Bug#909499: libfontconfig1:amd64: bizarre and broken way to resolve symlinks manually

Marc Lehmann debian-reportbug at plan9.de
Mon Sep 24 15:02:01 BST 2018 

Package: libfontconfig1
Version: 2.13.0-5
Severity: normal

Dear Maintainer,

after upgrading my version of libfontconfig1, I started getting lots of these messages in some applications:

   Fontconfig error: failed reading config file

It wasn't clear what config file it couldn't read, but strace showed that it uses a bizarre way of resolving
symlinks itself rather than just trying to read files:

   [pid  8503] access("/etc/fonts/conf.d/65-0-fonts-beng-extra.conf", R_OK) = 0
   [pid  8503] access("/etc/fonts/conf.d/65-0-fonts-beng-extra.conf", R_OK) = 0
   [pid  8503] readlink("/etc/fonts/conf.d/65-0-fonts-beng-extra.conf", "../conf.avail/65-0-fonts-beng-ex"..., 4095) = 40
   [pid  8503] stat("../conf.avail/65-0-fonts-beng-extra.conf", 0x7fffffff3460) = -1 ENOENT (No such file or directory)
   [pid  8503] openat(AT_FDCWD, "/etc/fonts/conf.d/65-0-fonts-beng-extra.conf", O_RDONLY|O_CLOEXEC) = 15
   Fontconfig error: failed reading config file

That is, instead of trying to read the config file(s) it readlinks them
and then uses the target as if it were absolute paths, even if the path is
relative (it does manage to then open the correct file, but still I get
a message for every relative path). Indeed, running affected programs in
/etc/fonts/conf.d makes the messages go away.

I don't know a way to exploit this (it probably isn't exploitable), but
this could potentially be a security issue if fontconfig can be tricked
into reading the wrong files merely by running a program in the wrong
directory.

-- System Information:
Debian Release: 9.5
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.70-041470-generic (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages libfontconfig1:amd64 depends on:
ii  fontconfig-config  2.13.0-5
ii  libc6              2.27-6
ii  libexpat1          2.2.0-2+deb9u1
ii  libfreetype6       2.8.1-2
ii  libuuid1           2.29.2-1+deb9u1

libfontconfig1:amd64 recommends no packages.

libfontconfig1:amd64 suggests no packages.

-- no debconf information

More information about the Pkg-freedesktop-maintainers mailing list