Buffer overflow in Chromium affecting multiple packages

Welcome to the Snyk Monthly Vulnerability Profile. In this series, Snyk looks back on the vulnerabilities discovered by or reported to our Security Research Team. We choose one noteworthy vulnerability from the past month and tell the story behind the discovery, research, and disclosure of the vulnerability. We highlight the researchers, developers, and users who are helping identify and remediate vulnerabilities across the open source community.

This month we’re looking at a buffer overflow vulnerability discovered in the FreeType package used by Chromium and the subsequent work by Snyk to locate open source packages impacted by inclusion of vulnerable Chromium components.

Vulnerability: Buffer Overflow in FreeType

CVEs assigned: CVE-2020-15999

Snyk Analyst: Multiple

Discovered by: Sergei Glazunov of Google Project Zero

On November 2, 2020 CVE-2020-15999 was published to the National Vulnerability Database for a Buffer Overflow vulnerability that was discovered in the FreeType font rendering package used by the Chromium browser. According to a blog post published on the Chromium Project website, the initial report of the vulnerability was made on October 19, 2020. The initial description of the vulnerability states:

A vulnerability exists in the function `Load_SBit_Png`, which processes PNG images embedded into fonts. This function:

1) Obtains the image width and height from the header as 32-bit integers.

2) Truncates the obtained values to 16 bit and stores them in a `TT_SBit_Metrics` structure.

3) Uses the truncated values to calculate the bitmap size.

4) Allocates the backing store of that size.

5) Passes `png_struct` and the backing store to a libpng function.

The issue is that libpng uses the original 32-bit values, which are saved in `png_struct`. Therefore, if the original width and/or height are greater than 65535, the allocated buffer won't be able to fit the bitmap.

Buffer overflow vulnerabilities can allow an attacker to corrupt or manipulate heap memory. This creates the potential for the attacker to craft a malicious payload that results in the execution of arbitrary code on the vulnerable system.

Understanding the open source impact

The Snyk Security Research Team regularly monitors vulnerability reports and when there is potential impact to the open source community, investigates that impact. In the case of the Chromium browser, components published by the Chromium project are commonly leveraged within open source packages to provide web functionality. So upon disclosure of the buffer overflow vulnerability, the Snyk Research Team began searching for open source packages that contained the vulnerable versions of the Chromium component.

Ultimately, through their research, the Snyk team was able to identify six packages across multiple ecosystems that were impacted by the vulnerability in the FreeType package, and they are listed in the table below:

The four .Net components identified are controls that are available from the Chromium project directly. While updated versions of the components were released to fix the vulnerabilities, developers who use those components within their own applications or services would need to update to those new versions to remediate the vulnerability. 

Additionally, Snyk found that both the JavaScript and Java versions of the Electron framework also leverage vulnerable components from Chromium. Electron is a popular framework used in many high-profile applications including Discord. Updates were made to the Electronic framework and new versions of the framework were released in late October. Again, developers that leverage the framework would need to update to the new version to remove the vulnerability from their software.

In retrospect 

The story of the discovery of this buffer overflow vulnerability demonstrates yet another way in which the Snyk Security Research Team works to improve the overall security posture of the open source community. Seeking out where high-profile vulnerable packages, such as Chromium are used as dependencies in other projects helps ensure that the flaws are brought to light and open source maintainers can address them in their software.

Additionally, it allows Snyk to ensure that our Vulnerability Database has the most comprehensive information possible to ensure that developers can use open source security and be made aware when dependencies in their software contain vulnerabilities.