n", nbitmaps, sizeof(CARD32));
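Review bot: The new comment `/* nmetrics is alreadt ok, so nbitmap also is */` has a typo ("alreadt") and names the variable wrongly (`nbitmaps`), and more importantly does not say why the conclusion holds. The reasoning is that the line above enforces `nbitmaps == nmetrics`, `nmetrics` was bounded against `INT32_MAX / sizeof(CharInfoRec)`, and this multiply uses `sizeof(CARD32)`, so it cannot overflow provided `sizeof(CARD32) <= sizeof(CharInfoRec)` (CharInfoRec is not visible here; confirm). Suggested wording: `/* nbitmaps == nmetrics, which is bounded above, and sizeof(CARD32) <= sizeof(CharInfoRec), so no overflow */`.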
+@@ -471,6 +492,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
+     for (i = 0; i < GLYPHPADOPTIONS; i++) {
+ 	bitmapSizes[i] = pcfGetINT32(file, format);
+ 	if (IS_EOF(file)) goto Bail;
++	if (bitmapSizes[i] < 0) goto Bail;
+     }
+     
+     sizebitmaps = bitmapSizes[PCF_GLYPH_PAD_INDEX(format)];
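Review bot: Rejecting negative `bitmapSizes[i]` protects the allocation made from `sizebitmaps`, but the per-glyph `offsets[]` allocated in the previous hunk are presumably positions inside that bitmap data, and nothing in this patch checks each `offsets[i]` against `sizebitmaps` before glyph bit pointers are derived from them. If the code that does so (outside this hunk) has no such comparison, a crafted font can still point a glyph past the end of the bitmap buffer; please confirm, and if absent add `if (offsets[i] > sizebitmaps) goto Bail;` in that loop. pcfReadFont continues outside this hunk.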
+@@ -546,6 +568,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
+ 	if (IS_EOF(file)) goto Bail;
+ 	if (nink_metrics != nmetrics)
+ 	    goto Bail;
++	/* nmetrics already checked */
+ 	ink_metrics = (xCharInfo *) xalloc(nink_metrics * sizeof(xCharInfo));
+       if (!ink_metrics) {
+           pcfError("pcfReadFont(): Couldn't allocate ink_metrics (%d*%d)\n", nink_metrics, sizeof(xCharInfo));       
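Review bot: The comment `/* nmetrics already checked */` justifies skipping an overflow check on `nink_metrics * sizeof(xCharInfo)` but leaves the reader to reconstruct the argument: the line above enforces `nink_metrics == nmetrics`, and `nmetrics` was bounded by `INT32_MAX / sizeof(CharInfoRec)`, which only covers this multiply if `sizeof(xCharInfo) <= sizeof(CharInfoRec)` (plausible if CharInfoRec embeds an xCharInfo, as the names suggest, but the types are not visible here — confirm). Suggest `/* nink_metrics == nmetrics, bounded above; relies on sizeof(xCharInfo) <= sizeof(CharInfoRec) */`.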
+@@ -819,6 +842,10 @@ pmfReadFont(FontPtr pFont, FontFilePtr f
+     else
+ 	nmetrics = pcfGetINT16(file, format);
+     if (IS_EOF(file)) goto Bail;
++    if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
++	pcfError("pmfReadFont(): invalid file format\n");
++	goto Bail;
++    }
+     metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
+     if (!metrics) {
+       pcfError("pmfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
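Review bot: This check in pmfReadFont is a verbatim copy of the one added to pcfReadFont earlier in the patch, and pcfReadTOC and pcfGetProperties carry the same pattern with different element sizes. A single static helper, e.g. `static int pcfCountFits(int n, size_t elem) { return n >= 0 && n <= INT32_MAX / elem; }`, would keep the four sites from drifting if the bound is ever tightened, and documents in one place that the signed/unsigned comparison is only safe because `n < 0` is tested first. The surrounding function body lies outside this hunk.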
only in patch2:
unchanged:
--- xfree86-4.3.0.dfsg.1.orig/debian/patches/099zb_SECURITY_freetype_buffer_overflow.diff
+++ xfree86-4.3.0.dfsg.1/debian/patches/099zb_SECURITY_freetype_buffer_overflow.diff
@@ -0,0 +1,32 @@
+From: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date: Thu, 13 Jul 2006 14:18:38 +0000 (-0400)
+Subject: Bug #7397: Fix a buffer overflow in Freetype font support.
+X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/lib/libXfont.git;a=commitdiff;h=1bf657186d19887a0916340b544b5534e29da081
+
+Bug #7397: Fix a buffer overflow in Freetype font support.
+---
+
+--- xc.before099za/lib/font/FreeType/fttools.c
++++ xc/lib/font/FreeType/fttools.c
+@@ -66,7 +66,7 @@ FTu2a(int slen, FT_Byte *from, char *to,
+ 
+     n = 0;
+     for (i = 0; i < slen; i += 2) {
+-        if(n >= max)
++        if(n >= max - 1)
+             break;
+         if(HIBYTE(from+i, byte)!=0)
+             *to++='?';
+@@ -132,9 +132,10 @@ FTGetEnglishName(FT_Face face, int nid, 
+     /* Pretend that Apple Roman is ISO 8859-1. */
+     if(FTGetName(face, nid, TT_PLATFORM_MACINTOSH, TT_MAC_ID_ROMAN, &name)) {
+         len = name.string_len;
+-        if(len > name_len)
+-            len = name_len;
++        if(len > name_len  - 1)
++            len = name_len - 1;
+         memcpy(name_return, name.string, len);
++        name_return[len] = '\0'; /* ensure nul terminaison */
+         return len;
+     }
+ 
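Review bot: In FTGetEnglishName the clamp `len = name_len - 1` followed by `name_return[len] = '\0'` assumes `name_len >= 1`; with `name_len == 0` the clamp yields `len = -1`, `memcpy` is handed `(size_t)-1` and the terminator is written before the buffer. The callers are outside this patch, so whether a zero-length buffer can arrive is unconfirmed, but a guard at function entry, `if (name_len < 1) return 0;` (or whatever the not-found path returns), closes it cheaply. FTu2a has the analogous `max == 0` case, where `n >= max - 1` breaks immediately and the terminator store after the loop (outside this hunk) still writes one byte. The comment `/* ensure nul terminaison */` should read `/* ensure NUL termination */`.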


