SecurityTracker.com
Category:   Application (Generic)  >   FreeType
Vendors:   freetype.org
FreeType Multiple Flaws Let Remote Users Bypass Security Features, Deny Service, and Execute Arbitrary Code
SecurityTracker Alert ID:  1031711
SecurityTracker URL:  http://securitytracker.com/id/1031711
CVE Reference:   CVE-2014-9656, CVE-2014-9657, CVE-2014-9658, CVE-2014-9659, CVE-2014-9660, CVE-2014-9661, CVE-2014-9662, CVE-2014-9663, CVE-2014-9664, CVE-2014-9665, CVE-2014-9666, CVE-2014-9667, CVE-2014-9668, CVE-2014-9669, CVE-2014-9670, CVE-2014-9671, CVE-2014-9672, CVE-2014-9673, CVE-2014-9674, CVE-2014-9675
Date:  Feb 8 2015
Impact:   Denial of service via network, Disclosure of system information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.5.4
Description:   Multiple vulnerabilities were reported in FreeType. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions. A remote user can bypass security features.

A remote user can create a specially crafted font file that, when loaded by the target user or application, will execute arbitrary code on the target system or cause the target application to crash. The code will run with the privileges of the target user or application.

An integer overflow may occur in the tt_sbit_decoder_load_image() function in 'sfnt/ttsbit.c' [CVE-2014-9656].

An out-of-bounds memory read may occur in the tt_face_load_hdmx() function in 'truetype/ttpload.c' [CVE-2014-9657].

An out-of-bounds memory read may occur in the tt_face_load_kern() function in 'sfnt/ttkern.c' [CVE-2014-9658].

A stack overflow may occur in the CFF CharString interpreter in 'cff/cf2intrp.c' [CVE-2014-9659]. This vulnerability is the result of an incomplete fix for the previously reported CVE-2014-2240 vulnerability [see Alert ID 1029895].

A null pointer dereference may occur in the _bdf_parse_glyphs() function in 'bdf/bdflib.c' [CVE-2014-9660].

A use-after-free memory error may occur in 'type42/t42parse.c' [CVE-2014-9661].

A heap overflow may occur in 'cff/cf2ft.c' [CVE-2014-9662].

An out-of-bounds memory read error may occur in the tt_cmap4_validate() function in 'sfnt/ttcmap.c'.

A parsing error may occur in 'type42/t42parse.c' and 'type1/t1load.c' [CVE-2014-9664].

An integer overflow or heap overflow may occur in the Load_SBit_Png() function in 'sfnt/pngshim.c' [CVE-2014-9665].

An integer overflow or out-of-bounds memory read error may occur in the tt_sbit_decoder_init() function in 'sfnt/ttsbit.c' [CVE-2014-9666].

An integer overflow or out-of-bounds memory read error may occur in the tt_sbit_decoder_init() function in 'sfnt/ttload.c' [CVE-2014-9667].

An integer overflow or heap overflow may occur in the woff_open_font() function in 'sfnt/sfobjs.c' [CVE-2014-9668].

An integer overflow may occur in 'sfnt/ttcmap.c' [CVE-2014-9669].

An integer signedness error may occur in the pcf_get_encodings() function in 'pcf/pcfread.c' [CVE-2014-9670].

An off-by-one error may occur in the pcf_get_properties() function in 'pcf/pcfread.c' [CVE-2014-9671].

An array index error may occur in the parse_fond() function in 'base/ftmac.c' [CVE-2014-9672].

A heap overflow may occur in the Mac_Read_POST_Resource() function in 'base/ftobjs.c' [CVE-2014-9673, CVE-2014-9674].

A remote user can create a specially crafted font file that, when loaded by the target user or application, will exploit a flaw in 'bdf/bdflib.c' and read heap pointer values to bypass address space layout randomization (ASLR) features [CVE-2014-9675].

Mateusz Jurczyk of Google Security Research reported these vulnerabilities.

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can cause denial of service conditions.

A remote user can bypass address space layout randomization (ASLR) protection mechanisms.

Solution:   The vendor has issued a fix (2.5.4) [in December 2014].
Vendor URL:  www.freetype.org/
Cause:   Access control error, Boundary error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 25 2015 (Ubuntu Issues Fix) FreeType Multiple Flaws Let Remote Users Bypass Security Features, Deny Service, and Execute Arbitrary Code
Ubuntu has issued a fix for Ubuntu 10.04 LTS, 12.04 LTS, 14.04 LTS, and 14.10.
Mar 19 2015 (Red Hat Issues Fix) FreeType Multiple Flaws Let Remote Users Bypass Security Features, Deny Service, and Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
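
A check for the affected range stated above (versions prior to 2.5.4), as an added example that is not part of the original advisory: it asks the installed FreeType shared library for its version through `FT_Library_Version()` and compares the result with 2.5.4. The names `parse_version`, `is_affected` and `loaded_freetype_version` are this example's own. It also assumes that distribution updates such as the Ubuntu and Red Hat fixes listed above may ship the fix under an older upstream version number, so a result below 2.5.4 on such a system should be confirmed against the distribution's advisory.

```python
import ctypes
import ctypes.util

FIXED = (2, 5, 4)  # first fixed upstream release, per the advisory


def parse_version(text):
    """Turn an upstream version such as '2.5.3' or '2.5' into a 3-tuple of ints."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError("unexpected FreeType version: %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True when an upstream version tuple is older than the fixed release."""
    return tuple(version) < FIXED


def loaded_freetype_version(libname=None):
    """Ask the FreeType shared library for its own version.

    Returns (major, minor, patch), or None when no library can be loaded.
    """
    path = libname or ctypes.util.find_library("freetype")
    if not path:
        return None
    try:
        ft = ctypes.CDLL(path)
    except OSError:
        return None
    int_p = ctypes.POINTER(ctypes.c_int)
    ft.FT_Init_FreeType.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    ft.FT_Init_FreeType.restype = ctypes.c_int
    ft.FT_Library_Version.argtypes = [ctypes.c_void_p, int_p, int_p, int_p]
    ft.FT_Library_Version.restype = None
    ft.FT_Done_FreeType.argtypes = [ctypes.c_void_p]
    ft.FT_Done_FreeType.restype = ctypes.c_int
    library = ctypes.c_void_p()
    if ft.FT_Init_FreeType(ctypes.byref(library)) != 0:
        return None
    major, minor, patch = ctypes.c_int(), ctypes.c_int(), ctypes.c_int()
    ft.FT_Library_Version(library, ctypes.byref(major),
                          ctypes.byref(minor), ctypes.byref(patch))
    ft.FT_Done_FreeType(library)
    return (major.value, minor.value, patch.value)


if __name__ == "__main__":
    found = loaded_freetype_version()
    print("FreeType not found" if found is None else (found, is_affected(found)))
```

The version reported is that of the shared library the loader resolves; applications that bundle or statically link their own copy of FreeType need to be checked separately.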




Copyright 2019, SecurityGlobal.net LLC