[Bug 1191094] New: CVE-2014-9671 freetype: Off-by-one error in the pcf_get_properties function in pcf/pcfread.c
6:52 a.m.
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Bug ID: 1191094
Summary: CVE-2014-9671 freetype: Off-by-one error in the
pcf_get_properties function in pcf/pcfread.c
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: vkaigoro(a)redhat.com
CC: behdad(a)fedoraproject.org,
fonts-bugs(a)lists.fedoraproject.org,
kevin(a)tigcc.ticalc.org, mkasik(a)redhat.com
Common Vulnerabilities and Exposures assigned CVE-2014-9671 to the following
issue:
Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in
FreeType
before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via a crafted PCF file with a 0xffffffff
size
value that is improperly incremented.
http://code.google.com/p/google-security-research/issues/detail?id=157
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0e2f5d...
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=Kh2uxQYUM7&a=cc_unsubscribe
6:58 a.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: Off-by-one error in the pcf_get_properties function in pcf/pcfread.c
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1191099
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1191099
[Bug 1191099] CVE-2014-9656 CVE-2014-9657 CVE-2014-9661 CVE-2014-9660
CVE-2014-9667 CVE-2014-9666 CVE-2014-9665 CVE-2014-9664 CVE-2014-9669
CVE-2014-9668 CVE-2014-9662 CVE-2014-9658 CVE-2014-9659 CVE-2014-9663
CVE-2014-9670 freetype: various flaws [fedora-all]
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=HOK4oCmXsn&a=cc_unsubscribe
7 a.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: Off-by-one error in the pcf_get_properties function in pcf/pcfread.c
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1191102
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=iWhGYFBj30&a=cc_unsubscribe
noon
New subject: [Bug 1191094] CVE-2014-9671 freetype: Off-by-one error in the pcf_get_properties function in pcf/pcfread.c
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Bug 1191094 depends on bug 1191099, which changed state.
Bug 1191099 Summary: CVE-2014-9656 CVE-2014-9657 CVE-2014-9661 CVE-2014-9660 CVE-2014-9667
CVE-2014-9666 CVE-2014-9665 CVE-2014-9664 CVE-2014-9669 CVE-2014-9668 CVE-2014-9662
CVE-2014-9658 CVE-2014-9659 CVE-2014-9663 CVE-2014-9670 freetype: various flaws
[fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1191099
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=iAjwPeynvp&a=cc_unsubscribe
8:53 a.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: integer overflow in pcf_get_encodings() leading to NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Tomas Hoger <thoger(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|medium |low
Fixed In Version| |freetype 2.5.4
Summary|CVE-2014-9671 freetype: |CVE-2014-9671 freetype:
|Off-by-one error in the |integer overflow in
|pcf_get_properties function |pcf_get_encodings() leading
|in pcf/pcfread.c |to NULL pointer dereference
Whiteboard|impact=moderate,public=2014 |impact=low,public=20141124,
|1124,reported=20150210,sour |reported=20150210,source=cv
|ce=cve,cvss2=3.7/AV:L/AC:H/ |e,cvss2=4.3/AV:N/AC:M/Au:N/
|Au:N/C:P/I:P/A:P,fedora-all |C:N/I:N/A:P,cwe=CWE-190->CW
|/freetype=affected,rhel-5/f |E-476,rhel-4/freetype=notaf
|reetype=new,rhel-6/freetype |fected,rhel-5/freetype=wont
|=new,rhel-7/freetype=new |fix,rhel-6/freetype=affecte
| |d,rhel-7/freetype=affected,
| |rhev-m-3/mingw-virt-viewer=
| |affected,fedora-all/freetyp
| |e=affected,fedora-all/mingw
| |-freetype=affected,epel-7/m
| |ingw-freetype=affected
Severity|medium |low
--- Comment #1 from Tomas Hoger <thoger(a)redhat.com> ---
Upstream bug is:
https://savannah.nongnu.org/bugs/?43547
Issue was fixed upstream in 2.5.4.
This is an integer overflow issue, rather than off-by-one. A string_size value
is read from input font file. If value 0xffffffff is used and later 1 is added
to it when FT_NEW_ARRAY() is called to allocate strings[] buffer, the addition
will overflow (32bit overflow) and leads to attempt to allocate zero sized
buffer. Freetype memory allocation functions return NULL in that case, which
leads to crash when the buffer is populated later.
