freetype-devel

RE: [ft-devel] Digital signatures


From: Turner, David
Subject: RE: [ft-devel] Digital signatures
Date: Thu, 25 Aug 2005 17:18:11 +0200

Hi George,

It's a well-known fact that the TrueType engine has been in the Windows
kernel since NT 4 (more precisely, it's in the file WIN32K.SYS, which
is the kernel-mode driver of the Win32 sub-system).

There is thus a _real_ risk that on this system, a buggy font may crash
your system. You can also envision a virus writer writing some malware
font if some buffer overflows can be exploited in the engine or the
VM Bytecode interpreter.

It's then conceptually possible to imagine a similar font file designed
to take ownership of your X server or other applications that happen to
use FreeType (e.g. nearly anything that displays AA text) on Linux. That is,
if a security hole is found in the engine. If these apps are run as root
with all privileges, this could be a problem too.

But, as you rightly pointed out, digital signatures do not offer any
credible protection to the buggy and malware problems. What's worse is
that they provide a _false_ sense of security. What a joke!

My opinion is that the DSIG table is the brain-child of DRM-obsessed
managers at Microsoft Typography (or above), who don't understand many
things regarding security.

If digital signatures are not mandatory _and_ used with non-reversible
encryption, they're simply useless.

Don't even bother to waste your time on these things.

Regards,

- David Turner
- The FreeType Project  (www.freetype.org)
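As an added illustration (not part of David Turner's message, nor FreeType's own code), here is a Python sketch of the point made above: a DSIG table says nothing about whether a font is structurally safe to parse, so an engine must bounds-check the table directory of an untrusted font regardless of any signature. The sfnt layout constants follow the OpenType specification; the two font buffers, the table payloads and the helper names are constructed sample data and assumptions for this example.

```python
import struct

# OpenType/TrueType "sfnt" container layout (big-endian), per the OpenType spec.
SFNT_HEADER = struct.Struct(">IHHHH")    # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")   # tag, checksum, offset, length
KNOWN_VERSIONS = {0x00010000, 0x74727565, 0x4F54544F}  # 1.0, 'true', 'OTTO'


def parse_table_directory(data):
    """Return {tag: (offset, length)} for an sfnt buffer, rejecting any record
    that does not lie entirely inside the buffer. This is the minimum an engine
    must do before touching any table of an untrusted font, signed or not."""
    size = len(data)
    if size < SFNT_HEADER.size:
        raise ValueError("truncated sfnt header")
    version, num_tables, _sr, _es, _rs = SFNT_HEADER.unpack_from(data, 0)
    if version not in KNOWN_VERSIONS:
        raise ValueError("unknown sfnt version 0x%08x" % version)
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > size:
        raise ValueError("table directory overruns the file")
    tables = {}
    for i in range(num_tables):
        tag, _csum, offset, length = TABLE_RECORD.unpack_from(
            data, SFNT_HEADER.size + i * TABLE_RECORD.size)
        # Written in the overflow-safe order a C engine needs: check the offset
        # first, then compare length against the remaining space, so that
        # offset + length can never wrap around a 32-bit size_t.
        if offset < dir_end or offset > size or length > size - offset:
            raise ValueError("table %r lies outside the file" % tag)
        tables[tag.decode("latin-1")] = (offset, length)
    return tables


def dsig_present(data):
    """What a 'must be signed' policy actually checks: is there a DSIG record?
    Deliberately does no bounds checking, to mirror a policy that looks only
    at the signature table."""
    _version, num_tables, *_ = SFNT_HEADER.unpack_from(data, 0)
    for i in range(num_tables):
        tag = TABLE_RECORD.unpack_from(data, SFNT_HEADER.size + i * TABLE_RECORD.size)[0]
        if tag == b"DSIG":
            return True
    return False


def build_font(entries, bad_length=None):
    """Assemble a minimal sfnt from (tag, payload) pairs. Constructed sample data,
    not a real font. bad_length=(tag, n) writes a bogus length into that record,
    modelling a corrupt table: a signature attests to who produced the bytes,
    not to whether those bytes are well-formed."""
    num = len(entries)
    offset = SFNT_HEADER.size + num * TABLE_RECORD.size
    header = SFNT_HEADER.pack(0x00010000, num, 0, 0, 0)
    records, body = b"", b""
    for tag, payload in entries:
        length = len(payload)
        if bad_length and bad_length[0] == tag:
            length = bad_length[1]
        records += TABLE_RECORD.pack(tag, 0, offset, length)
        padded = payload + b"\0" * (-len(payload) % 4)   # tables are 4-byte aligned
        body += padded
        offset += len(padded)
    return header + records + body


def check_font(data):
    """Return ('ok', [tags]) or ('reject', reason)."""
    try:
        return ("ok", sorted(parse_table_directory(data)))
    except ValueError as exc:
        return ("reject", str(exc))


# Constructed samples: the same three tables, with and without a corrupt 'glyf' length.
SAMPLE_TABLES = [(b"DSIG", b"\0\0\0\1\0\0\0\0"),   # placeholder signature table
                 (b"glyf", b"\0" * 16),
                 (b"head", b"\0" * 54)]
GOOD_FONT = build_font(SAMPLE_TABLES)
BAD_FONT = build_font(SAMPLE_TABLES, bad_length=(b"glyf", 0x7FFFFFFF))

if __name__ == "__main__":
    for name, font in (("good", GOOD_FONT), ("bad", BAD_FONT)):
        print(name, "DSIG present:", dsig_present(font), "->", check_font(font))
```

Both sample fonts carry a DSIG record, so a signature-only policy treats them alike; only the directory bounds check tells the corrupt one apart. The same check is needed in the engine whether or not a signature exists, which is the sense in which the DSIG table adds no protection against buggy or hostile fonts.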



> There has been an argument running on the OpenType list about Digital
> signatures.
> 
> I must confess I fail to understand the need for them on a linux/unix
> platform. Perhaps someone can illuminate me, or perhaps linux/unix is
> different enough from Windows/Mac that font validation isn't as
> important.
> 
> As I understand it, the Digital signature says that someone (who has at
> one time been in some sense verified to exist) says the font is ok. But
> it does not say the font has been validated or anything useful, just
> that someone thought it was ok. (It doesn't even say that the someone
> wasn't a virus-writer ten years ago when the certificate was obtained
> who has since moved on from the original location)
> 
> First of all that seems a very weak form of protection.
> 
> Secondly I don't really understand what damage a font can do to my
> system. The worst I can think of is
>       a) crash the X server
>       b) send pango into an infinite loop.
> To me neither of these seems all that worrying.
> 
> I don't see how a bad font can have any real effect on the integrity of
> my system.
> 
> Perhaps this is more of an issue on a system like the Mac where the
> system can't come up in a non-windowing mode. So if the font used for
> the menu is corrupt you are screwed.
> 
> Am I missing something?
> 
