[Bug 1191079] New: CVE-2014-9657 freetype: DoS in the tt_face_load_hdmx function in truetype/ttpload.c
6:50 a.m.
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
Bug ID: 1191079
Summary: CVE-2014-9657 freetype: DoS in the tt_face_load_hdmx
function in truetype/ttpload.c
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: vkaigoro(a)redhat.com
CC: behdad(a)fedoraproject.org,
fonts-bugs(a)lists.fedoraproject.org,
kevin(a)tigcc.ticalc.org, mkasik(a)redhat.com
Common Vulnerabilities and Exposures assigned CVE-2014-9657 to the following
issue:
The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4
does not establish a minimum record size, which allows remote attackers to
cause
a denial of service (out-of-bounds read) or possibly have unspecified other
impact via a crafted TrueType font.
http://code.google.com/p/google-security-research/issues/detail?id=195
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=eca0f0...
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=JxlmnOGyZ0&a=cc_unsubscribe
6:55 a.m.
New subject: [Bug 1191079] CVE-2014-9657 freetype: DoS in the tt_face_load_hdmx function in truetype/ttpload.c
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1191099
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1191099
[Bug 1191099] CVE-2014-9656 freetype: integer overflow in the
tt_sbit_decoder_load_image function in sfnt/ttsbit.c [fedora-all]
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=ZKCo6JZM8M&a=cc_unsubscribe
6:55 a.m.
New subject: [Bug 1191079] CVE-2014-9657 freetype: DoS in the tt_face_load_hdmx function in truetype/ttpload.c
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
--- Comment #1 from Vasyl Kaigorodov <vkaigoro(a)redhat.com> ---
Created freetype tracking bugs for this issue:
Affects: fedora-all [bug 1191099]
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=9ZtrHOJj41&a=cc_unsubscribe
7 a.m.
New subject: [Bug 1191079] CVE-2014-9657 freetype: DoS in the tt_face_load_hdmx function in truetype/ttpload.c
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1191102
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=SOxZrlQLIQ&a=cc_unsubscribe
7:13 a.m.
New subject: [Bug 1191079] CVE-2014-9657 freetype: off-by-one buffer over-read in tt_face_load_hdmx()
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
Tomas Hoger <thoger(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|medium |low
Fixed In Version| |freetype 2.5.4
Summary|CVE-2014-9657 freetype: DoS |CVE-2014-9657 freetype:
|in the tt_face_load_hdmx |off-by-one buffer over-read
|function in |in tt_face_load_hdmx()
|truetype/ttpload.c |
Whiteboard|impact=moderate,public=2014 |impact=low,public=20141124,
|1124,reported=20150210,sour |reported=20150210,source=cv
|ce=cve,cvss2=3.7/AV:L/AC:H/ |e,cvss2=2.6/AV:N/AC:H/Au:N/
|Au:N/C:P/I:P/A:P,fedora-all |C:N/I:N/A:P,cwe=CWE-193->CW
|/freetype=affected,rhel-5/f |E-125,fedora-all/freetype=a
|reetype=new,rhel-6/freetype |ffected,rhel-5/freetype=new
|=new,rhel-7/freetype=new |,rhel-6/freetype=new,rhel-7
| |/freetype=new
Severity|medium |low
--- Comment #2 from Tomas Hoger <thoger(a)redhat.com> ---
Upstream bug is:
https://savannah.nongnu.org/bugs/?43679
Issue was fixed upstream in 2.5.4.
This is a single byte heap-based buffer over-read. A probability of this
causing crash is extremely low.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=eZz2yJjIF6&a=cc_unsubscribe
7:28 a.m.
New subject: [Bug 1191079] CVE-2014-9657 freetype: off-by-one buffer over-read in tt_face_load_hdmx()
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
Tomas Hoger <thoger(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20141124, |impact=low,public=20141124,
|reported=20150210,source=cv |reported=20150210,source=cv
|e,cvss2=2.6/AV:N/AC:H/Au:N/ |e,cvss2=2.6/AV:N/AC:H/Au:N/
|C:N/I:N/A:P,cwe=CWE-193->CW |C:N/I:N/A:P,cwe=CWE-193->CW
|E-125,fedora-all/freetype=a |E-125,rhel-4/freetype=wontf
|ffected,rhel-5/freetype=new |ix,rhel-5/freetype=wontfix,
|,rhel-6/freetype=new,rhel-7 |rhel-6/freetype=affected,rh
|/freetype=new |el-7/freetype=affected,rhev
| |-m-3/mingw-virt-viewer=affe
| |cted,fedora-all/freetype=af
| |fected,fedora-all/mingw-fre
| |etype=affected,epel-7/mingw
| |-freetype=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=mUhEyl76sM&a=cc_unsubscribe
noon
New subject: [Bug 1191079] CVE-2014-9657 freetype: off-by-one buffer over-read in tt_face_load_hdmx()
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
Bug 1191079 depends on bug 1191099, which changed state.
