https://bugzilla.redhat.com/show_bug.cgi?id=1191190
Tomas Hoger <[email protected]> changed:

Priority:
  Removed: medium
  Added:   high

Summary:
  Removed: CVE-2014-9674 freetype: integer overflow and heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c
  Added:   CVE-2014-9674 freetype: multiple integer overflows in Mac_Read_POST_Resource() leading to heap-based buffer overflows

Whiteboard:
  Removed: impact=moderate,public=20150208,reported=20150209,source=suse,cvss2=3.7/AV:L/AC:H/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected,rhel-5/freetype=new,rhel-6/freetype=new,rhel-7/freetype=new
  Added:   impact=important,public=20150208,reported=20150209,source=suse,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-190->CWE-122,rhel-4/freetype=wontfix,rhel-5/freetype=affected,rhel-6/freetype=affected,rhel-7/freetype=affected,rhev-m-3/mingw-virt-viewer=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected

Severity:
  Removed: medium
  Added:   high

--- Comment #4 from Tomas Hoger <[email protected]> ---

(Private) upstream bug:
https://savannah.nongnu.org/bugs/?43538

Issue was fixed upstream in 2.5.4.

There are multiple integer overflow issues in the Mac_Read_POST_Resource() function. They can cause freetype to allocate a buffer of insufficient size and later write data past its boundaries. This will lead to memory corruption that can cause a crash and possibly code execution. These flaws make it possible to bypass the boundary check added to address CVE-2010-2808 (see bug 621907).
This is related to the issue tracked via bug 1191096, and the following patches were applied to address the problems reported via these two bugs:

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=240c94a
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=35252ae
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=4533167
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=1720e81
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cd4a5a2

Unified diff for all the above changes:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/diff/src/base/ftobjs.c?id2=5aff853&id=cd4a5a2

_______________________________________________
fonts-bugs mailing list
https://admin.fedoraproject.org/mailman/listinfo/fonts-bugs
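The comment above describes the bug class behind this CVE (CWE-190 leading to CWE-122): attacker-controlled chunk lengths are summed in a fixed-width integer, a buffer is allocated from the wrapped sum, and the full payload is then copied into it. The C program below is an added illustration written for this page; it is not FreeType's code and does not reproduce any of the linked commits. It models a reader for length-prefixed resource chunks, shows the unchecked size accumulation beside an overflow-checked one, and validates every declared length against the bytes actually remaining in the input before allocating. The big-endian 4-byte chunk length, the PFB-style 6-byte output segment header, and the sample inputs are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified model (not FreeType's code) of "read N
 * length-prefixed chunks from a file and concatenate them into one heap
 * buffer". Input chunk = 4-byte big-endian length + payload. Each payload
 * is written out behind a PFB-style 6-byte segment header (assumption). */
#define SEG_HDR_LEN 6u

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked size computation: the CWE-190 pattern. A declared length near
 * 4 GiB wraps the 32-bit sum, so a caller would allocate a tiny buffer and
 * then copy the real payload into it (CWE-122). */
uint32_t total_size_unchecked(const uint32_t *lens, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += lens[i] + SEG_HDR_LEN;          /* silently wraps */
    return total;
}

/* Checked size computation: test each addition before performing it and
 * report failure instead of wrapping. */
bool total_size_checked(const uint32_t *lens, size_t n, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > UINT32_MAX - SEG_HDR_LEN) return false;
        uint32_t with_hdr = lens[i] + SEG_HDR_LEN;
        if (with_hdr > UINT32_MAX - total) return false;
        total += with_hdr;
    }
    *out = total;
    return true;
}

/* Two-pass reader. Pass 1 checks every declared length against the bytes
 * remaining in the input and accumulates the output size without overflow;
 * pass 2 allocates exactly that much and copies, re-checking free space
 * before each write. Returns the buffer (caller frees) and its length, or
 * NULL for any malformed input. */
uint8_t *assemble_chunks(const uint8_t *in, size_t in_len, uint32_t *out_len) {
    size_t pos = 0;
    uint32_t total = 0;
    while (pos < in_len) {                        /* pass 1: validate, size */
        if (in_len - pos < 4) return NULL;        /* truncated length field */
        uint32_t len = rd_be32(in + pos);
        pos += 4;
        if (len > in_len - pos) return NULL;      /* claims more than exists */
        if (len > UINT32_MAX - SEG_HDR_LEN ||
            len + SEG_HDR_LEN > UINT32_MAX - total) return NULL;
        total += len + SEG_HDR_LEN;
        pos += len;
    }
    uint8_t *out = malloc(total ? total : 1);
    if (!out) return NULL;
    size_t opos = 0;
    pos = 0;
    while (pos < in_len) {                        /* pass 2: copy */
        uint32_t len = rd_be32(in + pos);
        pos += 4;
        /* Re-check against the allocation so a future change to pass 1
         * fails loudly here instead of becoming a heap overflow. */
        if (SEG_HDR_LEN > total - opos || len > total - opos - SEG_HDR_LEN) {
            free(out);
            return NULL;
        }
        out[opos++] = 0x80; out[opos++] = 0x02;  /* binary segment marker */
        out[opos++] = (uint8_t)len;        out[opos++] = (uint8_t)(len >> 8);
        out[opos++] = (uint8_t)(len >> 16); out[opos++] = (uint8_t)(len >> 24);
        memcpy(out + opos, in + pos, len);
        opos += len;
        pos += len;
    }
    *out_len = total;
    return out;
}

/* Constructed sample inputs. */
const uint8_t SAMPLE_OK[]  = { 0,0,0,3,'a','b','c', 0,0,0,2,'d','e' };
const uint8_t SAMPLE_BAD[] = { 0xFF,0xFF,0xFF,0xF0,'x','y' }; /* claims ~4 GiB */
const uint32_t HOSTILE_LENS[2] = { 0xFFFFFFF0u, 0x20u };

bool sample_ok_roundtrip(void) {
    uint32_t n = 0;
    uint8_t *b = assemble_chunks(SAMPLE_OK, sizeof SAMPLE_OK, &n);
    bool good = b && n == 17 && b[0] == 0x80 && b[1] == 0x02 && b[2] == 3 &&
                memcmp(b + 6, "abc", 3) == 0 && b[9] == 0x80 && b[11] == 2 &&
                memcmp(b + 15, "de", 2) == 0;
    free(b);
    return good;
}

bool sample_bad_rejected(void) {
    uint32_t n = 0;
    return assemble_chunks(SAMPLE_BAD, sizeof SAMPLE_BAD, &n) == NULL;
}

int main(void) {
    uint32_t t = 0;
    printf("unchecked sum of hostile lengths: %u bytes\n",
           total_size_unchecked(HOSTILE_LENS, 2));
    printf("checked sum accepted: %s\n",
           total_size_checked(HOSTILE_LENS, 2, &t) ? "yes" : "no");
    printf("benign sample assembled: %s\n", sample_ok_roundtrip() ? "yes" : "no");
    printf("hostile sample rejected: %s\n", sample_bad_rejected() ? "yes" : "no");
    return 0;
}
```

The two defenses are independent on purpose: the per-chunk `len > in_len - pos` test rejects a file that declares more bytes than it carries, and the overflow-checked accumulation keeps the allocation size honest even for inputs that pass the first test. Both checks are performed before any memory is allocated, which is the property that makes the bypass described in the comment impossible in this model.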
