OracleVM 3.3 : freetype (OVMSA-2015-0036)

High Nessus Plugin ID 81967

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 6.7


The remote OracleVM host is missing a security update.


The remote OracleVM system is missing necessary patches to address critical security updates :

- Fixes (CVE-2014-9657)

- Check minimum size of `record_size'.

- Fixes (CVE-2014-9658)

- Use correct value for minimum table length test.

- Fixes (CVE-2014-9675)

- New macro that checks one character more than `strncmp'.

- Fixes (CVE-2014-9660)

- Check `_BDF_GLYPH_BITS'.

- Fixes (CVE-2014-9661)

- Initialize `face->ttf_size'.

- Always set `face->ttf_size' directly.

- Exclusively use the `truetype' font driver for loading the font contained in the `sfnts' array.

- Fixes (CVE-2014-9663)

- Fix order of validity tests.

- Fixes (CVE-2014-9664)

- Add another boundary testing.

- Fix boundary testing.

- Fixes (CVE-2014-9667)

- Protect against addition overflow.

- Fixes (CVE-2014-9669)

- Protect against overflow in additions and multiplications.

- Fixes (CVE-2014-9670)

- Add sanity checks for row and column values.

- Fixes (CVE-2014-9671)

- Check `size' and `offset' values.

- Fixes (CVE-2014-9673)

- Fix integer overflow by a broken POST table in resource-fork.

- Fixes (CVE-2014-9674)

- Fix integer overflow by a broken POST table in resource-fork.

- Additional overflow check in the summation of POST fragment lengths.

- Work around behaviour of X11's `pcfWriteFont' and `pcfReadFont' functions

- Resolves: #1197737

- Fix (CVE-2012-5669) (Use correct array size for checking `glyph_enc')

- Resolves: #903543


Update the affected freetype package.

See Also

Plugin Details

Severity: High

ID: 81967

File Name: oraclevm_OVMSA-2015-0036.nasl

Version: 1.6

Type: local

Published: 2015/03/20

Updated: 2019/09/27

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:freetype, cpe:/o:oracle:vm_server:3.3

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2015/03/19

Vulnerability Publication Date: 2013/01/24

Reference Information

CVE: CVE-2012-5669, CVE-2014-9657, CVE-2014-9658, CVE-2014-9660, CVE-2014-9661, CVE-2014-9663, CVE-2014-9664, CVE-2014-9667, CVE-2014-9669, CVE-2014-9670, CVE-2014-9671, CVE-2014-9673, CVE-2014-9674, CVE-2014-9675

BID: 57041, 72986