SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   FreeType Vendors:   freetype.org
(Red Hat Issues Fix) FreeType Multiple Flaws Let Remote Users Bypass Security Features, Deny Service, and Execute Arbitrary Code
SecurityTracker Alert ID:  1031944
SecurityTracker URL:  http://securitytracker.com/id/1031944
CVE Reference:   CVE-2014-9656, CVE-2014-9657, CVE-2014-9658, CVE-2014-9659, CVE-2014-9660, CVE-2014-9661, CVE-2014-9662, CVE-2014-9663, CVE-2014-9664, CVE-2014-9665, CVE-2014-9666, CVE-2014-9667, CVE-2014-9668, CVE-2014-9669, CVE-2014-9670, CVE-2014-9671, CVE-2014-9672, CVE-2014-9673, CVE-2014-9674, CVE-2014-9675   (Links to External Site)
Date:  Mar 19 2015
Impact:   Denial of service via network, Disclosure of system information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.5.4
Description:   Multiple vulnerabilities were reported in FreeType. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions. A remote user can bypass security features.

A remote user can create a specially crafted font file that, when loaded by the target user or application, will execute arbitrary code on the target system or cause the target application to crash. The code will run with the privileges of the target user or application.

An integer overflow may occur in the tt_sbit_decoder_load_image() function in 'sfnt/ttsbit.c' [CVE-2014-9656].

An out-of-bounds memory read may occur in the tt_face_load_hdmx() function in 'truetype/ttpload.c' [CVE-2014-9657].

An out-of-bounds memory read may occur in the tt_face_load_kern() function in 'sfnt/ttkern.c' [CVE-2014-9658].

A stack overflow may occur in the CFF CharString interpreter in 'cff/cf2intrp.c' [CVE-2014-9659]. This vulnerability is the result of an incomplete fix for the previously reported CVE-2014-2240 vulnerability [see Alert ID 1029895].

A null pointer dereference may occur in the _bdf_parse_glyphs() function in 'bdf/bdflib.c' [CVE-2014-9660].

A use-after-free memory error may occur in 'type42/t42parse.c' [CVE-2014-9661].

A heap overflow may occur in 'cff/cf2ft.c' [CVE-2014-9662].

An out-of-bounds memory read error may occur in the tt_cmap4_validate() function in 'sfnt/ttcmap.c'.

A parsing error may occur in 'type42/t42parse.c' and 'type1/t1load.c' [CVE-2014-9664].

An integer overflow or heap overflow may occur in the Load_SBit_Png function() in 'sfnt/pngshim.c' [CVE-2014-9665].

An integer overflow or out-of-bounds memory read error may occur in the tt_sbit_decoder_init() function in 'sfnt/ttsbit.c' [CVE-2014-9666].

An integer overflow or out-of-bounds memory read error may occur in the tt_sbit_decoder_init() function in 'sfnt/ttload.c' [CVE-2014-9667].

An integer overflow or heap overflow may occur in the woff_open_font function() in 'sfnt/sfobjs.c' [CVE-2014-9668].

An integer overflow may occur in 'sfnt/ttcmap.c' [CVE-2014-9669].

An integer signedness error may occur in the pcf_get_encodings() function in 'pcf/pcfread.c' [CVE-2014-9670].

An off-by-one error may occur in the pcf_get_properties() function in 'pcf/pcfread.c' [CVE-2014-9671].

An array index error may occur in the parse_fond() function in 'base/ftmac.c' [CVE-2014-9672].

A heap overflow may occur in the Mac_Read_POST_Resource() function in 'base/ftobjs.c' [CVE-2014-9673, CVE-2014-9674].

A remote user can create a specially crafted font file that, when loaded by the target user or application, will exploit a flaw in 'bdf/bdflib.c' and read heap pointer values to bypass address space layout randomization (ASLR) features [CVE-2014-9675].

Mateusz Jurczyk of Google Security Research reported these vulnerabilities.

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can cause denial of service conditions.

A remote user can bypass address space layer randomization (ALSR) protection mechanisms.

Solution:   Red Hat has issued a fix.

