oss-sec mailing list archives

CVE Request -- FontForge: Stack-based buffer overflow by processing specially-crafted CHARSET_REGISTRY font file header

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 02 Dec 2010 17:21:29 +0100

Hello Steve, vendors,

  Ulrik Persson reported a stack-based buffer overflow
flaw in the way FontForge font editor processed certain
Bitmap Distribution Format (BDF) font files, with
specially-crafted value of the CHARSET_REGISTRY header.
A remote attacker could create a specially-crafted BDF
font file and trick a local, unsuspecting user into
opening it in FontForge, which could lead to fontforge
executable crash or, potentially, arbitrary code execution
with the privileges of the user running the executable.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605537
[2] https://bugzilla.redhat.com/show_bug.cgi?id=659359

Public PoC:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=fontforge-overflow.txt;att=1;bug=605537

Flaw severity note:
On systems with compile time buffer checks (FORTIFY_SOURCE)
feature enabled, the impact of this flaw is mitigated to
be only crash.

Could you allocate a CVE id for this issue?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request -- FontForge: Stack-based buffer overflow by processing specially-crafted CHARSET_REGISTRY font file header Jan Lieskovsky (Dec 02)
- Re: CVE Request -- FontForge: Stack-based buffer overflow by processing specially-crafted CHARSET_REGISTRY font file header Josh Bressers (Dec 02)