Bug 1191099 Summary: CVE-2014-9656 CVE-2014-9657 CVE-2014-9661 CVE-2014-9660 CVE-2014-9667
CVE-2014-9666 CVE-2014-9665 CVE-2014-9664 CVE-2014-9669 CVE-2014-9668 CVE-2014-9662
CVE-2014-9658 CVE-2014-9659 CVE-2014-9663 CVE-2014-9670 freetype: various flaws
[fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1191099
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=33unWjrFzb&a=cc_unsubscribe
12:01 p.m.
New subject: [Bug 1191079] CVE-2014-9657 freetype: off-by-one buffer over-read in tt_face_load_hdmx()
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
--- Comment #4 from Fedora Update System <updates(a)fedoraproject.org> ---
freetype-2.5.3-15.fc21 has been pushed to the Fedora 21 stable repository. If
problems still persist, please make note of it in this bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=uTAnkCAIPC&a=cc_unsubscribe
2:30 a.m.
New subject: [Bug 1191079] CVE-2014-9657 freetype: off-by-one buffer over-read in tt_face_load_hdmx()
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
--- Comment #5 from Fedora Update System <updates(a)fedoraproject.org> ---
freetype-2.5.0-9.fc20 has been pushed to the Fedora 20 stable repository. If
problems still persist, please make note of it in this bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=S06tdVf952&a=cc_unsubscribe
8:02 a.m.
New subject: [Bug 1191079] CVE-2014-9657 freetype: off-by-one buffer over-read in tt_face_load_hdmx()
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
Martin Prpic <mprpic(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1197737
Depends On| |1197738
Depends On| |1197739
Depends On| |1197740
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=dwKkyhH6rB&a=cc_unsubscribe
12:58 p.m.
New subject: [Bug 1191079] CVE-2014-9657 freetype: off-by-one buffer over-read in tt_face_load_hdmx()
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
--- Comment #7 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2015:0696 https://rhn.redhat.com/errata/RHSA-2015-0696.html
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=ISYTyUPjl5&a=cc_unsubscribe
2:40 a.m.
New subject: [Bug 1191079] CVE-2014-9657 freetype: off-by-one buffer over-read in tt_face_load_hdmx()
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
Tomas Hoger <thoger(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |ERRATA
Last Closed| |2015-03-18 03:40:56
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=kOuXCvViU9&a=cc_unsubscribe
4:50 p.m.
New subject: [Bug 1191079] CVE-2014-9657 freetype: off-by-one buffer over-read in
tt_face_load_hdmx()
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
Vincent Danen <vdanen(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20141124, |impact=low,public=20141124,
|reported=20150210,source=cv |reported=20150210,source=cv
|e,cvss2=2.6/AV:N/AC:H/Au:N/ |e,cvss2=2.6/AV:N/AC:H/Au:N/
|C:N/I:N/A:P,cwe=CWE-193->CW |C:N/I:N/A:P,cwe=CWE-193->CW
|E-125,rhel-4/freetype=wontf |E-125,rhel-4/freetype=wontf
|ix,rhel-5/freetype=wontfix, |ix,rhel-5/freetype=wontfix,
|rhel-6/freetype=affected,rh |rhel-6/freetype=notaffected
|el-7/freetype=affected,rhev |,rhel-7/freetype=affected,r
|-m-3/mingw-virt-viewer=affe |hev-m-3/mingw-virt-viewer=a
|cted,fedora-all/freetype=af |ffected,fedora-all/freetype
|fected,fedora-all/mingw-fre |=affected,fedora-all/mingw-
|etype=affected,epel-7/mingw |freetype=affected,epel-7/mi
|-freetype=affected |ngw-freetype=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=VsLPLE1Ggd&a=cc_unsubscribe
4:28 a.m.
New subject: [Bug 1191079] CVE-2014-9657 freetype: off-by-one buffer over-read in
tt_face_load_hdmx()
https://bugzilla.redhat.com/show_bug.cgi?id=1191079
Ján Rusnačko <jrusnack(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20141124, |impact=low,public=20141124,
|reported=20150210,source=cv |reported=20150210,source=cv
|e,cvss2=2.6/AV:N/AC:H/Au:N/ |e,cvss2=2.6/AV:N/AC:H/Au:N/
|C:N/I:N/A:P,cwe=CWE-193->CW |C:N/I:N/A:P,cwe=CWE-193->CW
|E-125,rhel-4/freetype=wontf |E-125,rhel-4/freetype=wontf
|ix,rhel-5/freetype=wontfix, |ix,rhel-5/freetype=wontfix,
|rhel-6/freetype=notaffected |rhel-6/freetype=affected,rh
|,rhel-7/freetype=affected,r |el-7/freetype=affected,rhev
|hev-m-3/mingw-virt-viewer=a |-m-3/mingw-virt-viewer=affe
|ffected,fedora-all/freetype |cted,fedora-all/freetype=af
|=affected,fedora-all/mingw- |fected,fedora-all/mingw-fre
|freetype=affected,epel-7/mi |etype=affected,epel-7/mingw
|ngw-freetype=affected |-freetype=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=WQF2j86gsW&a=cc_unsubscribe
3072
days inactive
3360
days old
fonts-bugs@lists.fedoraproject.org
13 comments
1 participants
participants (1)
-
Red Hat Bugzilla