The Red Hat advisory is available at:

https://rhn.redhat.com/errata/RHSA-2015-0696.html

Vendor URL:  www.freetype.org/ (Links to External Site)
Cause:   Access control error, Boundary error, State error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  6, 7

Message History:   This archive entry is a follow-up to the message listed below.
Feb 8 2015 FreeType Multiple Flaws Let Remote Users Bypass Security Features, Deny Service, and Execute Arbitrary Code



 Source Message Contents

Subject:  [RHSA-2015:0696-01] Important: freetype security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: freetype security update
Advisory ID:       RHSA-2015:0696-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0696.html
Issue date:        2015-03-17
CVE Names:         CVE-2014-9657 CVE-2014-9658 CVE-2014-9660 
                   CVE-2014-9661 CVE-2014-9663 CVE-2014-9664 
                   CVE-2014-9667 CVE-2014-9669 CVE-2014-9670 
                   CVE-2014-9671 CVE-2014-9673 CVE-2014-9674 
                   CVE-2014-9675 
=====================================================================

1. Summary:

Updated freetype packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

FreeType is a free, high-quality, portable font engine that can open and
manage font files. It also loads, hints, and renders individual glyphs
efficiently.

Multiple integer overflow flaws and an integer signedness flaw, leading to
heap-based buffer overflows, were found in the way FreeType handled Mac
fonts. If a specially crafted font file was loaded by an application linked
against FreeType, it could cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application. (CVE-2014-9673, CVE-2014-9674)

Multiple flaws were found in the way FreeType handled fonts in various
formats. If a specially crafted font file was loaded by an application
linked against FreeType, it could cause the application to crash or,
possibly, disclose a portion of the application memory. (CVE-2014-9657,
CVE-2014-9658, CVE-2014-9660, CVE-2014-9661, CVE-2014-9663, CVE-2014-9664,
CVE-2014-9667, CVE-2014-9669, CVE-2014-9670, CVE-2014-9671, CVE-2014-9675)

All freetype users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The X server must be
restarted (log out, then log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1191079 - CVE-2014-9657 freetype: off-by-one buffer over-read in tt_face_load_hdmx()
1191080 - CVE-2014-9658 freetype: buffer over-read and integer underflow in tt_face_load_kern()
1191082 - CVE-2014-9660 freetype: missing ENDCHAR NULL pointer dereference in the _bdf_parse_glyphs()
1191083 - CVE-2014-9661 freetype: out of bounds read in Type42 font parser
1191085 - CVE-2014-9663 freetype: out-of-bounds read in tt_cmap4_validate()
1191086 - CVE-2014-9664 freetype: off-by-one buffer over-read in parse_charstrings() / t42_parse_charstrings()
1191090 - CVE-2014-9667 freetype: integer overflow in tt_face_load_font_dir() leading to out-of-bounds read
1191092 - CVE-2014-9669 freetype: multiple integer overflows leading to buffer over-reads in cmap handling
1191093 - CVE-2014-9670 freetype: integer overflow in pcf_get_encodings() leading to NULL pointer dereference
1191094 - CVE-2014-9671 freetype: integer overflow in pcf_get_properties() leading to NULL pointer dereference
1191096 - CVE-2014-9673 freetype: integer signedness error in Mac_Read_POST_Resource() leading to heap-based buffer overflow
1191190 - CVE-2014-9674 freetype: multiple integer overflows Mac_Read_POST_Resource() leading to heap-based buffer overflows
1191192 - CVE-2014-9675 freetype: information leak in _bdf_add_property()

