Bug 539796 (CVE-2014-9656)

Summary: <media-libs/freetype-2.5.5: Multiple vulnerabilities (CVE-2014-{9656,9657,9658,9659,9660,9661,9662,9663,9664,9665,9666,9667,9668,9669,9670,9671,9672,9673,9674,9675})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: fonts, polynomial-c, yngwin
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-11 17:44:12 UTC
Summary of bugs:
CVE	Fixed version	Type
CVE-2014-9656	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9657	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9658	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9659	2.5.4	AcE, DoS
CVE-2014-9660	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9661	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9662	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9663	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9664	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9665	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9666	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9667	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9668	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9669	2.5.4	DoS, Unspecified other attack vector
CVE-2014-9670	2.5.4	DoS
CVE-2014-9671	2.5.4	DoS
CVE-2014-9672	2.5.4	DoS, Information leak
CVE-2014-9673	2.5.4	DoS, Unspecified other attack vector

@maintainers: Please specify which version you want stabilized and call for stabilization
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 17:49:30 UTC
CVE-2014-9674 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9674):
  The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before
  2.5.4 proceeds with adding to length values without validating the original
  values, which allows remote attackers to cause a denial of service (integer
  overflow and heap-based buffer overflow) or possibly have unspecified other
  impact via a crafted Mac font.

CVE-2014-9673 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9673):
  Integer signedness error in the Mac_Read_POST_Resource function in
  base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a
  denial of service (heap-based buffer overflow) or possibly have unspecified
  other impact via a crafted Mac font.

CVE-2014-9672 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9672):
  Array index error in the parse_fond function in base/ftmac.c in FreeType
  before 2.5.4 allows remote attackers to cause a denial of service
  (out-of-bounds read) or obtain sensitive information from process memory via
  a crafted FOND resource in a Mac font file.

CVE-2014-9671 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9671):
  Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in
  FreeType before 2.5.4 allows remote attackers to cause a denial of service
  (NULL pointer dereference and application crash) via a crafted PCF file with
  a 0xffffffff size value that is improperly incremented.

CVE-2014-9670 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9670):
  Multiple integer signedness errors in the pcf_get_encodings function in
  pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a
  denial of service (integer overflow, NULL pointer dereference, and
  application crash) via a crafted PCF file that specifies negative values for
  the first column and first row.

CVE-2014-9669 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9669):
  Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow
  remote attackers to cause a denial of service (out-of-bounds read or memory
  corruption) or possibly have unspecified other impact via a crafted cmap
  SFNT table.

CVE-2014-9668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9668):
  The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4
  proceeds with offset+length calculations without restricting length values,
  which allows remote attackers to cause a denial of service (integer overflow
  and heap-based buffer overflow) or possibly have unspecified other impact
  via a crafted Web Open Font Format (WOFF) file.

CVE-2014-9667 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9667):
  sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length
  calculations without restricting the values, which allows remote attackers
  to cause a denial of service (integer overflow and out-of-bounds read) or
  possibly have unspecified other impact via a crafted SFNT table.

CVE-2014-9666 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9666):
  The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4
  proceeds with a count-to-size association without restricting the count
  value, which allows remote attackers to cause a denial of service (integer
  overflow and out-of-bounds read) or possibly have unspecified other impact
  via a crafted embedded bitmap.

CVE-2014-9665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9665):
  The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does
  not restrict the rows and pitch values of PNG data, which allows remote
  attackers to cause a denial of service (integer overflow and heap-based
  buffer overflow) or possibly have unspecified other impact by embedding a
  PNG file in a .ttf font file.

CVE-2014-9664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9664):
  FreeType before 2.5.4 does not check for the end of the data during certain
  parsing actions, which allows remote attackers to cause a denial of service
  (out-of-bounds read) or possibly have unspecified other impact via a crafted
  Type42 font, related to type42/t42parse.c and type1/t1load.c.

CVE-2014-9663 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9663):
  The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4
  validates a certain length field before that field's value is completely
  calculated, which allows remote attackers to cause a denial of service
  (out-of-bounds read) or possibly have unspecified other impact via a crafted
  cmap SFNT table.

CVE-2014-9662 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9662):
  cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of
  point-allocation functions, which allows remote attackers to cause a denial
  of service (heap-based buffer overflow) or possibly have unspecified other
  impact via a crafted OTF font.

CVE-2014-9661 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9661):
  type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning
  can be incomplete without triggering an error, which allows remote attackers
  to cause a denial of service (use-after-free) or possibly have unspecified
  other impact via a crafted Type42 font.

CVE-2014-9660 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9660):
  The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does
  not properly handle a missing ENDCHAR record, which allows remote attackers
  to cause a denial of service (NULL pointer dereference) or possibly have
  unspecified other impact via a crafted BDF font.

CVE-2014-9659 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9659):
  cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4
  proceeds with additional hints after the hint mask has been computed, which
  allows remote attackers to execute arbitrary code or cause a denial of
  service (stack-based buffer overflow) via a crafted OpenType font.  NOTE:
  this vulnerability exists because of an incomplete fix for CVE-2014-2240.

CVE-2014-9658 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9658):
  The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4
  enforces an incorrect minimum table length, which allows remote attackers to
  cause a denial of service (out-of-bounds read) or possibly have unspecified
  other impact via a crafted TrueType font.

CVE-2014-9657 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9657):
  The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before
  2.5.4 does not establish a minimum record size, which allows remote
  attackers to cause a denial of service (out-of-bounds read) or possibly have
  unspecified other impact via a crafted TrueType font.

CVE-2014-9656 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9656):
  The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before
  2.5.4 does not properly check for an integer overflow, which allows remote
  attackers to cause a denial of service (out-of-bounds read) or possibly have
  unspecified other impact via a crafted OpenType font.
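Several of the NVD entries above (CVE-2014-9667, CVE-2014-9668, CVE-2014-9674) share one root cause: an offset+length or count-to-size calculation is performed on attacker-controlled 32-bit fields before the operands are bounded, so the arithmetic wraps and the resulting bounds check passes. The following is an added illustration of that bug class and its defensive fix, written for this page; it is not FreeType's code, and the table directory it checks is a constructed sample rather than data from any real font.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Naive bounds check of the kind the NVD text for CVE-2014-9667/9668 describes:
 * it forms offset+length first and compares afterwards. With 32-bit font table
 * fields the addition wraps modulo 2^32, so an absurd length can pass.
 * (Hypothetical illustration; not FreeType's code.)
 */
static int range_ok_naive(uint32_t total, uint32_t offset, uint32_t length)
{
    return offset + length <= total;   /* wraps when offset + length > UINT32_MAX */
}

/*
 * Hardened check: never compute offset+length. Bound offset first, then bound
 * length against the bytes that remain. Neither the subtraction nor the
 * comparison can overflow, for any 32-bit inputs.
 */
static int range_ok_safe(uint32_t total, uint32_t offset, uint32_t length)
{
    if (offset > total)
        return 0;
    return length <= total - offset;
}

/* One directory-style entry: where a table starts and how long it claims to be. */
struct table_entry {
    uint32_t offset;
    uint32_t length;
};

/* Constructed sample directory for a 1000-byte blob (not from any real font). */
static const uint32_t sample_total = 1000;
static const struct table_entry sample_dir[] = {
    { 0,          1000       },  /* whole blob: legitimate */
    { 16,         984        },  /* ends exactly at the end: legitimate */
    { 16,         985        },  /* one byte past the end: both checks reject */
    { 16,         0xFFFFFFF0 },  /* offset+length wraps to 0: naive check accepts */
    { 0xFFFFFF00, 0x200      },  /* offset already past the blob; sum wraps to 256 */
};

/*
 * Count entries the naive check accepts but the safe check rejects, i.e. the
 * inputs that would go on to an out-of-bounds read or an oversized allocation.
 */
static unsigned count_false_accepts(const struct table_entry *dir, size_t n,
                                    uint32_t total)
{
    unsigned bad = 0;
    for (size_t i = 0; i < n; i++) {
        int naive = range_ok_naive(total, dir[i].offset, dir[i].length);
        int safe  = range_ok_safe(total, dir[i].offset, dir[i].length);
        if (naive && !safe)
            bad++;
    }
    return bad;
}

/* Result over the embedded sample, exposed so it can be checked directly. */
unsigned sample_false_accepts(void)
{
    return count_false_accepts(sample_dir,
                               sizeof sample_dir / sizeof sample_dir[0],
                               sample_total);
}

int main(void)
{
    printf("entries the naive check wrongly accepts: %u\n", sample_false_accepts());
    return 0;
}
```

The safe form is the one to look for when reviewing any parser of length-prefixed binary formats: compare each operand against what remains, and never trust a sum or product of untrusted fields as the left-hand side of a bounds check.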
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 17:49:57 UTC
CVE-2014-9675 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9675):
  bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only
  verifying that an initial substring is present, which allows remote
  attackers to discover heap pointer values and bypass the ASLR protection
  mechanism via a crafted BDF font.
Comment 4 Ben de Groot (RETIRED) gentoo-dev 2015-02-12 07:18:37 UTC
I'd say we go for 2.5.5. Any objections?
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-02-12 19:45:17 UTC
(In reply to Ben de Groot from comment #4)
> I'd say we go for 2.5.5. Any objections?

+1
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-13 09:13:31 UTC
Arches, please stabilize:
=media-libs/freetype-2.5.5
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
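Added example, not part of this bug or of Gentoo's own tooling: a POSIX sh check that decides whether a freetype version string is below the 2.5.5 stabilization target named above, and applies it to the installed library when pkg-config and the freetype2 module are present on the host (an assumption; the version strings in the comments are constructed for illustration).

```shell
#!/bin/sh
# Compare two dotted numeric versions component by component.
# Returns 0 (true) when $1 is strictly lower than $2.
# A Gentoo revision suffix such as "-r1" is stripped before comparing;
# only numeric components are supported.
version_lt() {
    a=${1%%-*}
    b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}
        bx=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # A missing component counts as 0, so 2.5 < 2.5.5.
        [ "${ax:-0}" -lt "${bx:-0}" ] && return 0
        [ "${ax:-0}" -gt "${bx:-0}" ] && return 1
    done
    return 1
}

# Affected by this bug when below the fixed version called for in comment 6.
freetype_affected() {
    version_lt "$1" 2.5.5
}

# Query the installed library via pkg-config if available; otherwise say so.
# Assumes the module is registered as "freetype2", which is how FreeType ships its .pc file.
check_installed() {
    if command -v pkg-config >/dev/null 2>&1 &&
       v=$(pkg-config --modversion freetype2 2>/dev/null); then
        if freetype_affected "$v"; then
            echo "freetype $v: below 2.5.5, affected"
        else
            echo "freetype $v: 2.5.5 or newer"
        fi
    else
        echo "pkg-config or the freetype2 module is not available; nothing to check"
    fi
}

check_installed
```

The comparison avoids `sort -V`, which busybox and some non-GNU sorts lack, so the same script works in minimal chroots and containers.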
Comment 7 Agostino Sarubbo gentoo-dev 2015-02-13 10:34:46 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-02-13 10:35:14 UTC
x86 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-13 20:04:07 UTC
Stable for HPPA.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-13 20:05:11 UTC
Er, 2.5.5 it is, then...
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-13 20:59:52 UTC
Stable for HPPA.
Comment 12 Agostino Sarubbo gentoo-dev 2015-02-14 13:20:16 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-02-14 13:20:44 UTC
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-02-16 10:24:32 UTC
sparc stable
Comment 15 Markus Meier gentoo-dev 2015-02-17 21:08:30 UTC
arm stable
Comment 16 Agostino Sarubbo gentoo-dev 2015-02-18 08:53:25 UTC
ppc64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2015-02-18 09:18:51 UTC
ppc stable
Comment 18 Agostino Sarubbo gentoo-dev 2015-02-23 11:39:03 UTC
ia64 stable
Comment 19 Agostino Sarubbo gentoo-dev 2015-02-24 10:58:02 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 20 Ben de Groot (RETIRED) gentoo-dev 2015-02-24 12:27:55 UTC
+  24 Feb 2015; Ben de Groot <yngwin@gentoo.org>
+  -files/2.5.4-0001-pcf-Fix-Savannah-bug-43774.patch,
+  -files/2.5.4-0002-src-pcf-pcfread.c-pcf_read_TOC-Improve-fix-from-2014.patch,
+  -freetype-2.5.3-r1.ebuild, -freetype-2.5.4-r1.ebuild, freetype-2.5.5.ebuild:
+  remove vulnerable versions (bug #539796)
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-02-26 01:15:18 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 15:07:15 UTC
This issue was resolved and addressed in GLSA 201503-05 at http://security.gentoo.org/glsa/glsa-201503-05.xml by GLSA coordinator Kristian Fiskerstrand (K_F).