Bug 40548

Summary: freetype: Multiple issues (4.1)
Product: UCS Reporter: Arvid Requate <requate>
Component: Security updatesAssignee: Arvid Requate <requate>
Status: CLOSED FIXED QA Contact: Janek Walkenhorst <walkenhorst>
Severity: normal    
Priority: P3 CC: gohmann, jmm, requate, walkenhorst
Version: UCS 4.1Flags: requate: Patch_Available+
Target Milestone: UCS 4.1-4-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional): Security
Max CVSS v3 score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Bug Depends on: 38465    
Bug Blocks:    

Description Arvid Requate univentionstaff 2016-02-01 11:52:55 CET 
Multiple bugs in processing font files allow denial of service or the execution of arbitrary code:

Debian package version 2.4.9-1.1+deb7u2 fixes:

* remote denial of service (infinite loop) via a "broken number-with-base" in a Postscript stream (CVE-2014-9745)
* use of uninitialized data (CVE-2014-9746)
* t42parse.c vulnerability (CVE-2014-9747)

Debian package version 2.4.9-1.1+deb7u3 fixes

* The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font (CVE-2014-9674)
Comment 1 Arvid Requate univentionstaff 2017-03-07 13:55:48 CET 
Upstream Debian package version 2.4.9-1.1+deb7u4 fixes this issue:

* The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file. (CVE-2016-10244)
Comment 2 Arvid Requate univentionstaff 2017-03-07 13:56:43 CET 
Imported and built. Advisory: freetype.yaml
Comment 3 Janek Walkenhorst univentionstaff 2017-04-13 11:51:19 CEST 
Tests (amd64): OK
Advisory: OK
Comment 4 Arvid Requate univentionstaff 2017-04-18 14:14:41 CEST 
Upstream Debian package version 2.4.9-1.1+deb7u5 additionally fixes:

* out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c. (CVE-2016-10328)

Package imported and built, advisory updated.
Comment 5 Janek Walkenhorst univentionstaff 2017-05-04 11:45:18 CEST 
Tests (amd64): OK
Advisory: OK
Comment 6 Janek Walkenhorst univentionstaff 2017-05-10 15:38:51 CEST 
<http://errata.software-univention.de/ucs/4.1/416.html>