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
freetype-2.3.11-15.el6_6.1.src.rpm

i386:
freetype-2.3.11-15.el6_6.1.i686.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.i686.rpm

x86_64:
freetype-2.3.11-15.el6_6.1.i686.rpm
freetype-2.3.11-15.el6_6.1.x86_64.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.i686.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
freetype-debuginfo-2.3.11-15.el6_6.1.i686.rpm
freetype-demos-2.3.11-15.el6_6.1.i686.rpm
freetype-devel-2.3.11-15.el6_6.1.i686.rpm

x86_64:
freetype-debuginfo-2.3.11-15.el6_6.1.i686.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.x86_64.rpm
freetype-demos-2.3.11-15.el6_6.1.x86_64.rpm
freetype-devel-2.3.11-15.el6_6.1.i686.rpm
freetype-devel-2.3.11-15.el6_6.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
freetype-2.3.11-15.el6_6.1.src.rpm

x86_64:
freetype-2.3.11-15.el6_6.1.i686.rpm
freetype-2.3.11-15.el6_6.1.x86_64.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.i686.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
freetype-debuginfo-2.3.11-15.el6_6.1.i686.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.x86_64.rpm
freetype-demos-2.3.11-15.el6_6.1.x86_64.rpm
freetype-devel-2.3.11-15.el6_6.1.i686.rpm
freetype-devel-2.3.11-15.el6_6.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
freetype-2.3.11-15.el6_6.1.src.rpm

i386:
freetype-2.3.11-15.el6_6.1.i686.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.i686.rpm
freetype-devel-2.3.11-15.el6_6.1.i686.rpm

ppc64:
freetype-2.3.11-15.el6_6.1.ppc.rpm
freetype-2.3.11-15.el6_6.1.ppc64.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.ppc.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.ppc64.rpm
freetype-devel-2.3.11-15.el6_6.1.ppc.rpm
freetype-devel-2.3.11-15.el6_6.1.ppc64.rpm

s390x:
freetype-2.3.11-15.el6_6.1.s390.rpm
freetype-2.3.11-15.el6_6.1.s390x.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.s390.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.s390x.rpm
freetype-devel-2.3.11-15.el6_6.1.s390.rpm
freetype-devel-2.3.11-15.el6_6.1.s390x.rpm

x86_64:
freetype-2.3.11-15.el6_6.1.i686.rpm
freetype-2.3.11-15.el6_6.1.x86_64.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.i686.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.x86_64.rpm
freetype-devel-2.3.11-15.el6_6.1.i686.rpm
freetype-devel-2.3.11-15.el6_6.1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
freetype-debuginfo-2.3.11-15.el6_6.1.i686.rpm
freetype-demos-2.3.11-15.el6_6.1.i686.rpm

ppc64:
freetype-debuginfo-2.3.11-15.el6_6.1.ppc64.rpm
freetype-demos-2.3.11-15.el6_6.1.ppc64.rpm

s390x:
freetype-debuginfo-2.3.11-15.el6_6.1.s390x.rpm
freetype-demos-2.3.11-15.el6_6.1.s390x.rpm

x86_64:
freetype-debuginfo-2.3.11-15.el6_6.1.x86_64.rpm
freetype-demos-2.3.11-15.el6_6.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
freetype-2.3.11-15.el6_6.1.src.rpm

i386:
freetype-2.3.11-15.el6_6.1.i686.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.i686.rpm
freetype-devel-2.3.11-15.el6_6.1.i686.rpm

x86_64:
freetype-2.3.11-15.el6_6.1.i686.rpm
freetype-2.3.11-15.el6_6.1.x86_64.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.i686.rpm
freetype-debuginfo-2.3.11-15.el6_6.1.x86_64.rpm
freetype-devel-2.3.11-15.el6_6.1.i686.rpm
freetype-devel-2.3.11-15.el6_6.1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
freetype-debuginfo-2.3.11-15.el6_6.1.i686.rpm
freetype-demos-2.3.11-15.el6_6.1.i686.rpm

x86_64:
freetype-debuginfo-2.3.11-15.el6_6.1.x86_64.rpm
freetype-demos-2.3.11-15.el6_6.1.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
freetype-2.4.11-10.el7_1.1.src.rpm

x86_64:
freetype-2.4.11-10.el7_1.1.i686.rpm
freetype-2.4.11-10.el7_1.1.x86_64.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.i686.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
freetype-debuginfo-2.4.11-10.el7_1.1.i686.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.x86_64.rpm
freetype-demos-2.4.11-10.el7_1.1.x86_64.rpm
freetype-devel-2.4.11-10.el7_1.1.i686.rpm
freetype-devel-2.4.11-10.el7_1.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
freetype-2.4.11-10.el7_1.1.src.rpm

