Bug 38465

Summary: freetype: Multiple issues (4.0)
Product: UCS
Reporter: Janek Walkenhorst <walkenhorst>
Component: Security updates
Assignee: Security maintainers <security-maintainers>
Status: CLOSED WONTFIX
Severity: normal
Priority: P3
CC: gohmann, jmm, requate
Version: UCS 4.0
Flags: requate: Patch_Available+
Target Milestone: UCS 4.0-x-errata
Hardware: Other
OS: Linux
Bug Depends on: 37757    
Bug Blocks: 40548    

Description Janek Walkenhorst univentionstaff 2015-05-06 16:32:54 CEST
Multiple bugs in processing font files allow denial of service or the execution of arbitrary code:

CVE-2014-9674:

The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.
Comment 1 Arvid Requate univentionstaff 2015-10-15 15:06:26 CEST
Debian package version 2.4.9-1.1+deb7u2 fixes:

* remote denial of service (infinite loop) via a "broken number-with-base" in a Postscript stream (CVE-2014-9745)
* use of uninitialized data (CVE-2014-9746)
* t42parse.c vulnerability (CVE-2014-9747)
Comment 2 Arvid Requate univentionstaff 2016-02-01 11:50:35 CET
Debian package version 2.4.9-1.1+deb7u3 fixes CVE-2014-9674.
Comment 3 Arvid Requate univentionstaff 2016-06-01 19:11:02 CEST
UCS 4.0 is out of maintenance. See Blocks field for the UCS 4.1 specific bug.