Security update for freetype2
SUSE Security Update: Security update for freetype2
Announcement ID: SUSE-SU-2015:0455-1
Rating: moderate
References: #916847 #916856 #916857 #916858 #916859 #916860 #916861 #916862 #916863 #916864 #916865 #916867 #916868 #916870 #916871 #916872 #916873 #916874 #916879 #916881
Affected Products:
An update that fixes 21 vulnerabilities is now available.
Description:
freetype2 was updated to fix 20 security issues.
These security issues were fixed:
- CVE-2014-9663: The tt_cmap4_validate function in sfnt/ttcmap.c in
FreeType before 2.5.4 validates a certain length field before that
field's value is completely calculated, which allowed remote attackers
to cause a denial of service (out-of-bounds read) or possibly have
unspecified other impact via a crafted cmap SFNT table (bnc#916865).
- CVE-2014-9662: cff/cf2ft.c in FreeType before 2.5.4 did not validate the
return values of point-allocation functions, which allowed remote
attackers to cause a denial of service (heap-based buffer overflow) or
possibly have unspecified other impact via a crafted OTF font
(bnc#916860).
- CVE-2014-9661: type42/t42parse.c in FreeType before 2.5.4 did not
consider that scanning can be incomplete without triggering an error,
which allowed remote attackers to cause a denial of service
(use-after-free) or possibly have unspecified other impact via a crafted
Type42 font (bnc#916859).
- CVE-2014-9660: The _bdf_parse_glyphs function in bdf/bdflib.c in
FreeType before 2.5.4 did not properly handle a missing ENDCHAR record,
which allowed remote attackers to cause a denial of service (NULL
pointer dereference) or possibly have unspecified other impact via a
crafted BDF font (bnc#916858).
- CVE-2014-9667: sfnt/ttload.c in FreeType before 2.5.4 proceeds with
offset+length calculations without restricting the values, which allowed
remote attackers to cause a denial of service (integer overflow and
out-of-bounds read) or possibly have unspecified other impact via a
crafted SFNT table (bnc#916861).
- CVE-2014-9666: The tt_sbit_decoder_init function in sfnt/ttsbit.c in
FreeType before 2.5.4 proceeds with a count-to-size association without
restricting the count value, which allowed remote attackers to cause a
denial of service (integer overflow and out-of-bounds read) or possibly
have unspecified other impact via a crafted embedded bitmap (bnc#916862).
- CVE-2014-9665: The Load_SBit_Png function in sfnt/pngshim.c in FreeType
before 2.5.4 did not restrict the rows and pitch values of PNG data,
which allowed remote attackers to cause a denial of service (integer
overflow and heap-based buffer overflow) or possibly have unspecified
other impact by embedding a PNG file in a .ttf font file (bnc#916863).
- CVE-2014-9664: FreeType before 2.5.4 did not check for the end of the
data during certain parsing actions, which allowed remote attackers to
cause a denial of service (out-of-bounds read) or possibly have
unspecified other impact via a crafted Type42 font, related to
type42/t42parse.c and type1/t1load.c (bnc#916864).
- CVE-2014-9669: Multiple integer overflows in sfnt/ttcmap.c in FreeType
before 2.5.4 allowed remote attackers to cause a denial of service
(out-of-bounds read or memory corruption) or possibly have unspecified
other impact via a crafted cmap SFNT table (bnc#916870).
- CVE-2014-9668: The woff_open_font function in sfnt/sfobjs.c in FreeType
before 2.5.4 proceeds with offset+length calculations without
restricting length values, which allowed remote attackers to cause a
denial of service (integer overflow and heap-based buffer overflow) or
possibly have unspecified other impact via a crafted Web Open Font
Format (WOFF) file (bnc#916868).
- CVE-2014-9656: The tt_sbit_decoder_load_image function in sfnt/ttsbit.c
in FreeType before 2.5.4 did not properly check for an integer overflow,
which allowed remote attackers to cause a denial of service
(out-of-bounds read) or possibly have unspecified other impact via a
crafted OpenType font (bnc#916847).
- CVE-2014-9658: The tt_face_load_kern function in sfnt/ttkern.c in
FreeType before 2.5.4 enforces an incorrect minimum table length, which
allowed remote attackers to cause a denial of service (out-of-bounds
read) or possibly have unspecified other impact via a crafted TrueType
font (bnc#916857).
- CVE-2014-9659: cff/cf2intrp.c in the CFF CharString interpreter in
FreeType before 2.5.4 proceeds with additional hints after the hint mask
has been computed, which allowed remote attackers to execute arbitrary
code or cause a denial of service (stack-based buffer overflow) via a
crafted OpenType font. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2014-2240 (bnc#916867).
- CVE-2014-9674: The Mac_Read_POST_Resource function in base/ftobjs.c in
FreeType before 2.5.4 proceeds with adding to length values without
validating the original values, which allowed remote attackers to cause
a denial of service (integer overflow and heap-based buffer overflow) or
possibly have unspecified other impact via a crafted Mac font
(bnc#916879).
- CVE-2014-9675: bdf/bdflib.c in FreeType before 2.5.4 identifies property
names by only verifying that an initial substring is present, which
allowed remote attackers to discover heap pointer values and bypass the
ASLR protection mechanism via a crafted BDF font (bnc#916881).
- CVE-2014-9657: The tt_face_load_hdmx function in truetype/ttpload.c in
FreeType before 2.5.4 did not establish a minimum record size, which
allowed remote attackers to cause a denial of service (out-of-bounds
read) or possibly have unspecified other impact via a crafted TrueType
font (bnc#916856).
- CVE-2014-9670: Multiple integer signedness errors in the
pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4
allowed remote attackers to cause a denial of service (integer overflow,
NULL pointer dereference, and application crash) via a crafted PCF file
that specifies negative values for the first column and first row
(bnc#916871).
- CVE-2014-9671: Off-by-one error in the pcf_get_properties function in
pcf/pcfread.c in FreeType before 2.5.4 allowed remote attackers to cause
a denial of service (NULL pointer dereference and application crash) via
a crafted PCF file with a 0xffffffff size value that is improperly
incremented (bnc#916872).
- CVE-2014-9672: Array index error in the parse_fond function in
base/ftmac.c in FreeType before 2.5.4 allowed remote attackers to cause
a denial of service (out-of-bounds read) or obtain sensitive information
from process memory via a crafted FOND resource in a Mac font file
(bnc#916873).
- CVE-2014-9673: Integer signedness error in the Mac_Read_POST_Resource
function in base/ftobjs.c in FreeType before 2.5.4 allowed remote
attackers to cause a denial of service (heap-based buffer overflow) or
possibly have unspecified other impact via a crafted Mac font
(bnc#916874).
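Several entries above (CVE-2014-9667, CVE-2014-9668, CVE-2014-9666) describe the same pattern: arithmetic on 32-bit fields read from the font wraps before the bounds check is made. The C code below is an added example, not FreeType's code; the struct, the function names and the sample directory are hypothetical and constructed for illustration. It puts the weak offset+length comparison beside a form that cannot wrap, and bounds a record count by division.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical table-directory entry; both fields come from the font file. */
struct entry { const char *tag; uint32_t offset, length; };

/* Weak: the 32-bit sum can wrap, so a huge length passes the comparison. */
static int range_ok_naive(uint32_t offset, uint32_t length, uint32_t size)
{
    return (uint32_t)(offset + length) <= size;
}

/* Hardened: restrict offset first, then compare length without adding. */
static int range_ok(uint32_t offset, uint32_t length, uint32_t size)
{
    if (offset > size)
        return 0;
    return length <= size - offset;
}

/* Count-to-size: bound count by division instead of multiplying it out. */
static int records_ok(uint32_t offset, uint32_t count,
                      uint32_t record_size, uint32_t size)
{
    if (record_size == 0 || offset > size)
        return 0;
    return count <= (size - offset) / record_size;
}

/* Index of the first entry the given check rejects, or -1 if all pass. */
static int first_rejected(const struct entry *e, int n, uint32_t size,
                          int (*check)(uint32_t, uint32_t, uint32_t))
{
    for (int i = 0; i < n; i++)
        if (!check(e[i].offset, e[i].length, size))
            return i;
    return -1;
}

/* Constructed directory for a 4096-byte file; the last sum wraps to 0x200. */
static const struct entry sample[] = {
    { "head", 0x0100u, 0x0036u },
    { "cmap", 0x0200u, 0x0400u },
    { "glyf", 0x0800u, 0xFFFFFA00u },
};

int main(void)
{
    printf("naive rejects: %d\n", first_rejected(sample, 3, 4096, range_ok_naive));
    printf("hardened rejects: %d\n", first_rejected(sample, 3, 4096, range_ok));
    printf("count 0x20000000 ok: %d\n", records_ok(16, 0x20000000u, 8, 4096));
    return 0;
}
```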
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12:
  zypper in -t patch SUSE-SLE-SDK-12-2015-111=1
- SUSE Linux Enterprise Server 12:
  zypper in -t patch SUSE-SLE-SERVER-12-2015-111=1
- SUSE Linux Enterprise Desktop 12:
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-111=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
  - freetype2-debugsource-2.5.3-5.1
  - freetype2-devel-2.5.3-5.1
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
  - freetype2-debugsource-2.5.3-5.1
  - ft2demos-2.5.3-5.1
  - libfreetype6-2.5.3-5.1
  - libfreetype6-debuginfo-2.5.3-5.1
- SUSE Linux Enterprise Server 12 (s390x x86_64):
  - libfreetype6-32bit-2.5.3-5.1
  - libfreetype6-debuginfo-32bit-2.5.3-5.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
  - freetype2-debugsource-2.5.3-5.1
  - ft2demos-2.5.3-5.1
  - libfreetype6-2.5.3-5.1
  - libfreetype6-32bit-2.5.3-5.1
  - libfreetype6-debuginfo-2.5.3-5.1
  - libfreetype6-debuginfo-32bit-2.5.3-5.1
References:
- http://support.novell.com/security/cve/CVE-2014-2240.html
- http://support.novell.com/security/cve/CVE-2014-9656.html
- http://support.novell.com/security/cve/CVE-2014-9657.html
- http://support.novell.com/security/cve/CVE-2014-9658.html
- http://support.novell.com/security/cve/CVE-2014-9659.html
- http://support.novell.com/security/cve/CVE-2014-9660.html
- http://support.novell.com/security/cve/CVE-2014-9661.html
- http://support.novell.com/security/cve/CVE-2014-9662.html
- http://support.novell.com/security/cve/CVE-2014-9663.html
- http://support.novell.com/security/cve/CVE-2014-9664.html
- http://support.novell.com/security/cve/CVE-2014-9665.html
- http://support.novell.com/security/cve/CVE-2014-9666.html
- http://support.novell.com/security/cve/CVE-2014-9667.html
- http://support.novell.com/security/cve/CVE-2014-9668.html
- http://support.novell.com/security/cve/CVE-2014-9669.html
- http://support.novell.com/security/cve/CVE-2014-9670.html
- http://support.novell.com/security/cve/CVE-2014-9671.html
- http://support.novell.com/security/cve/CVE-2014-9672.html
- http://support.novell.com/security/cve/CVE-2014-9673.html
- http://support.novell.com/security/cve/CVE-2014-9674.html
- http://support.novell.com/security/cve/CVE-2014-9675.html
- https://bugzilla.suse.com/916847
- https://bugzilla.suse.com/916856
- https://bugzilla.suse.com/916857
- https://bugzilla.suse.com/916858
- https://bugzilla.suse.com/916859
- https://bugzilla.suse.com/916860
- https://bugzilla.suse.com/916861
- https://bugzilla.suse.com/916862
- https://bugzilla.suse.com/916863
- https://bugzilla.suse.com/916864
- https://bugzilla.suse.com/916865
- https://bugzilla.suse.com/916867
- https://bugzilla.suse.com/916868
- https://bugzilla.suse.com/916870
- https://bugzilla.suse.com/916871
- https://bugzilla.suse.com/916872
- https://bugzilla.suse.com/916873
- https://bugzilla.suse.com/916874
- https://bugzilla.suse.com/916879
- https://bugzilla.suse.com/916881