https://bugzilla.redhat.com/show_bug.cgi?id=1262377
Bug ID: 1262377
Summary: freetype: Infinite loop in parse_encoding in t1load.c
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: behdad@fedoraproject.org, erik-fedora@vanpienbroek.nl, fedora-mingw@lists.fedoraproject.org, fonts-bugs@lists.fedoraproject.org, kevin@tigcc.ticalc.org, lfarkas@lfarkas.org, mkasik@redhat.com, rjones@redhat.com
If the PostScript stream contains a broken number-with-base (e.g. "8#garbage") the cursor doesn't advance and parse_encoding enters an infinite loop.
Upstream patch:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=df14e6c0b...
CVE request:
http://seclists.org/oss-sec/2015/q3/537
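The failure mode described in the report, a number parser that makes no progress on a malformed base#digits token so the loop around it never terminates, shown as an added illustration in C. This is not FreeType's code and not the upstream patch linked above; the token grammar (decimal integers and base#digits, whitespace-separated names), the function names and the sample input are constructed for the example. scan_tokens runs the same token stream in three modes: LOOP_NAIVE advances only by what the parser consumed and so hangs on "8#garbage" (bounded here by max_steps), LOOP_ABORT fails closed on a non-advancing iteration, and LOOP_SKIP steps past the offending token and counts it. The property to check in any tokenizer loop is the invariant: every iteration must either consume at least one byte or exit.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not FreeType's code: a tokenizer for PostScript
 * numbers ("256", or base#digits such as "8#17" == 15) and the kind of
 * loop that walks a token stream.  The NAIVE mode reproduces the reported
 * failure: on "8#garbage" the parser consumes nothing and the loop spins. */

static int digit_value(int c, long base)
{
    const char *digits = "0123456789abcdefghijklmnopqrstuvwxyz";
    const char *hit = c ? strchr(digits, tolower((unsigned char)c)) : NULL;
    return hit && hit - digits < base ? (int)(hit - digits) : -1;
}

/* Length of the token at p: everything up to the next whitespace. */
static size_t token_len(const char *p, const char *limit)
{
    const char *q = p;
    while (q < limit && !isspace((unsigned char)*q)) q++;
    return (size_t)(q - p);
}

/* Parses "123" or "base#digits"; returns bytes consumed on success (value
 * in *out) and 0 on any syntax error or overflow. */
size_t parse_number(const char *p, const char *limit, long *out)
{
    const char *q = p, *digits;
    long dec = 0, val = 0;
    int d;
    while (q < limit && isdigit((unsigned char)*q)) {
        if (dec > (LONG_MAX - 9) / 10) return 0;
        dec = dec * 10 + (*q++ - '0');
    }
    if (q == p) return 0;
    if (q >= limit || *q != '#') { *out = dec; return (size_t)(q - p); }
    if (dec < 2 || dec > 36) return 0;              /* base out of range */
    digits = ++q;                                   /* skip '#' */
    while (q < limit && (d = digit_value((unsigned char)*q, dec)) >= 0) {
        if (val > (LONG_MAX - d) / dec) return 0;
        val = val * dec + d;
        q++;
    }
    if (q == digits) return 0;                      /* "8#garbage": no digit */
    *out = val;
    return (size_t)(q - p);
}

/* How the loop reacts when the number parser reports zero bytes consumed. */
enum loop_mode { LOOP_NAIVE, LOOP_ABORT, LOOP_SKIP };

/* Walks whitespace-separated tokens the way an encoding parser would:
 * numeric tokens go through parse_number, the rest are skipped as names.
 * Returns the token count; -1 if max_steps iterations pass without reaching
 * the end (the hang); -2 if LOOP_ABORT caught a non-advancing iteration.
 * *errors (may be NULL) receives the number of malformed numeric tokens. */
long scan_tokens(const char *s, enum loop_mode mode, long max_steps, int *errors)
{
    const char *p = s, *limit = s + strlen(s);
    long count = 0, v;
    int bad = 0;
    for (long step = 0; p < limit; step++) {
        size_t n;
        if (step >= max_steps) return -1;
        if (isspace((unsigned char)*p)) { p++; continue; }
        n = isdigit((unsigned char)*p) ? parse_number(p, limit, &v)
                                       : token_len(p, limit);
        if (n == 0) {                                /* parser made no progress */
            if (mode == LOOP_NAIVE) continue;        /* bug: same bytes again */
            if (mode == LOOP_ABORT) return -2;       /* fail closed */
            n = token_len(p, limit);                 /* LOOP_SKIP: step past it */
            bad++;
        }
        p += n;
        count++;
    }
    if (errors) *errors = bad;
    return count;
}

int main(void)
{
    const char *font = "dup 8#garbage 8#17 put";    /* constructed sample */
    int bad = 0;
    long skipped;
    printf("naive: %ld\n", scan_tokens(font, LOOP_NAIVE, 1000, NULL));
    printf("abort: %ld\n", scan_tokens(font, LOOP_ABORT, 1000, NULL));
    skipped = scan_tokens(font, LOOP_SKIP, 1000, &bad);
    printf("skip:  %ld tokens, %d malformed\n", skipped, bad);
    return 0;
}
```

Compile with `cc -std=c99` and run: the naive mode exhausts its step budget and returns -1 (without the budget it would never return), the abort mode returns -2 at the first non-advancing iteration, and the skip mode reports 4 tokens with 1 malformed number. Whether to abort or skip is a policy choice; what matters for the class of bug in this report is that neither mode lets the cursor stand still.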
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1262379
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1262380
Depends On| |1262381
Depends On| |1262382
--- Comment #1 from Adam Mariš amaris@redhat.com ---
Created freetype tracking bugs for this issue:
Affects: fedora-all [bug 1262381]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1262380 [Bug 1262380] mingw-freetype: freetype: Infinite loop in parse_encoding in t1load.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1262381 [Bug 1262381] freetype: Infinite loop in parse_encoding in t1load.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1262382 [Bug 1262382] mingw-freetype: freetype: Infinite loop in parse_encoding in t1load.c [epel-7]
--- Comment #2 from Adam Mariš amaris@redhat.com ---
Created mingw-freetype tracking bugs for this issue:
Affects: fedora-all [bug 1262380]
Affects: epel-7 [bug 1262382]
--- Comment #3 from Marek Kašík mkasik@redhat.com ---
It seems to me that this is already fixed in all maintained versions of Fedora. Check it please.
Bug 1262377 depends on bug 1262381, which changed state.
Bug 1262381 Summary: freetype: Infinite loop in parse_encoding in t1load.c [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1262381
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |NOTABUG
Bug 1262377 depends on bug 1262380, which changed state.
Bug 1262380 Summary: mingw-freetype: freetype: Infinite loop in parse_encoding in t1load.c [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1262380
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |NOTABUG
Bug 1262377 depends on bug 1262382, which changed state.
Bug 1262382 Summary: mingw-freetype: freetype: Infinite loop in parse_encoding in t1load.c [epel-7] https://bugzilla.redhat.com/show_bug.cgi?id=1262382
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |NOTABUG
--- Comment #4 from Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
Upstream freetype git suggests that this issue was addressed in freetype-2.5.3.
Therefore this issue is already fixed in all the maintained versions of Fedora.
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20140214,reported=20150911,source=internet,rhel-5/freetype=affected,rhel-6/freetype=affected,rhel-7/freetype=affected,fedora-all/mingw-freetype=affected,fedora-all/freetype=affected,epel-7/mingw-freetype=affected |impact=low,public=20140214,reported=20150911,source=internet,rhel-5/freetype=affected,rhel-6/freetype=affected,rhel-7/freetype=affected,fedora-all/mingw-freetype=notaffected,fedora-all/freetype=notaffected,epel-7/mingw-freetype=notaffected
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20140214,reported=20150911,source=internet,rhel-5/freetype=affected,rhel-6/freetype=affected,rhel-7/freetype=affected,fedora-all/mingw-freetype=notaffected,fedora-all/freetype=notaffected,epel-7/mingw-freetype=notaffected |impact=low,public=20140214,reported=20150911,source=internet,rhel-5/freetype=wontfix,rhel-6/freetype=wontfix,rhel-7/freetype=wontfix,fedora-all/mingw-freetype=notaffected,fedora-all/freetype=notaffected,epel-7/mingw-freetype=notaffected
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |WONTFIX
Last Closed| |2015-09-14 03:25:24
Martin Prpic mprpic@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Alias| |CVE-2014-9745
Martin Prpic mprpic@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|freetype: Infinite loop in parse_encoding in t1load.c |CVE-2014-9745 freetype: Infinite loop in parse_encoding in t1load.c
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20140214,reported=20150911,source=internet,rhel-5/freetype=wontfix,rhel-6/freetype=wontfix,rhel-7/freetype=wontfix,fedora-all/mingw-freetype=notaffected,fedora-all/freetype=notaffected,epel-7/mingw-freetype=notaffected |impact=low,public=20140214,reported=20150911,source=internet,cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P,rhel-5/freetype=wontfix,rhel-6/freetype=wontfix,rhel-7/freetype=wontfix,fedora-all/mingw-freetype=notaffected,fedora-all/freetype=notaffected,epel-7/mingw-freetype=notaffected
Ján Rusnačko jrusnack@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20140214,reported=20150911,source=internet,cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P,rhel-5/freetype=wontfix,rhel-6/freetype=wontfix,rhel-7/freetype=wontfix,fedora-all/mingw-freetype=notaffected,fedora-all/freetype=notaffected,epel-7/mingw-freetype=notaffected |impact=low,public=20140214,reported=20150911,source=internet,cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P,rhel-5/freetype=wontfix,rhel-6/freetype=wontfix,rhel-7/freetype=wontfix,fedora-all/mingw-freetype=notaffected,fedora-all/freetype=notaffected,epel-7/mingw-freetype=notaffected,cwe=CWE-835[auto]