Ubuntu 14.04 LTS : fontforge vulnerabilities (USN-3409-1)

Ubuntu Security Notice (C) 2017 Canonical, Inc. / NASL script (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related
patches.

Description :

It was discovered that FontForge was vulnerable to a heap-based buffer
over-read. A remote attacker could use a crafted file to DoS or
execute arbitrary code. (CVE-2017-11568, CVE-2017-11569,
CVE-2017-11572)

It was discovered that FontForge was vulnerable to a stack-based
buffer overflow. A remote attacker could use a crafted file to DoS or
execute arbitrary code. (CVE-2017-11571)

It was discovered that FontForge was vulnerable to a heap-based buffer
overflow. A remote attacker could use a crafted file to DoS or execute
arbitrary code. (CVE-2017-11574)

It was discovered that FontForge was vulnerable to a buffer over-read.
A remote attacker could use a crafted file to DoS or execute arbitrary
code. (CVE-2017-11575, CVE-2017-11577)

It was discovered that FontForge wasn't correctly checking the sign of
a vector size. A remote attacker could use a crafted file to DoS.
(CVE-2017-11576).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected fontforge and / or fontforge-common packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.1
(CVSS2#E:POC/RL:U/RC:ND)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 102957 ()

Bugtraq ID:

CVE ID: CVE-2017-11568
CVE-2017-11569
CVE-2017-11571
CVE-2017-11572
CVE-2017-11574
CVE-2017-11575
CVE-2017-11576
CVE-2017-11577

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now