http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/type42/t42parse.c?id=8b281f83e8516535756f92dbf90940ac44bd45e1

DSA-3370

[oss-security] 20150911 CVE Request: 2 FreeType issues

[oss-security] 20150925 Re: CVE Request: 2 FreeType issues

https://savannah.nongnu.org/bugs/?41309

According to the versions of the freetype package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The t42_parse_encoding function in type42/t42parse.c in     FreeType before 2.5.4 does not properly update the     current position for immediates-only mode, which allows     remote attackers to cause a denial of service (infinite     loop) via a Type42 font.(CVE-2014-9747)

  - FreeType before 2.6.2 has a heap-based buffer over-read     in tt_cmap14_validate in sfnt/ttcmap.c.(CVE-2015-9383)

  - FreeType before 2.6.1 has a buffer over-read in     skip_comment in psaux/psobjs.c because     ps_parser_skip_PS_token is mishandled in an     FT_New_Memory_Face operation.(CVE-2015-9382)

  - FreeType before 2.6.1 has a heap-based buffer over-read     in T1_Get_Private_Dict in     type1/t1parse.c.(CVE-2015-9381)

  - In FreeType before 2.6.1, a buffer over-read occurs in     type1/t1parse.c on function T1_Get_Private_Dict where     there is no check that the new values of cur and limit     are sensible before going to Again.(CVE-2015-9290)

  - The parse_encoding function in type1/t1load.c in     FreeType before 2.5.3 allows remote attackers to cause     a denial of service (infinite loop) via a 'broken     number-with-base' in a Postscript stream, as     demonstrated by 8#garbage.(CVE-2014-9745)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the freetype package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The FreeType engine is a free and portable font     rendering engine, developed to provide advanced font     support for a variety of platforms and environments.
    FreeType is a library which can open and manages font     files as well as efficiently load, hint and render     individual glyphs. FreeType is not a font server or a     complete text-rendering library. Security Fix(es):The     t42_parse_encoding function in type42/t42parse.c in     FreeType before 2.5.4 does not properly update the     current position for immediates-only mode, which allows     remote attackers to cause a denial of service (infinite     loop) via a Type42 font.(CVE-2014-9747)In Sudo before     1.8.28, an attacker with access to a Runas ALL sudoer     account can bypass certain policy blacklists and     session PAM modules, and can cause incorrect logging,     by invoking sudo with a crafted user ID. For example,     this allows bypass of !root configuration, and USER=     logging, for a 'sudo -u \#$((0xffffffff))'     command.(CVE-2015-9383)FreeType before 2.6.1 has a     buffer over-read in skip_comment in psaux/psobjs.c     because ps_parser_skip_PS_token is mishandled in an     FT_New_Memory_Face operation.(CVE-2015-9382)FreeType     before 2.6.1 has a heap-based buffer over-read in     T1_Get_Private_Dict in     type1/t1parse.c.(CVE-2015-9381)In FreeType before     2.6.1, a buffer over-read occurs in type1/t1parse.c on     function T1_Get_Private_Dict where there is no check     that the new values of cur and limit are sensible     before going to Again.(CVE-2015-9290)The parse_encoding     function in type1/t1load.c in FreeType before 2.5.3     allows remote attackers to cause a denial of service     (infinite loop) via a 'broken number-with-base' in a     Postscript stream, as demonstrated by     8#garbage.(CVE-2014-9745)The parse_charstrings function     in type1/t1load.c in FreeType 2 before 2.7 does not     ensure that a font contains a glyph name, which allows     remote attackers to cause a denial of service     (heap-based buffer over-read) or possibly have     unspecified other impact via a crafted     file.(CVE-2016-10244)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the freetype packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The parse_encoding function in type1/t1load.c in     FreeType before 2.5.3 allows remote attackers to cause     a denial of service (infinite loop) via a 'broken     number-with-base' in a Postscript stream, as     demonstrated by 8#garbage.(CVE-2014-9745)

  - The t42_parse_encoding function in type42/t42parse.c in     FreeType before 2.5.4 does not properly update the     current position for immediates-only mode, which allows     remote attackers to cause a denial of service (infinite     loop) via a Type42 font.(CVE-2014-9747)

  - FreeType before 2.6.1 has a heap-based buffer over-read     in T1_Get_Private_Dict in     type1/t1parse.c.(CVE-2015-9381)

  - FreeType before 2.6.1 has a buffer over-read in     skip_comment in psaux/psobjs.c because     ps_parser_skip_PS_token is mishandled in an     FT_New_Memory_Face operation.(CVE-2015-9382)

  - FreeType before 2.6.2 has a heap-based buffer over-read     in tt_cmap14_validate in sfnt/ttcmap.c.(CVE-2015-9383)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the freetype packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The parse_encoding function in type1/t1load.c in     FreeType before 2.5.3 allows remote attackers to cause     a denial of service (infinite loop) via a 'broken     number-with-base' in a Postscript stream, as     demonstrated by 8#garbage.(CVE-2014-9745)

