https://bugzilla.redhat.com/show_bug.cgi?id=1191085
Tomas Hoger <[email protected]> changed:

Priority
  Removed: medium
  Added:   low

Fixed In Version
  Removed:
  Added:   freetype 2.5.4

Summary
  Removed: CVE-2014-9663 freetype: out-of-bounds read in the tt_cmap4_validate function in sfnt/ttcmap.c
  Added:   CVE-2014-9663 freetype: out-of-bounds read in tt_cmap4_validate()

Whiteboard
  Removed: impact=moderate,public=20141124,reported=20150210,source=cve,cvss2=3.7/AV:L/AC:H/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected,rhel-5/freetype=new,rhel-6/freetype=new,rhel-7/freetype=new
  Added:   impact=low,public=20141124,reported=20150210,source=cve,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P,cwe=CWE-125,rhel-4/freetype=wontfix,rhel-5/freetype=wontfix,rhel-6/freetype=affected,rhel-7/freetype=affected,rhev-m-3/mingw-virt-viewer=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected

Severity
  Removed: medium
  Added:   low

--- Comment #4 from Tomas Hoger <[email protected]> ---
Upstream bug is:
https://savannah.nongnu.org/bugs/?43656

Issue was fixed upstream in 2.5.4.

This is a very limited buffer over-read. Two bytes are read from at most the 7th and 8th byte after the end of the buffer. After that, another check is reached that detects the problem. This is rather unlikely to cause a crash.

Issue is caused by a misplaced check to ensure enough input is still available for further parsing. After the check, the length variable indicating remaining input size is decremented to the size of the actually available data.
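
Added example, not FreeType's code and not part of the comment above: a simplified length-prefixed table validator showing the misplaced-check ordering the comment describes next to the corrected ordering. The table layout (16-byte minimum header, 16-bit field at offset 6), the function names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MIN_TABLE 16 /* assumed minimum size of the fixed header */
#define FIELD_OFF 6  /* assumed offset of a 16-bit header field  */

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* How many bytes of the 2-byte read at FIELD_OFF lie past `avail`. */
static size_t bytes_past_end(size_t avail) {
    size_t end = FIELD_OFF + 2;
    if (end <= avail) return 0;
    return (end - avail > 2) ? 2 : end - avail;
}

/* Misplaced check: the minimum size is tested against the length declared
   in the file, and only afterwards is that length clamped to what exists.
   Returns 0 = accepted, -1 = rejected; *past = bytes read beyond avail.
   Caller guarantees avail >= 4 and a backing buffer of >= 8 bytes. */
static int validate_misplaced(const uint8_t *t, size_t avail, size_t *past) {
    size_t length = be16(t + 2);           /* declared length, untrusted  */
    if (length < MIN_TABLE) { *past = 0; return -1; }
    if (length > avail) length = avail;    /* clamp arrives too late      */
    *past = bytes_past_end(avail);
    (void)be16(t + FIELD_OFF);             /* read may be past the input  */
    return (FIELD_OFF + 2 > length) ? -1 : 0; /* later check catches it   */
}

/* Corrected ordering: clamp first, then enforce the minimum size. */
static int validate_fixed(const uint8_t *t, size_t avail, size_t *past) {
    size_t length = be16(t + 2);
    *past = 0;
    if (length > avail) length = avail;
    if (length < MIN_TABLE) return -1;     /* rejected before any read    */
    (void)be16(t + FIELD_OFF);
    return 0;
}

/* Constructed sample: declares 32 bytes, but only the first 4 are "input".
   The array is 16 bytes so the demonstration itself stays in bounds. */
static const uint8_t truncated[16] = { 0x00, 0x04, 0x00, 0x20 };

int main(void) {
    size_t past;
    int rc = validate_misplaced(truncated, 4, &past);
    printf("misplaced: rc=%d, bytes past end=%zu\n", rc, past);
    rc = validate_fixed(truncated, 4, &past);
    printf("fixed:     rc=%d, bytes past end=%zu\n", rc, past);
    return 0;
}
```

Both orderings reject the truncated table; the difference is that the misplaced check does so only after two bytes beyond the logical end of the input have been read.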