Note that this issue was introduced by the CVE-2012-1130 fix (see bug 800587)
in the following commit:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c776fc17
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=u9Jm2RfmwU&a=cc_unsubscribe
8:22 a.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: integer overflow in pcf_get_properties() leading to NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Tomas Hoger <thoger(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|CVE-2014-9671 freetype: |CVE-2014-9671 freetype:
|integer overflow in |integer overflow in
|pcf_get_encodings() leading |pcf_get_properties()
|to NULL pointer dereference |leading to NULL pointer
| |dereference
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=G7bVT3eYXY&a=cc_unsubscribe
8:25 a.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: integer overflow in pcf_get_properties() leading to NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
--- Comment #4 from Tomas Hoger <thoger(a)redhat.com> ---
The fix for this issue was found to introduce a regression that prevented
loading of certain PCF fonts. Upstream bug and fix:
https://savannah.nongnu.org/bugs/?43774
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=74af85...
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=06842c...
Reported for Fedora in bug 1195652.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=ENcqzRIXCm&a=cc_unsubscribe
8:08 a.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: integer overflow in pcf_get_properties() leading to NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Martin Prpic <mprpic(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1197737
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=byZuMJZL4C&a=cc_unsubscribe
8:08 a.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: integer overflow in pcf_get_properties() leading to NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Martin Prpic <mprpic(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1197738
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=nbdEkfIRms&a=cc_unsubscribe
8:08 a.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: integer overflow in pcf_get_properties() leading to NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Martin Prpic <mprpic(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1197739
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=YSorkt9jem&a=cc_unsubscribe
8:09 a.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: integer overflow in pcf_get_properties() leading to NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Martin Prpic <mprpic(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1197740
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=pbNZAznPIb&a=cc_unsubscribe
12:59 p.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: integer overflow in pcf_get_properties() leading to NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
--- Comment #6 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2015:0696 https://rhn.redhat.com/errata/RHSA-2015-0696.html
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=X0IwDM6rp1&a=cc_unsubscribe
2:40 a.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: integer overflow in pcf_get_properties() leading to NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Tomas Hoger <thoger(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |ERRATA
Last Closed| |2015-03-18 03:40:54
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=9HFViiFDHk&a=cc_unsubscribe
4:50 p.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: integer overflow in
pcf_get_properties() leading to NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Vincent Danen <vdanen(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20141124, |impact=low,public=20141124,
|reported=20150210,source=cv |reported=20150210,source=cv
|e,cvss2=4.3/AV:N/AC:M/Au:N/ |e,cvss2=4.3/AV:N/AC:M/Au:N/
|C:N/I:N/A:P,cwe=CWE-190->CW |C:N/I:N/A:P,cwe=CWE-190->CW
|E-476,rhel-4/freetype=notaf |E-476,rhel-4/freetype=notaf
|fected,rhel-5/freetype=wont |fected,rhel-5/freetype=wont
|fix,rhel-6/freetype=affecte |fix,rhel-6/freetype=notaffe
|d,rhel-7/freetype=affected, |cted,rhel-7/freetype=affect
|rhev-m-3/mingw-virt-viewer= |ed,rhev-m-3/mingw-virt-view
|affected,fedora-all/freetyp |er=affected,fedora-all/free
|e=affected,fedora-all/mingw |type=affected,fedora-all/mi
|-freetype=affected,epel-7/m |ngw-freetype=affected,epel-
|ingw-freetype=affected |7/mingw-freetype=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=v3uHWWxHMz&a=cc_unsubscribe
4:29 a.m.
New subject: [Bug 1191094] CVE-2014-9671 freetype: integer overflow in
pcf_get_properties() leading to NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Ján Rusnačko <jrusnack(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20141124, |impact=low,public=20141124,
|reported=20150210,source=cv |reported=20150210,source=cv
|e,cvss2=4.3/AV:N/AC:M/Au:N/ |e,cvss2=4.3/AV:N/AC:M/Au:N/
|C:N/I:N/A:P,cwe=CWE-190->CW |C:N/I:N/A:P,cwe=CWE-190->CW
|E-476,rhel-4/freetype=notaf |E-476,rhel-4/freetype=notaf
|fected,rhel-5/freetype=wont |fected,rhel-5/freetype=wont
|fix,rhel-6/freetype=notaffe |fix,rhel-6/freetype=affecte
|cted,rhel-7/freetype=affect |d,rhel-7/freetype=affected,
|ed,rhev-m-3/mingw-virt-view |rhev-m-3/mingw-virt-viewer=
|er=affected,fedora-all/free |affected,fedora-all/freetyp
|type=affected,fedora-all/mi |e=affected,fedora-all/mingw
|ngw-freetype=affected,epel- |-freetype=affected,epel-7/m
|7/mingw-freetype=affected |ingw-freetype=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=0RpHx6PChl&a=cc_unsubscribe
3113
days inactive
3401
days old
fonts-bugs@lists.fedoraproject.org
14 comments
1 participants
participants (1)
-
Red Hat Bugzilla