  - The t42_parse_encoding function in type42/t42parse.c in     FreeType before 2.5.4 does not properly update the     current position for immediates-only mode, which allows     remote attackers to cause a denial of service (infinite     loop) via a Type42 font.(CVE-2014-9747)

  - FreeType before 2.6.1 has a buffer over-read in     skip_comment in psaux/psobjs.c because     ps_parser_skip_PS_token is mishandled in an     FT_New_Memory_Face operation.(CVE-2015-9382)

  - FreeType before 2.6.2 has a heap-based buffer over-read     in tt_cmap14_validate in sfnt/ttcmap.c.(CVE-2015-9383)

  - FreeType before 2.6.1 has a heap-based buffer over-read     in T1_Get_Private_Dict in     type1/t1parse.c.(CVE-2015-9381)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the freetype packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The t42_parse_encoding function in type42/t42parse.c in     FreeType before 2.5.4 does not properly update the     current position for immediates-only mode, which allows     remote attackers to cause a denial of service (infinite     loop) via a Type42 font.(CVE-2014-9747)

  - The parse_encoding function in type1/t1load.c in     FreeType before 2.5.3 allows remote attackers to cause     a denial of service (infinite loop) via a 'broken     number-with-base' in a Postscript stream, as     demonstrated by 8#garbage.(CVE-2014-9745)

  - In FreeType before 2.6.1, a buffer over-read occurs in     type1/t1parse.c on function T1_Get_Private_Dict where     there is no check that the new values of cur and limit     are sensible before going to Again.(CVE-2015-9290)

  - FreeType before 2.6.1 has a heap-based buffer over-read     in T1_Get_Private_Dict in     type1/t1parse.c.(CVE-2015-9381)

  - FreeType before 2.6.1 has a buffer over-read in     skip_comment in psaux/psobjs.c because     ps_parser_skip_PS_token is mishandled in an     FT_New_Memory_Face operation.(CVE-2015-9382)

  - FreeType before 2.6.2 has a heap-based buffer over-read     in tt_cmap14_validate in sfnt/ttcmap.c.(CVE-2015-9383)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update of the freetype2 library fixes two security issues :

  - An infinite loop in parse_encoding in t1load.c     (CVE-2014-9745, bsc#945849)

  - Use of uninitialized memory in ps_parser_load_field,     t42_parse_font_matrix and t1_parse_font_matrix     (CVE-2014-9747, bsc#947966)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update of the freetype2 library fixes two security issues.

These security issues were fixed :

  - CVE-2014-9745: Infinite loop in parse_encoding in     t1load.c (bsc#945849)

  - CVE-2014-9747: Use of uninitialized memory in     ps_parser_load_field, t42_parse_font_matrix and     t1_parse_font_matrix (bsc#947966)

It was discovered that FreeType did not properly handle some malformed inputs. This could allow remote attackers to cause a denial of service (crash) via crafted font files.

Sergey Gorbaty reported issues related to the FreeType font engine.
FreeType improperly handled certain malformed font files, allowing remote attackers to cause a Denial of Service when specially crafted font files were used.

For Debian 6 'Squeeze', these issues have been fixed in freetype version 2.4.2-2.1+squeeze6. We recommend you to upgrade your freetype packages.

Learn more about the Debian Long Term Support (LTS) Project and how to apply these updates at: https://wiki.debian.org/LTS/

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
135653	EulerOS Virtualization 3.0.2.2 : freetype (EulerOS-SA-2020-1491)	Nessus	Huawei Local Security Checks	critical
134513	EulerOS Virtualization for ARM 64 3.0.2.0 : freetype (EulerOS-SA-2020-1224)	Nessus	Huawei Local Security Checks	critical
132298	EulerOS 2.0 SP3 : freetype (EulerOS-SA-2019-2581)	Nessus	Huawei Local Security Checks	high
131667	EulerOS 2.0 SP2 : freetype (EulerOS-SA-2019-2514)	Nessus	Huawei Local Security Checks	high
130857	EulerOS 2.0 SP5 : freetype (EulerOS-SA-2019-2148)	Nessus	Huawei Local Security Checks	critical
90758	SUSE SLES11 Security Update : freetype2 (SUSE-SU-2016:1149-1)	Nessus	SuSE Local Security Checks	high
86336	openSUSE Security Update : freetype2 (openSUSE-2015-639)	Nessus	SuSE Local Security Checks	high
86304	Debian DSA-3370-1 : freetype - security update	Nessus	Debian Local Security Checks	critical
86211	Debian DLA-319-1 : freetype security update	Nessus	Debian Local Security Checks	critical

CVE-2014-9747

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

high

high

critical

high

high

critical

critical