[CVE-2007-5503 security fix regression] firefox crashes after upgrading to libcairo2 1.4.10-1ubuntu4.1

Bug #173861 reported by Barosl LEE
Affects            Status        Importance  Assigned to  Milestone
cairo (Debian)     Fix Released  Unknown
libcairo (Ubuntu)  Fix Released  High        Unassigned
  Dapper           Invalid       Undecided   Kees Cook
  Edgy             Invalid       Undecided   Kees Cook
  Feisty           Fix Released  High        Kees Cook
  Gutsy            Fix Released  High        Kees Cook
  Hardy            Fix Released  High        Unassigned

Bug Description

After upgrading to libcairo2 1.4.10-1ubuntu4.1 using update-manager, Firefox crashes when viewing a document that contains text. It doesn't crash when viewing a picture.

barosl@deathnote ~ $ firefox
Floating point exception (core dumped)

Revision history for this message
Barosl LEE (barosl) wrote :

Appending more specific output from gdb.

----
Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread -1221547440 (LWP 15216)]
0xb7499395 in ?? () from /usr/lib/libcairo.so.2
(gdb) thread apply all bt

Thread 11 (Thread -1320498288 (LWP 15228)):
#0 0xb1cf9a02 in ?? () from /usr/lib/firefox/components/libstoragecomps.so
#1 0x08b05920 in ?? ()
#2 0x01000001 in ?? ()
#3 0x088159c0 in ?? ()
#4 0xb1d06104 in ?? () from /usr/lib/firefox/components/libstoragecomps.so
#5 0x088159c0 in ?? ()
#6 0x0873f3b8 in ?? ()
#7 0xb14abc44 in ?? ()
#8 0xb1cbc9a1 in ?? () from /usr/lib/firefox/components/libstoragecomps.so
#9 0x08804d90 in ?? ()
#10 0x00000001 in ?? ()
#11 0xb14abc34 in ?? ()
#12 0xb1cf7ecc in ?? () from /usr/lib/firefox/components/libstoragecomps.so
#13 0xb1d06104 in ?? () from /usr/lib/firefox/components/libstoragecomps.so
#14 0x08820098 in ?? ()
#15 0xb14abc44 in ?? ()
#16 0xb1cf9aa2 in ?? () from /usr/lib/firefox/components/libstoragecomps.so
#17 0x08820098 in ?? ()
#18 0x00000017 in ?? ()
#19 0xb14abe84 in ?? ()
#20 0xb1cf1bde in ?? () from /usr/lib/firefox/components/libstoragecomps.so
#21 0x08820098 in ?? ()
#22 0x00000001 in ?? ()
#23 0xb14abe04 in ?? ()
#24 0xb1cf8134 in ?? () from /usr/lib/firefox/components/libstoragecomps.so
#25 0x00000250 in ?? ()
#26 0x00000001 in ?? ()
#27 0xb77e9140 in ?? () from /lib/tls/i686/cmov/libc.so.6
#28 0xb1cf8367 in ?? () from /usr/lib/firefox/components/libstoragecomps.so
#29 0x08675a98 in ?? ()
#30 0xb1d0490c in ?? () from /usr/lib/firefox/components/libstoragecomps.so
#31 0x00000000 in ?? ()

Thread 10 (Thread -1328890992 (LWP 15227)):
#0 0xffffe410 in __kernel_vsyscall ()
#1 0xb7deb8fc in pthread_cond_timedwait@@GLIBC_2.3.2 ()
   from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7e18fd3 in ?? () from /usr/lib/libnspr4.so.0d
#3 0x080e2634 in ?? ()
#4 0x080e25d0 in ?? ()
#5 0xb0cab2fc in ?? ()
#6 0xb7dec285 in pthread_getspecific ()
   from /lib/tls/i686/cmov/libpthread.so.0
#7 0xb7e19e11 in PR_WaitCondVar () from /usr/lib/libnspr4.so.0d
#8 0xb707f057 in ?? () from /usr/lib/firefox/components/libnecko.so
#9 0x080e2630 in ?? ()
#10 0x0000ea42 in ?? ()
#11 0x080e25d0 in ?? ()
#12 0x00000000 in ?? ()

Thread 7 (Thread -1312105584 (LWP 15224)):
#0 0xffffe410 in __kernel_vsyscall ()
#1 0xb7deb676 in pthread_cond_wait@@GLIBC_2.3.2 ()
   from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7e19ea1 in PR_WaitCondVar () from /usr/lib/libnspr4.so.0d
#3 0xb1cb2ce6 in ?? () from /usr/lib/firefox/components/libstoragecomps.so
#4 0x08899708 in ?? ()
#5 0xffffffff in ?? ()
#6 0x00000000 in ?? ()

Thread 6 (Thread -1293292656 (LWP 15223)):
#0 0xffffe410 in __kernel_vsyscall ()
#1 0xb7deb676 in pthread_cond_wait@@GLIBC_2.3.2 ()
   from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7e19ea1 in PR_WaitCondVar () from /usr/lib/libnspr4.so.0d
#3 0xb37c7983 in ?? () from /usr/lib/firefox/components/libpipnss.so
#4 0x087481c0 in ?? ()
#5 0xffffffff in ?? ()
#6 0x00000000 in ?? ()

Thread 5 (Thread -1284899952 (LWP 15222)):
#0 0...


Barosl LEE (barosl)
description: updated
Revision history for this message
Barosl LEE (barosl) wrote : Re: firefox crashes after upgrading to libcairo2 1.4.10-1ubuntu4.1

It seems that this problem only occurs when using Korean fonts from Microsoft Windows, for example Gulim (gulim.ttc), Batang (batang.ttc), etc.

You can download them using Google. Search 'gulim.ttc intitle:"index of"'.

Revision history for this message
Basilio Kublik (sourcercito) wrote :

Hi there
Thanks for your bug report. Please try to obtain a backtrace http://wiki.ubuntu.com/DebuggingProgramCrash and attach the file to the bug report. This will greatly help us in tracking down your problem.

Please pay special attention to the required libraries.

Thanks in advance

Changed in libcairo:
assignee: nobody → sourcercito
importance: Undecided → Medium
status: New → Incomplete
Revision history for this message
Masoris (masoris) wrote :

I read about this bug on many Korean blogs about Ubuntu, and it seems this bug is not related to Firefox. The crash occurs in every program that uses libcairo2: every time one of them draws the Gulim (gulim.ttc) or Batang (batang.ttc) font on screen, the program crashes.

Revision history for this message
Barosl LEE (barosl) wrote :

with the debug symbols:

Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread -1222014384 (LWP 23604)]
0xb742f342 in _get_bitmap_surface (bitmap=0x8611334, own_buffer=0, font_options=0x8d011dc, surface=0xbfad6100) at /home/barosl/libcairo2/libcairo-1.4.10/src/cairo-ft-font.c:1026
1026 break;

(gdb) thread apply all backtrace
Thread 1 (Thread -1222395312 (LWP 23164)):
#0 0xb73d2342 in _get_bitmap_surface (bitmap=0x861131c, own_buffer=0, font_options=0x8d666ac, surface=0xbffed630) at /home/barosl/libcairo2/libcairo-1.4.10/src/cairo-ft-font.c:1026
#1 0xb73d2aa7 in _render_glyph_bitmap (face=0x852d9d0, font_options=0x8d666ac, surface=0xbffed630) at /home/barosl/libcairo2/libcairo-1.4.10/src/cairo-ft-font.c:1323
#2 0xb73d4655 in _cairo_ft_scaled_glyph_init (abstract_font=0x8d66590, scaled_glyph=0x88139c8, info=3) at /home/barosl/libcairo2/libcairo-1.4.10/src/cairo-ft-font.c:2236
#3 0xb73bfaa2 in _cairo_scaled_glyph_lookup (scaled_font=0x8d66590, index=71, info=3, scaled_glyph_ret=0xbffed6fc) at /home/barosl/libcairo2/libcairo-1.4.10/src/cairo-scaled-font.c:1537
#4 0xb73f64c7 in _cairo_xlib_surface_emit_glyphs (dst=0x8d8b5e0, glyphs=0xbffed9ec, num_glyphs=4, scaled_font=0x8d66590, op=CAIRO_OPERATOR_OVER, src=0x8e3cff8, attributes=0xbffed808) at /home/barosl/libcairo2/libcairo-1.4.10/src/cairo-xlib-surface.c:2914
#5 0xb73f6b80 in _cairo_xlib_surface_show_glyphs (abstract_dst=0x8d8b5e0, op=CAIRO_OPERATOR_OVER, src_pattern=0xbffed8ac, glyphs=0xbffed9ec, num_glyphs=4, scaled_font=0x8d66590) at /home/barosl/libcairo2/libcairo-1.4.10/src/cairo-xlib-surface.c:3144
#6 0xb73c3894 in _cairo_surface_show_glyphs (surface=0x8d8b5e0, op=CAIRO_OPERATOR_OVER, source=0xbffee1e4, glyphs=0xbffed9ec, num_glyphs=4, scaled_font=0x8d66590) at /home/barosl/libcairo2/libcairo-1.4.10/src/cairo-surface.c:1879
#7 0xb73b3bbd in _cairo_gstate_show_glyphs (gstate=0x880bd00, glyphs=0xbffee308, num_glyphs=4) at /home/barosl/libcairo2/libcairo-1.4.10/src/cairo-gstate.c:1585
#8 0xb73ab1b7 in cairo_show_glyphs (cr=0x8825520, glyphs=0xbffee308, num_glyphs=4) at /home/barosl/libcairo2/libcairo-1.4.10/src/cairo.c:2952
#9 0xb759c858 in ?? () from /usr/lib/libpangocairo-1.0.so.0
#10 0x08825520 in ?? ()
#11 0xbffee308 in ?? ()
#12 0x00000004 in ?? ()
#13 0xb73d1408 in _cairo_ft_unscaled_font_lock_face (unscaled=0x80832a0) at /home/barosl/libcairo2/libcairo-1.4.10/src/cairo-ft-font.c:524
#14 0xb757dbea in pango_renderer_draw_glyphs () from /usr/lib/libpango-1.0.so.0
#15 0xb759bd34 in ?? () from /usr/lib/libpangocairo-1.0.so.0
#16 0x080832a0 in ?? ()
#17 0x08d46428 in ?? ()
#18 0x08da1550 in ?? ()
#19 0x00000000 in ?? ()

Revision history for this message
Alex Yurchenko (ayurchen) wrote :

This happens not only with Korean fonts!
I'm using the Serene raster font from the xfonts-bolkhov package for the GUI. After the upgrade to libcairo2 1.4.10-1ubuntu4.1 no GTK-based program could be started; all of them gave "Floating point exception". After logging out and logging back in, the GNOME session was totally unusable. Rolling back to libcairo2 1.4.10-1ubuntu4 solved the problem.

There are a number of reports on the Ubuntu forum about Firefox giving "Floating point exception" at startup, and about how disabling certain plugins makes it work. So it seems that it is not limited to fonts.

Revision history for this message
Masoris (masoris) wrote :

Many users cannot start GNOME because of this bug. I think the title should be changed to "GNOME crashes after upgrading to libcairo2 1.4.10-1ubuntu4.1", and the importance changed to high.

Revision history for this message
Matti Lindell (mlind) wrote :

This looks like a serious regression caused by a security update. Let's ping the security team if they haven't noticed this yet.

Changed in libcairo:
importance: Medium → High
Revision history for this message
bones (bones7456) wrote :

Many Chinese users also got this problem, including me~
see: http://forum.ubuntu.org.cn/viewtopic.php?t=93410

Revision history for this message
faif (faifcn) wrote :

Ubuntu 7.10 with Chinese fonts and msttcorefonts installed. After this upgrade, all application windows, including the title bar and the maximize, minimize and close icons, disappeared. Downgrading the package:
sudo apt-get install libcairo2=1.4.10-1ubuntu4
solved the problem.

Revision history for this message
Minsang Kim (minsangkim) wrote :

The same happened here, but I found out that ANY newly added font will cause this problem.
For example, I was using anorexia, one of the artwiz fonts (available via apt-get), for the Orage clock in xfce-panel.
(For those who don't know, it's the clock application for Xubuntu, and I changed the font of the time display.)

After updating, xfce-panel just did not start on boot, so for an end user the computer is completely broken.
(Nothing can be done in X.)
I had to delete my ~/.config, and it took me a while to figure out why this happened.

So, from what I tried,
artwiz fonts
Gulim.ttc, Batang.ttc (Korean fonts)
cause this problem, but there were absolutely no problems before the update.

Revision history for this message
Minsang Kim (minsangkim) wrote :

Adding to the severity of this situation:
The Korean blogosphere is almost overloaded with warning messages telling readers:
"Do NOT update libcairo2!"

The majority of Korean users use Gulim.ttc and Batang.ttc, since the ones supplied with Ubuntu (Baekmuk) aren't so great with anti-aliasing.
This update rendered probably thousands of users' computers unusable.
Some Linux-savvy users would have figured out that it was a font problem by checking logs etc.,
but new users just can't do anything about it, and are left with absolutely no applications running
(all of those that use cairo crash with a floating point exception whenever an affected font is used in the application).

This "looks" like Firefox is the problem, but you have to realize that many Asian users use the English version of the OS, and the only time they encounter their language is in a web browser, so that's why so many bugs are filed about Firefox crashing.

Revision history for this message
Sebastien Bacher (seb128) wrote :

Assigning to Kees who did the upload, Debian did a new upload to fix the issue

Changed in libcairo:
assignee: sourcercito → keescook
status: Incomplete → Confirmed
Revision history for this message
Kees Cook (kees) wrote :

Hardy still needs the CVE fixed. Dapper and Edgy got the correct patches, Feisty and Gutsy fixes are being published shortly.

Changed in libcairo:
assignee: nobody → keescook
importance: Undecided → High
status: New → Fix Committed
assignee: keescook → nobody
assignee: nobody → keescook
importance: Undecided → High
status: New → Fix Committed
Kees Cook (kees)
Changed in libcairo:
assignee: nobody → keescook
status: New → Invalid
assignee: nobody → keescook
status: New → Invalid
Revision history for this message
Kees Cook (kees) wrote :

libcairo (1.4.10-1ubuntu4.2) gutsy-security; urgency=low

  * Fix debian/patches/91_malloc-overflow-fixes.dpatch to avoid
    divide-by-zero; patch from upstream fixes (LP: #173861):
    http://gitweb.freedesktop.org/?p=cairo;a=commitdiff_plain;h=6020f67f1a49cfe3844c4938d4af24c63c8424cc;hp=c79fc9af334fd6f2d1078071d64178125561b187

 -- Kees Cook <email address hidden> Mon, 10 Dec 2007 09:08:57 -0800

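The changelog above describes the fix only as "avoid divide-by-zero". As an added illustration, not cairo's code and not the upstream commit linked there, the following C shows the size-guard pattern involved: the CVE-2007-5503 class of bug is a stride * height product that overflows int before it reaches malloc(), and the usual guard for that is a division, which traps with SIGFPE (the "Floating point exception" reported throughout this bug) when the divisor is zero. An empty glyph bitmap has zero height and is legitimate, so the guard must settle that case before dividing. The function names, the sample dimensions and the -1 error return are assumptions of this example.

```c
/*
 * Added example (not cairo's code): a malloc-size guard that rejects an
 * int overflow of stride * height without ever dividing by zero.
 * Names, sample dimensions and the -1 error convention are assumptions.
 */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Division-based guard, done right: zero and negative dimensions are
 * handled before any division, so the divisor is always > 0. Returns the
 * byte count, or -1 if the dimensions are negative or the product would
 * not fit in int. A zero-height (empty) bitmap yields 0, not a trap. */
long long checked_bitmap_size(int stride, int height)
{
    if (stride < 0 || height < 0)
        return -1;                      /* never valid for a bitmap */
    if (stride == 0 || height == 0)
        return 0;                       /* empty bitmap; no division below */
    if (stride > INT_MAX / height)      /* safe: height > 0 here */
        return -1;                      /* stride * height would overflow int */
    return (long long)stride * height;
}

/* Same contract with no division at all: widen to 64 bits, multiply,
 * compare. Relies on long long being wider than int, which holds on the
 * 32-bit x86 systems in this report and on every common 64-bit target. */
long long checked_bitmap_size_widen(int stride, int height)
{
    if (stride < 0 || height < 0)
        return -1;
    long long product = (long long)stride * (long long)height;
    return product > INT_MAX ? -1 : product;
}

/* Allocation wrapper a renderer would call. NULL means "reject the glyph",
 * the only safe answer to a size that cannot be represented. */
unsigned char *alloc_bitmap(int stride, int height)
{
    long long size = checked_bitmap_size(stride, height);
    if (size < 0)
        return NULL;
    /* calloc(0, 1) may legally return NULL; request one byte for an empty
     * bitmap so the caller can distinguish "empty" from "rejected". */
    return calloc(size > 0 ? (size_t)size : 1, 1);
}

int main(void)
{
    /* Constructed sample dimensions: a normal glyph, an empty glyph (the
     * case that divided by zero), and the overflow the CVE fix must reject. */
    const int cases[][2] = { {64, 12}, {64, 0}, {INT_MAX, 2} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long long size = checked_bitmap_size(cases[i][0], cases[i][1]);
        unsigned char *buf = alloc_bitmap(cases[i][0], cases[i][1]);
        printf("stride=%d height=%d -> size=%lld alloc=%s\n",
               cases[i][0], cases[i][1], size, buf ? "ok" : "rejected");
        free(buf);
    }
    return 0;
}
```

The point to check when reviewing a guard of the form `a > INT_MAX / b` is simply whether `b` can be zero on any input path; for glyph bitmaps it can, since blank glyphs render as empty bitmaps, which is why the crash showed up only with particular fonts.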
Revision history for this message
Kees Cook (kees) wrote :

libcairo (1.4.2-0ubuntu1.2) feisty-security; urgency=low

  * Fix debian/patches/91_malloc-overflow-fixes.dpatch to avoid
    divide-by-zero; patch from upstream fixes (LP: #173861):
    http://gitweb.freedesktop.org/?p=cairo;a=commitdiff_plain;h=6020f67f1a49cfe3844c4938d4af24c63c8424cc;hp=c79fc9af334fd6f2d1078071d64178125561b187

 -- Kees Cook <email address hidden> Mon, 10 Dec 2007 09:08:57 -0800

Changed in libcairo:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Revision history for this message
Masoris (masoris) wrote :

After upgrading libcairo (1.4.2-0ubuntu1.2), the crash disappeared. But when people use 'gulim.ttc' or some other fonts, they see blanks instead of characters. This font bug is not fixed yet.

Revision history for this message
Vulpes (business-relations-kr) wrote :

It still seems to affect people using .ttc or .ttf fonts in any part of their GUI. The bug is still most apparent in Firefox.

It did, however, fix the crashing issue, as Masoris said. But the system is still quite broken for those who want to use those fonts.

Revision history for this message
Sebastien Bacher (seb128) wrote :

libcairo (1.4.10-1ubuntu6) hardy; urgency=low

  * Fix debian/patches/91_malloc-overflow-fixes.dpatch to avoid
    divide-by-zero; patch from upstream fixes (LP: #173861):
    http://gitweb.freedesktop.org/?p=cairo;a=commitdiff_plain;h=6020f67f1a49cfe3844c4938d4af24c63c8424cc;hp=c79fc9af334fd6f2d1078071d64178125561b187

 -- Sebastien Bacher <email address hidden> Tue, 11 Dec 2007 09:51:17 +0100

Changed in libcairo:
status: Confirmed → Fix Released
Changed in libcairo:
status: Unknown → Fix Released
Revision history for this message
bones (bones7456) wrote :

Some bold fonts disappeared, while regular fonts have no problem.

Revision history for this message
Sanhe (sanhex) wrote :

Many Chinese users got the problem: bold fonts disappeared in the titles of many applications and their tabs, e.g. Firefox, Thunderbird, etc.

Revision history for this message
rjspotter (rjspotter) wrote : Re: [Bug 173861] Re: [CVE-2007-5503 security fix regression] firefox crashes after upgrading to libcairo2 1.4.10-1ubuntu4.1

On 12/11/07, Sanhe <email address hidden> wrote:
> Many Chinese user got the problem, bold font disappeared on the title of
> many applications and their tabs, e.g. firefox, thunderbird, etc.

I'm experiencing the same problems with snap (an Artwiz font), english
character set, pcf (bitmapped) filetype.

--R

Revision history for this message
Kees Cook (kees) wrote :

For any rendering issues, please see bug 175573. Steps to reproduce, including fonts, URLs, firefox configurations, etc, are needed in that bug.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Here is a reproducer for the crasher, not the rendering bug:

$ sudo apt-get install xfonts-bolkhov-75dpi gnome-terminal firefox
$ sudo dpkg-reconfigure fontconfig-config (and enable bitmapped fonts by default)
$ sudo fc-cache -fv
$ gconftool-2 --set /apps/gnome-terminal/profiles/Default/use_system_font --type bool false
$ gconftool-2 --set /apps/gnome-terminal/profiles/Default/font --type string "Courier 10"
$ gnome-terminal --window-with-profile=Default

Note, this Courier is not from xfonts-75dpi but from xfonts-bolkhov-75dpi. You might have to coax gnome-terminal into crashing by trying to change the font.

Firefox can be made to crash too by changing, under Fonts for: Western:
Sans-serif and serif fonts to 'Serene'
fixed width to 'Courier'
Default character encoding to ISO-8859-1

For the rendering bug on a Gutsy desktop:
$ sudo apt-get install xfonts-bolkhov-75dpi
$ sudo dpkg-reconfigure fontconfig-config (and enable bitmapped fonts by default)
$ sudo fc-cache -fv

Now go to System/Preferences/Appearance/Fonts

Change the Window Title Font to Serene. Pre-patched libcairo2 will show the 'Preview text', patched libcairo2 will not.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Dapper is a little different:
$ sudo apt-get install xfonts-bolkhov-75dpi
$ sudo dpkg-reconfigure fontconfig-config (and enable bitmapped fonts by default)
$ sudo fc-cache -fv
$ mkdir ~/.fonts ; cp /usr/X11R6/lib/X11/fonts/75dpi/lu* ~/.fonts

Now go to System/Preferences/Appearance/Fonts

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Sorry, the dpkg-reconfigure should be:
sudo dpkg-reconfigure fontconfig (and enable bitmapped fonts by default)

Revision history for this message
John Woods (bamboowarrior) wrote :

I'd like to re-open this bug. I'm using kubuntu-8.04-kde4.

I didn't actually install any new fonts. I was just playing around on my system and ran fc-cache -f -v. After rebooting, I tried to run firefox and got floating point exception. Any gtk2 app appears to give me the same problem.

I tried copying all the .font type dirs and configs out of another user's home directory (different system, probably ubuntu 7), and no good. In fact, the same home directory (mine) works just fine on a different installation, so it's something that's happened to this install rather than things in my home.

Comparing one install to another, I do notice that there's an additional directory in /usr/share/fonts called cmap (aside from truetype, true1, X11).

I also tried copying /etc/fonts/* to my local system from the other one. No luck.

Mathew Hodson (mhodson)
affects: libcairo (Debian) → cairo (Debian)