Security update for freetype2

SUSE Security Update: Security update for freetype2
Announcement ID: SUSE-SU-2015:0455-1
Rating: moderate
References: #916847 #916856 #916857 #916858 #916859 #916860 #916861 #916862 #916863 #916864 #916865 #916867 #916868 #916870 #916871 #916872 #916873 #916874 #916879 #916881
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 12
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Desktop 12

An update that fixes 21 vulnerabilities is now available.

    Description:

    freetype2 was updated to fix 20 security issues.

    These security issues were fixed:
    - CVE-2014-9663: The tt_cmap4_validate function in sfnt/ttcmap.c in
    FreeType before 2.5.4 validates a certain length field before that
    field's value is completely calculated, which allowed remote attackers
    to cause a denial of service (out-of-bounds read) or possibly have
    unspecified other impact via a crafted cmap SFNT table (bnc#916865).
    - CVE-2014-9662: cff/cf2ft.c in FreeType before 2.5.4 did not validate the
    return values of point-allocation functions, which allowed remote
    attackers to cause a denial of service (heap-based buffer overflow) or
    possibly have unspecified other impact via a crafted OTF font
    (bnc#916860).
    - CVE-2014-9661: type42/t42parse.c in FreeType before 2.5.4 did not
    consider that scanning can be incomplete without triggering an error,
    which allowed remote attackers to cause a denial of service
    (use-after-free) or possibly have unspecified other impact via a crafted
    Type42 font (bnc#916859).
    - CVE-2014-9660: The _bdf_parse_glyphs function in bdf/bdflib.c in
    FreeType before 2.5.4 did not properly handle a missing ENDCHAR record,
    which allowed remote attackers to cause a denial of service (NULL
    pointer dereference) or possibly have unspecified other impact via a
    crafted BDF font (bnc#916858).
    - CVE-2014-9667: sfnt/ttload.c in FreeType before 2.5.4 proceeds with
    offset+length calculations without restricting the values, which allowed
    remote attackers to cause a denial of service (integer overflow and
    out-of-bounds read) or possibly have unspecified other impact via a
    crafted SFNT table (bnc#916861).
    - CVE-2014-9666: The tt_sbit_decoder_init function in sfnt/ttsbit.c in
    FreeType before 2.5.4 proceeds with a count-to-size association without
    restricting the count value, which allowed remote attackers to cause a
    denial of service (integer overflow and out-of-bounds read) or possibly
    have unspecified other impact via a crafted embedded bitmap (bnc#916862).
    - CVE-2014-9665: The Load_SBit_Png function in sfnt/pngshim.c in FreeType
    before 2.5.4 did not restrict the rows and pitch values of PNG data,
    which allowed remote attackers to cause a denial of service (integer
    overflow and heap-based buffer overflow) or possibly have unspecified
    other impact by embedding a PNG file in a .ttf font file (bnc#916863).
    - CVE-2014-9664: FreeType before 2.5.4 did not check for the end of the
    data during certain parsing actions, which allowed remote attackers to
    cause a denial of service (out-of-bounds read) or possibly have
    unspecified other impact via a crafted Type42 font, related to
    type42/t42parse.c and type1/t1load.c (bnc#916864).
    - CVE-2014-9669: Multiple integer overflows in sfnt/ttcmap.c in FreeType
    before 2.5.4 allowed remote attackers to cause a denial of service
    (out-of-bounds read or memory corruption) or possibly have unspecified
    other impact via a crafted cmap SFNT table (bnc#916870).
    - CVE-2014-9668: The woff_open_font function in sfnt/sfobjs.c in FreeType
    before 2.5.4 proceeds with offset+length calculations without
    restricting length values, which allowed remote attackers to cause a
    denial of service (integer overflow and heap-based buffer overflow) or
    possibly have unspecified other impact via a crafted Web Open Font
    Format (WOFF) file (bnc#916868).
    - CVE-2014-9656: The tt_sbit_decoder_load_image function in sfnt/ttsbit.c
    in FreeType before 2.5.4 did not properly check for an integer overflow,
    which allowed remote attackers to cause a denial of service
    (out-of-bounds read) or possibly have unspecified other impact via a
    crafted OpenType font (bnc#916847).
    - CVE-2014-9658: The tt_face_load_kern function in sfnt/ttkern.c in
    FreeType before 2.5.4 enforces an incorrect minimum table length, which
    allowed remote attackers to cause a denial of service (out-of-bounds
    read) or possibly have unspecified other impact via a crafted TrueType
    font (bnc#916857).
    - CVE-2014-9659: cff/cf2intrp.c in the CFF CharString interpreter in
    FreeType before 2.5.4 proceeds with additional hints after the hint mask
    has been computed, which allowed remote attackers to execute arbitrary
    code or cause a denial of service (stack-based buffer overflow) via a
    crafted OpenType font. NOTE: this vulnerability exists because of an
    incomplete fix for CVE-2014-2240 (bnc#916867).
    - CVE-2014-9674: The Mac_Read_POST_Resource function in base/ftobjs.c in
    FreeType before 2.5.4 proceeds with adding to length values without
    validating the original values, which allowed remote attackers to cause
    a denial of service (integer overflow and heap-based buffer overflow) or
    possibly have unspecified other impact via a crafted Mac font
    (bnc#916879).
    - CVE-2014-9675: bdf/bdflib.c in FreeType before 2.5.4 identifies property
    names by only verifying that an initial substring is present, which
    allowed remote attackers to discover heap pointer values and bypass the
    ASLR protection mechanism via a crafted BDF font (bnc#916881).
    - CVE-2014-9657: The tt_face_load_hdmx function in truetype/ttpload.c in
    FreeType before 2.5.4 did not establish a minimum record size, which
    allowed remote attackers to cause a denial of service (out-of-bounds
    read) or possibly have unspecified other impact via a crafted TrueType
    font (bnc#916856).
    - CVE-2014-9670: Multiple integer signedness errors in the
    pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4
    allowed remote attackers to cause a denial of service (integer overflow,
    NULL pointer dereference, and application crash) via a crafted PCF file
    that specifies negative values for the first column and first row
    (bnc#916871).
    - CVE-2014-9671: Off-by-one error in the pcf_get_properties function in
    pcf/pcfread.c in FreeType before 2.5.4 allowed remote attackers to cause
    a denial of service (NULL pointer dereference and application crash) via
    a crafted PCF file with a 0xffffffff size value that is improperly
    incremented (bnc#916872).
    - CVE-2014-9672: Array index error in the parse_fond function in
    base/ftmac.c in FreeType before 2.5.4 allowed remote attackers to cause
    a denial of service (out-of-bounds read) or obtain sensitive information
    from process memory via a crafted FOND resource in a Mac font file
    (bnc#916873).
    - CVE-2014-9673: Integer signedness error in the Mac_Read_POST_Resource
    function in base/ftobjs.c in FreeType before 2.5.4 allowed remote
    attackers to cause a denial of service (heap-based buffer overflow) or
    possibly have unspecified other impact via a crafted Mac font
    (bnc#916874).
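
Several of the issues above (CVE-2014-9667, CVE-2014-9668, CVE-2014-9666) come down to forming offset+length or count*size from font-supplied values before restricting them. The following C sketch is an added example, not FreeType code or the upstream fix; the struct, function names and sample values are hypothetical and show the weak check next to an overflow-safe one.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical table-directory entry; names are illustrative, not FreeType's. */
typedef struct {
    uint32_t offset;  /* read from the font file, untrusted */
    uint32_t length;  /* read from the font file, untrusted */
} table_entry;

/* Weak check: offset + length is computed in 32 bits and can wrap to a
   small value, so an entry far outside the file is accepted. */
static int range_ok_weak(const table_entry *e, uint32_t file_size)
{
    return (uint32_t)(e->offset + e->length) <= file_size;
}

/* Hardened check: restrict each value first and never form the sum. */
static int range_ok_checked(const table_entry *e, uint32_t file_size)
{
    if (e->offset > file_size)
        return 0;
    return e->length <= file_size - e->offset;
}

/* Count-to-size: compare the count against available/record_size so the
   product count * record_size is never formed and cannot wrap. */
static int count_ok_checked(uint32_t count, uint32_t record_size,
                            uint32_t bytes_available)
{
    if (record_size == 0)
        return 0;
    return count <= bytes_available / record_size;
}

int main(void)
{
    /* Constructed sample values, not taken from any real font. */
    table_entry wrap = { 0xFFFFFF00u, 0x00000200u };  /* sum wraps to 0x100 */
    table_entry good = { 0x00000100u, 0x00000200u };
    uint32_t file_size = 0x1000u;

    printf("wrapping entry: weak=%d checked=%d\n",
           range_ok_weak(&wrap, file_size), range_ok_checked(&wrap, file_size));
    printf("valid entry:    weak=%d checked=%d\n",
           range_ok_weak(&good, file_size), range_ok_checked(&good, file_size));
    /* 0x20000000 records of 8 bytes: the 32-bit product would wrap to 0. */
    printf("huge count accepted: %d\n",
           count_ok_checked(0x20000000u, 8u, file_size));
    return 0;
}
```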

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 12:
      zypper in -t patch SUSE-SLE-SDK-12-2015-111=1
    • SUSE Linux Enterprise Server 12:
      zypper in -t patch SUSE-SLE-SERVER-12-2015-111=1
    • SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-111=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
      • freetype2-debugsource-2.5.3-5.1
      • freetype2-devel-2.5.3-5.1
    • SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
      • freetype2-debugsource-2.5.3-5.1
      • ft2demos-2.5.3-5.1
      • libfreetype6-2.5.3-5.1
      • libfreetype6-debuginfo-2.5.3-5.1
    • SUSE Linux Enterprise Server 12 (s390x x86_64):
      • libfreetype6-32bit-2.5.3-5.1
      • libfreetype6-debuginfo-32bit-2.5.3-5.1
    • SUSE Linux Enterprise Desktop 12 (x86_64):
      • freetype2-debugsource-2.5.3-5.1
      • ft2demos-2.5.3-5.1
      • libfreetype6-2.5.3-5.1
      • libfreetype6-32bit-2.5.3-5.1
      • libfreetype6-debuginfo-2.5.3-5.1
      • libfreetype6-debuginfo-32bit-2.5.3-5.1

    References:

    • http://support.novell.com/security/cve/CVE-2014-2240.html
    • http://support.novell.com/security/cve/CVE-2014-9656.html
    • http://support.novell.com/security/cve/CVE-2014-9657.html
    • http://support.novell.com/security/cve/CVE-2014-9658.html
    • http://support.novell.com/security/cve/CVE-2014-9659.html
    • http://support.novell.com/security/cve/CVE-2014-9660.html
    • http://support.novell.com/security/cve/CVE-2014-9661.html
    • http://support.novell.com/security/cve/CVE-2014-9662.html
    • http://support.novell.com/security/cve/CVE-2014-9663.html
    • http://support.novell.com/security/cve/CVE-2014-9664.html
    • http://support.novell.com/security/cve/CVE-2014-9665.html
    • http://support.novell.com/security/cve/CVE-2014-9666.html
    • http://support.novell.com/security/cve/CVE-2014-9667.html
    • http://support.novell.com/security/cve/CVE-2014-9668.html
    • http://support.novell.com/security/cve/CVE-2014-9669.html
    • http://support.novell.com/security/cve/CVE-2014-9670.html
    • http://support.novell.com/security/cve/CVE-2014-9671.html
    • http://support.novell.com/security/cve/CVE-2014-9672.html
    • http://support.novell.com/security/cve/CVE-2014-9673.html
    • http://support.novell.com/security/cve/CVE-2014-9674.html
    • http://support.novell.com/security/cve/CVE-2014-9675.html
    • https://bugzilla.suse.com/916847
    • https://bugzilla.suse.com/916856
    • https://bugzilla.suse.com/916857
    • https://bugzilla.suse.com/916858
    • https://bugzilla.suse.com/916859
    • https://bugzilla.suse.com/916860
    • https://bugzilla.suse.com/916861
    • https://bugzilla.suse.com/916862
    • https://bugzilla.suse.com/916863
    • https://bugzilla.suse.com/916864
    • https://bugzilla.suse.com/916865
    • https://bugzilla.suse.com/916867
    • https://bugzilla.suse.com/916868
    • https://bugzilla.suse.com/916870
    • https://bugzilla.suse.com/916871
    • https://bugzilla.suse.com/916872
    • https://bugzilla.suse.com/916873
    • https://bugzilla.suse.com/916874
    • https://bugzilla.suse.com/916879
    • https://bugzilla.suse.com/916881