x86_64:
freetype-2.4.11-10.el7_1.1.i686.rpm
freetype-2.4.11-10.el7_1.1.x86_64.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.i686.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
freetype-debuginfo-2.4.11-10.el7_1.1.i686.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.x86_64.rpm
freetype-demos-2.4.11-10.el7_1.1.x86_64.rpm
freetype-devel-2.4.11-10.el7_1.1.i686.rpm
freetype-devel-2.4.11-10.el7_1.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
freetype-2.4.11-10.el7_1.1.src.rpm

ppc64:
freetype-2.4.11-10.el7_1.1.ppc.rpm
freetype-2.4.11-10.el7_1.1.ppc64.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.ppc.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.ppc64.rpm
freetype-devel-2.4.11-10.el7_1.1.ppc.rpm
freetype-devel-2.4.11-10.el7_1.1.ppc64.rpm

s390x:
freetype-2.4.11-10.el7_1.1.s390.rpm
freetype-2.4.11-10.el7_1.1.s390x.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.s390.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.s390x.rpm
freetype-devel-2.4.11-10.el7_1.1.s390.rpm
freetype-devel-2.4.11-10.el7_1.1.s390x.rpm

x86_64:
freetype-2.4.11-10.el7_1.1.i686.rpm
freetype-2.4.11-10.el7_1.1.x86_64.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.i686.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.x86_64.rpm
freetype-devel-2.4.11-10.el7_1.1.i686.rpm
freetype-devel-2.4.11-10.el7_1.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
freetype-2.4.11-10.ael7b_1.1.src.rpm

ppc64le:
freetype-2.4.11-10.ael7b_1.1.ppc64le.rpm
freetype-debuginfo-2.4.11-10.ael7b_1.1.ppc64le.rpm
freetype-devel-2.4.11-10.ael7b_1.1.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
freetype-debuginfo-2.4.11-10.el7_1.1.ppc64.rpm
freetype-demos-2.4.11-10.el7_1.1.ppc64.rpm

s390x:
freetype-debuginfo-2.4.11-10.el7_1.1.s390x.rpm
freetype-demos-2.4.11-10.el7_1.1.s390x.rpm

x86_64:
freetype-debuginfo-2.4.11-10.el7_1.1.x86_64.rpm
freetype-demos-2.4.11-10.el7_1.1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64le:
freetype-debuginfo-2.4.11-10.ael7b_1.1.ppc64le.rpm
freetype-demos-2.4.11-10.ael7b_1.1.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
freetype-2.4.11-10.el7_1.1.src.rpm

x86_64:
freetype-2.4.11-10.el7_1.1.i686.rpm
freetype-2.4.11-10.el7_1.1.x86_64.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.i686.rpm
freetype-debuginfo-2.4.11-10.el7_1.1.x86_64.rpm
freetype-devel-2.4.11-10.el7_1.1.i686.rpm
freetype-devel-2.4.11-10.el7_1.1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
freetype-debuginfo-2.4.11-10.el7_1.1.x86_64.rpm
freetype-demos-2.4.11-10.el7_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-9657
https://access.redhat.com/security/cve/CVE-2014-9658
https://access.redhat.com/security/cve/CVE-2014-9660
https://access.redhat.com/security/cve/CVE-2014-9661
https://access.redhat.com/security/cve/CVE-2014-9663
https://access.redhat.com/security/cve/CVE-2014-9664
https://access.redhat.com/security/cve/CVE-2014-9667
https://access.redhat.com/security/cve/CVE-2014-9669
https://access.redhat.com/security/cve/CVE-2014-9670
https://access.redhat.com/security/cve/CVE-2014-9671
https://access.redhat.com/security/cve/CVE-2014-9673
https://access.redhat.com/security/cve/CVE-2014-9674
https://access.redhat.com/security/cve/CVE-2014-9675
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVCQSFXlSAg2UNWIIRAi09AKCi+NdbNftG8xgFCLHnIYGfonayfwCfbP5t
ZzKu+VCPF8dY67ybuIOxMyk=
=d2k2
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC