Source: freetype
Version: 2.5.2-2
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for freetype. I filed this
as "RC" since at least one seems to allow code execution. Could you
help identify which also affect wheezy?

CVE-2014-9656[0]:
| The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType
| before 2.5.4 does not properly check for an integer overflow, which
| allows remote attackers to cause a denial of service (out-of-bounds
| read) or possibly have unspecified other impact via a crafted OpenType
| font.

CVE-2014-9657[1]:
| The tt_face_load_hdmx function in truetype/ttpload.c in FreeType
| before 2.5.4 does not establish a minimum record size, which allows
| remote attackers to cause a denial of service (out-of-bounds read) or
| possibly have unspecified other impact via a crafted TrueType font.

CVE-2014-9658[2]:
| The tt_face_load_kern function in sfnt/ttkern.c in FreeType before
| 2.5.4 enforces an incorrect minimum table length, which allows remote
| attackers to cause a denial of service (out-of-bounds read) or
| possibly have unspecified other impact via a crafted TrueType font.

CVE-2014-9659[3]:
| cff/cf2intrp.c in the CFF CharString interpreter in FreeType before
| 2.5.4 proceeds with additional hints after the hint mask has been
| computed, which allows remote attackers to execute arbitrary code or
| cause a denial of service (stack-based buffer overflow) via a crafted
| OpenType font. NOTE: this vulnerability exists because of an
| incomplete fix for CVE-2014-2240.

CVE-2014-9660[4]:
| The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before
| 2.5.4 does not properly handle a missing ENDCHAR record, which allows
| remote attackers to cause a denial of service (NULL pointer
| dereference) or possibly have unspecified other impact via a crafted
| BDF font.

CVE-2014-9661[5]:
| type42/t42parse.c in FreeType before 2.5.4 does not consider that
| scanning can be incomplete without triggering an error, which allows
| remote attackers to cause a denial of service (use-after-free) or
| possibly have unspecified other impact via a crafted Type42 font.

CVE-2014-9662[6]:
| cff/cf2ft.c in FreeType before 2.5.4 does not validate the return
| values of point-allocation functions, which allows remote attackers to
| cause a denial of service (heap-based buffer overflow) or possibly
| have unspecified other impact via a crafted OTF font.

CVE-2014-9663[7]:
| The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before
| 2.5.4 validates a certain length field before that field's value is
| completely calculated, which allows remote attackers to cause a denial
| of service (out-of-bounds read) or possibly have unspecified other
| impact via a crafted cmap SFNT table.

CVE-2014-9664[8]:
| FreeType before 2.5.4 does not check for the end of the data during
| certain parsing actions, which allows remote attackers to cause a
| denial of service (out-of-bounds read) or possibly have unspecified
| other impact via a crafted Type42 font, related to type42/t42parse.c
| and type1/t1load.c.

CVE-2014-9665[9]:
| The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4
| does not restrict the rows and pitch values of PNG data, which allows
| remote attackers to cause a denial of service (integer overflow and
| heap-based buffer overflow) or possibly have unspecified other impact
| by embedding a PNG file in a .ttf font file.

CVE-2014-9666[10]:
| The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before
| 2.5.4 proceeds with a count-to-size association without restricting
| the count value, which allows remote attackers to cause a denial of
| service (integer overflow and out-of-bounds read) or possibly have
| unspecified other impact via a crafted embedded bitmap.

CVE-2014-9667[11]:
| sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length
| calculations without restricting the values, which allows remote
| attackers to cause a denial of service (integer overflow and
| out-of-bounds read) or possibly have unspecified other impact via a
| crafted SFNT table.

CVE-2014-9668[12]:
| The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4
| proceeds with offset+length calculations without restricting length
| values, which allows remote attackers to cause a denial of service
| (integer overflow and heap-based buffer overflow) or possibly have
| unspecified other impact via a crafted Web Open Font Format (WOFF)
| file.

CVE-2014-9669[13]:
| Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4
| allow remote attackers to cause a denial of service (out-of-bounds
| read or memory corruption) or possibly have unspecified other impact
| via a crafted cmap SFNT table.

CVE-2014-9670[14]:
| Multiple integer signedness errors in the pcf_get_encodings function
| in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to
| cause a denial of service (integer overflow, NULL pointer dereference,
| and application crash) via a crafted PCF file that specifies negative
| values for the first column and first row.

CVE-2014-9671[15]:
| Off-by-one error in the pcf_get_properties function in pcf/pcfread.c
| in FreeType before 2.5.4 allows remote attackers to cause a denial of
| service (NULL pointer dereference and application crash) via a crafted
| PCF file with a 0xffffffff size value that is improperly incremented.

CVE-2014-9672[16]:
| Array index error in the parse_fond function in base/ftmac.c in
| FreeType before 2.5.4 allows remote attackers to cause a denial of
| service (out-of-bounds read) or obtain sensitive information from
| process memory via a crafted FOND resource in a Mac font file.

CVE-2014-9673[17]:
| Integer signedness error in the Mac_Read_POST_Resource function in
| base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to
| cause a denial of service (heap-based buffer overflow) or possibly
| have unspecified other impact via a crafted Mac font.

CVE-2014-9674[18]:
| The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType
| before 2.5.4 proceeds with adding to length values without validating
| the original values, which allows remote attackers to cause a denial
| of service (integer overflow and heap-based buffer overflow) or
| possibly have unspecified other impact via a crafted Mac font.

CVE-2014-9675[19]:
| bdf/bdflib.c in FreeType before 2.5.4 identifies property names by
| only verifying that an initial substring is present, which allows
| remote attackers to discover heap pointer values and bypass the ASLR
| protection mechanism via a crafted BDF font.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9656
[1] https://security-tracker.debian.org/tracker/CVE-2014-9657
[2] https://security-tracker.debian.org/tracker/CVE-2014-9658
[3] https://security-tracker.debian.org/tracker/CVE-2014-9659
[4] https://security-tracker.debian.org/tracker/CVE-2014-9660
[5] https://security-tracker.debian.org/tracker/CVE-2014-9661
[6] https://security-tracker.debian.org/tracker/CVE-2014-9662
[7] https://security-tracker.debian.org/tracker/CVE-2014-9663
[8] https://security-tracker.debian.org/tracker/CVE-2014-9664
[9] https://security-tracker.debian.org/tracker/CVE-2014-9665
[10] https://security-tracker.debian.org/tracker/CVE-2014-9666
[11] https://security-tracker.debian.org/tracker/CVE-2014-9667
[12] https://security-tracker.debian.org/tracker/CVE-2014-9668
[13] https://security-tracker.debian.org/tracker/CVE-2014-9669
[14] https://security-tracker.debian.org/tracker/CVE-2014-9670
[15] https://security-tracker.debian.org/tracker/CVE-2014-9671
[16] https://security-tracker.debian.org/tracker/CVE-2014-9672
[17] https://security-tracker.debian.org/tracker/CVE-2014-9673
[18] https://security-tracker.debian.org/tracker/CVE-2014-9674
[19] https://security-tracker.debian.org/tracker/CVE-2014-9675

Regards,
Salvatore
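
Added example, not part of the original report and not FreeType's code: the "offset+length calculations without restricting the values" pattern named in CVE-2014-9667 and CVE-2014-9668, shown as a bounds check over an SFNT table directory in a wrapping form and an overflow-safe form. All function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Big-endian readers for the font buffer. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint16_t be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Weak form: the 32-bit sum wraps, so a huge offset can pass. */
int range_ok_naive(uint32_t offset, uint32_t length, uint32_t size) {
    return (uint32_t)(offset + length) <= size;
}
/* Hardened form: the two untrusted values are never added. */
int range_ok_safe(uint32_t offset, uint32_t length, uint32_t size) {
    return offset <= size && length <= size - offset;
}

/* Check every table record (tag, checksum, offset, length) against the
   buffer size. Returns 0 if all tables fit, -1 otherwise. */
int sfnt_directory_ok(const uint8_t *buf, size_t size,
                      int (*range_ok)(uint32_t, uint32_t, uint32_t)) {
    if (size < 12 || size > UINT32_MAX)
        return -1;
    uint16_t num_tables = be16(buf + 4);
    /* The directory must fit: 12-byte header plus 16 bytes per record. */
    if ((size - 12) / 16 < num_tables)
        return -1;
    for (uint16_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = buf + 12 + 16 * (size_t)i;
        if (!range_ok(be32(rec + 8), be32(rec + 12), (uint32_t)size))
            return -1;
    }
    return 0;
}

/* Constructed sample: one record with offset 0xFFFFFFF0, length 0x20. */
const uint8_t SAMPLE_FONT[28] = {
    0x00,0x01,0x00,0x00, 0x00,0x01, 0x00,0x10, 0x00,0x00, 0x00,0x00,
    'c','m','a','p', 0x00,0x00,0x00,0x00,
    0xFF,0xFF,0xFF,0xF0, 0x00,0x00,0x00,0x20
};

int main(void) { /* exits 0 when the naive check accepts and the safe one rejects */
    return !(sfnt_directory_ok(SAMPLE_FONT, 28, range_ok_naive) == 0 &&
             sfnt_directory_ok(SAMPLE_FONT, 28, range_ok_safe) == -1);
}
```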