[Bug 1191190] CVE-2014-9674 freetype: multiple integer overflows Mac_Read_POST_Resource() leading to heap-based buffer overflows

bugzilla at redhat.com bugzilla at redhat.com
Tue Feb 24 13:02:43 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1191190

Tomas Hoger <thoger at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|medium                      |high
            Summary|CVE-2014-9674 freetype:     |CVE-2014-9674 freetype:
                   |integer overflow and        |multiple integer overflows
                   |heap-based buffer overflow  |Mac_Read_POST_Resource()
                   |in the                      |leading to heap-based
                   |Mac_Read_POST_Resource      |buffer overflows
                   |function in base/ftobjs.c   |
         Whiteboard|impact=moderate,public=2015 |impact=important,public=201
                   |0208,reported=20150209,sour |50208,reported=20150209,sou
                   |ce=suse,cvss2=3.7/AV:L/AC:H |rce=suse,cvss2=6.8/AV:N/AC:
                   |/Au:N/C:P/I:P/A:P,fedora-al |M/Au:N/C:P/I:P/A:P,cwe=CWE-
                   |l/freetype=affected,rhel-5/ |190->CWE-122,rhel-4/freetyp
                   |freetype=new,rhel-6/freetyp |e=wontfix,rhel-5/freetype=a
                   |e=new,rhel-7/freetype=new   |ffected,rhel-6/freetype=aff
                   |                            |ected,rhel-7/freetype=affec
                   |                            |ted,rhev-m-3/mingw-virt-vie
                   |                            |wer=affected,fedora-all/fre
                   |                            |etype=affected,fedora-all/m
                   |                            |ingw-freetype=affected,epel
                   |                            |-7/mingw-freetype=affected
           Severity|medium                      |high



--- Comment #4 from Tomas Hoger <thoger at redhat.com> ---
(Private) upstream bug:
https://savannah.nongnu.org/bugs/?43538

Issue was fixed upstream in 2.5.4.

There are multiple integer overflow issues in the Mac_Read_POST_Resource()
function.  They can cause freetype to allocate a buffer of insufficient size and
later write data past its boundaries.  This will lead to memory corruption that
can cause a crash and possibly code execution.

These flaws make it possible to bypass the boundary check added to address
CVE-2010-2808 (see bug 621907).

This is related to issue tracked via bug 1191096, and the following patches
were applied to address problems reported via these two bugs:

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=240c94a
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=35252ae
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=4533167
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=1720e81
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cd4a5a2

Unified diff for all the above changes:

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/diff/src/base/ftobjs.c?id2=5aff853&id=cd4a5a2
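As an added illustration, not FreeType's code and not the upstream patch: the arithmetic behind this class of bug, an allocation size totalled from untrusted resource lengths with unchecked 32-bit additions, beside a version that rejects wrap-around and lengths larger than the file. The function names, the 6-byte per-resource header and the sample lengths are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed layout: each resource is copied with a small fixed header in
 * front of its data, so the allocation is sum(len[i] + header). */
#define HEADER_PER_RESOURCE 6u

/* Unchecked sum (CWE-190): with attacker-chosen lengths the 32-bit total
 * wraps to a small value, so the buffer later allocated from it is far too
 * small for the data copied into it (CWE-122). */
uint32_t total_size_unchecked(const uint32_t *lens, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += lens[i] + HEADER_PER_RESOURCE;
    return total;
}

/* Checked sum: every length must fit in what is left of the file, and every
 * addition is tested for wrap before it is committed.  Returns false and
 * leaves *out untouched on any violation. */
bool total_size_checked(const uint32_t *lens, size_t n,
                        uint32_t file_size, uint32_t *out)
{
    uint32_t total = 0, remaining = file_size;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > remaining)                          /* length beyond EOF */
            return false;
        remaining -= lens[i];
        if (lens[i] > UINT32_MAX - HEADER_PER_RESOURCE)  /* len + header wraps */
            return false;
        uint32_t piece = lens[i] + HEADER_PER_RESOURCE;
        if (piece > UINT32_MAX - total)                   /* running sum wraps */
            return false;
        total += piece;
    }
    *out = total;
    return true;
}

/* Constructed sample inputs: two lengths whose headered sum wraps past
 * 2^32, and two ordinary lengths from a 1024-byte file. */
static const uint32_t kWrapLens[] = { 0xFFFFFFF0u, 0x20u };
static const uint32_t kSaneLens[] = { 100u, 200u };

uint32_t demo_wrapped_total(void) { return total_size_unchecked(kWrapLens, 2); }
bool demo_checked_rejects_wrap(void)
{ uint32_t t = 0; return !total_size_checked(kWrapLens, 2, 1024u, &t); }
uint32_t demo_checked_sane_total(void)
{ uint32_t t = 0; return total_size_checked(kSaneLens, 2, 1024u, &t) ? t : 0; }
```

The unchecked total for the wrapping sample is 28 bytes, while the data the two resources would copy exceeds 4 GiB; the checked version refuses the same input on its first length.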
