[Bug 1191190] CVE-2014-9674 freetype: multiple integer overflows Mac_Read_POST_Resource() leading to heap-based buffer overflows
bugzilla at redhat.com
Tue Feb 24 13:02:43 UTC 2015
https://bugzilla.redhat.com/show_bug.cgi?id=1191190
Tomas Hoger <thoger at redhat.com> changed:
What | Removed | Added
----------------------------------------------------------------------------
Priority | medium | high
Summary | CVE-2014-9674 freetype: integer overflow and heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c | CVE-2014-9674 freetype: multiple integer overflows Mac_Read_POST_Resource() leading to heap-based buffer overflows
Whiteboard | impact=moderate,public=20150208,reported=20150209,source=suse,cvss2=3.7/AV:L/AC:H/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected,rhel-5/freetype=new,rhel-6/freetype=new,rhel-7/freetype=new | impact=important,public=20150208,reported=20150209,source=suse,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-190->CWE-122,rhel-4/freetype=wontfix,rhel-5/freetype=affected,rhel-6/freetype=affected,rhel-7/freetype=affected,rhev-m-3/mingw-virt-viewer=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected
Severity | medium | high
--- Comment #4 from Tomas Hoger <thoger at redhat.com> ---
(Private) upstream bug:
https://savannah.nongnu.org/bugs/?43538
Issue was fixed upstream in 2.5.4.
There are multiple integer overflow issues in the Mac_Read_POST_Resource()
function. They can cause freetype to allocate a buffer of insufficient size and
later write data past its boundaries. This will lead to memory corruption that
can cause a crash and possibly code execution.
These flaws make it possible to bypass the boundary check added to address
CVE-2010-2808 (see bug 621907).
This is related to the issue tracked via bug 1191096, and the following patches
were applied to address the problems reported via these two bugs:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=240c94a
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=35252ae
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=4533167
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=1720e81
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cd4a5a2
Unified diff for all the above changes:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/diff/src/base/ftobjs.c?id2=5aff853&id=cd4a5a2
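The allocation-size pattern the comment describes, as an added illustration that is neither FreeType's code nor the upstream patches: a constructed table of POST resource lengths where one crafted entry wraps the 32-bit unchecked total, shown beside an overflow-checked sum that rejects the font instead of allocating an undersized buffer. The 6-byte per-segment header, the function names and the sample tables are assumptions made for this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the pattern in the bug comment (not FreeType's code):
 * every POST resource adds its own length plus a fixed 6-byte PFB segment
 * header to the size of one output buffer. */
#define PFB_HEADER_LEN 6u

/* Unchecked accumulation: a crafted resource length can wrap the 32-bit
 * total, so the buffer allocated from it is smaller than the data that is
 * later copied into it (CWE-190 leading to CWE-122). */
uint32_t total_unchecked(const uint32_t *lens, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += lens[i] + PFB_HEADER_LEN;   /* unsigned wrap-around */
    return total;
}

/* Hardened accumulation: refuse any step that would wrap, so the caller
 * rejects the font before allocating anything. */
bool total_checked(const uint32_t *lens, size_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > UINT32_MAX - PFB_HEADER_LEN)
            return false;                    /* len + header would wrap */
        uint32_t step = lens[i] + PFB_HEADER_LEN;
        if (total > UINT32_MAX - step)
            return false;                    /* running total would wrap */
        total += step;
    }
    *out = total;
    return true;
}

/* Constructed resource-length tables: a well-formed font, and a crafted one
 * whose second entry wraps the unchecked total from ~4 GiB down to 28. */
const uint32_t BENIGN_LENS[2]  = { 100u, 200u };
const uint32_t CRAFTED_LENS[2] = { 0xFFFFFFF0u, 0x20u };

int main(void)
{
    uint32_t size = 0;
    printf("benign:  unchecked=%u checked=%s\n", total_unchecked(BENIGN_LENS, 2),
           total_checked(BENIGN_LENS, 2, &size) ? "ok" : "rejected");
    printf("crafted: unchecked=%u checked=%s\n", total_unchecked(CRAFTED_LENS, 2),
           total_checked(CRAFTED_LENS, 2, &size) ? "ok" : "rejected");
    return 0;
}
```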
More information about the fonts-bugs mailing list