OracleVM 3.3 : freetype (OVMSA-2015-0036)

High Nessus Plugin ID 81967


The remote OracleVM host is missing a security update.


The remote OracleVM system is missing necessary patches to address critical security updates:

- Fixes (CVE-2014-9657)

- Check minimum size of `record_size'.

- Fixes (CVE-2014-9658)

- Use correct value for minimum table length test.

- Fixes (CVE-2014-9675)

- New macro that checks one character more than `strncmp'.

- Fixes (CVE-2014-9660)

- Check `_BDF_GLYPH_BITS'.

- Fixes (CVE-2014-9661)

- Initialize `face->ttf_size'.

- Always set `face->ttf_size' directly.

- Exclusively use the `truetype' font driver for loading the font contained in the `sfnts' array.

- Fixes (CVE-2014-9663)

- Fix order of validity tests.

- Fixes (CVE-2014-9664)

- Add another boundary testing.

- Fix boundary testing.

- Fixes (CVE-2014-9667)

- Protect against addition overflow.

- Fixes (CVE-2014-9669)

- Protect against overflow in additions and multiplications.

- Fixes (CVE-2014-9670)

- Add sanity checks for row and column values.

- Fixes (CVE-2014-9671)

- Check `size' and `offset' values.

- Fixes (CVE-2014-9673)

- Fix integer overflow by a broken POST table in resource-fork.

- Fixes (CVE-2014-9674)

- Fix integer overflow by a broken POST table in resource-fork.

- Additional overflow check in the summation of POST fragment lengths.

- Work around behaviour of X11's `pcfWriteFont' and `pcfReadFont' functions

- Resolves: #1197737

- Fix (CVE-2012-5669) (Use correct array size for checking `glyph_enc')

- Resolves: #903543


Update the affected freetype package.

Plugin Details

Severity: High

ID: 81967

File Name: oraclevm_OVMSA-2015-0036.nasl

Version: $Revision: 1.4 $

Type: local

Published: 2015/03/20

Modified: 2017/02/14

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:freetype, cpe:/o:oracle:vm_server:3.3

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2015/03/19

Reference Information

CVE: CVE-2012-5669, CVE-2014-9657, CVE-2014-9658, CVE-2014-9660, CVE-2014-9661, CVE-2014-9663, CVE-2014-9664, CVE-2014-9667, CVE-2014-9669, CVE-2014-9670, CVE-2014-9671, CVE-2014-9673, CVE-2014-9674, CVE-2014-9675

BID: 57041, 72986

OSVDB: 88819, 114332, 114333, 114354, 114619, 114621, 114961, 114962, 114964, 114965, 115073, 115075, 115098