SUSE-SU-2015:0455-1: moderate: Security update for freetype2

Tue Mar 10 08:05:40 MDT 2015

   SUSE Security Update: Security update for freetype2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0455-1
Rating:             moderate
References:         #916847 #916856 #916857 #916858 #916859 #916860 
                    #916861 #916862 #916863 #916864 #916865 #916867 
                    #916868 #916870 #916871 #916872 #916873 #916874 
                    #916879 #916881 
Cross-References:   CVE-2014-2240 CVE-2014-9656 CVE-2014-9657
                    CVE-2014-9658 CVE-2014-9659 CVE-2014-9660
                    CVE-2014-9661 CVE-2014-9662 CVE-2014-9663
                    CVE-2014-9664 CVE-2014-9665 CVE-2014-9666
                    CVE-2014-9667 CVE-2014-9668 CVE-2014-9669
                    CVE-2014-9670 CVE-2014-9671 CVE-2014-9672
                    CVE-2014-9673 CVE-2014-9674 CVE-2014-9675

Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 21 vulnerabilities is now available.

Description:

   freetype2 was updated to fix 20 security issues.

   These security issues were fixed:
   - CVE-2014-9663: The tt_cmap4_validate function in sfnt/ttcmap.c in
     FreeType before 2.5.4 validates a certain length field before that
     field's value is completely calculated, which allowed remote attackers
     to cause a denial of service (out-of-bounds read) or possibly have
     unspecified other impact via a crafted cmap SFNT table (bnc#916865).
   - CVE-2014-9662: cff/cf2ft.c in FreeType before 2.5.4 did not validate the
     return values of point-allocation functions, which allowed remote
     attackers to cause a denial of service (heap-based buffer overflow) or
     possibly have unspecified other impact via a crafted OTF font
     (bnc#916860).
   - CVE-2014-9661: type42/t42parse.c in FreeType before 2.5.4 did not
     consider that scanning can be incomplete without triggering an error,
     which allowed remote attackers to cause a denial of service
     (use-after-free) or possibly have unspecified other impact via a crafted
     Type42 font (bnc#916859).
   - CVE-2014-9660: The _bdf_parse_glyphs function in bdf/bdflib.c in
     FreeType before 2.5.4 did not properly handle a missing ENDCHAR record,
     which allowed remote attackers to cause a denial of service (NULL
     pointer dereference) or possibly have unspecified other impact via a
     crafted BDF font (bnc#916858).
   - CVE-2014-9667: sfnt/ttload.c in FreeType before 2.5.4 proceeds with
     offset+length calculations without restricting the values, which allowed
     remote attackers to cause a denial of service (integer overflow and
     out-of-bounds read) or possibly have unspecified other impact via a
     crafted SFNT table (bnc#916861).
   - CVE-2014-9666: The tt_sbit_decoder_init function in sfnt/ttsbit.c in
     FreeType before 2.5.4 proceeds with a count-to-size association without
     restricting the count value, which allowed remote attackers to cause a
     denial of service (integer overflow and out-of-bounds read) or possibly
     have unspecified other impact via a crafted embedded bitmap (bnc#916862).
   - CVE-2014-9665: The Load_SBit_Png function in sfnt/pngshim.c in FreeType
     before 2.5.4 did not restrict the rows and pitch values of PNG data,
     which allowed remote attackers to cause a denial of service (integer
     overflow and heap-based buffer overflow) or possibly have unspecified
     other impact by embedding a PNG file in a .ttf font file (bnc#916863).
   - CVE-2014-9664: FreeType before 2.5.4 did not check for the end of the
     data during certain parsing actions, which allowed remote attackers to
     cause a denial of service (out-of-bounds read) or possibly have
     unspecified other impact via a crafted Type42 font, related to
     type42/t42parse.c and type1/t1load.c (bnc#916864).
   - CVE-2014-9669: Multiple integer overflows in sfnt/ttcmap.c in FreeType
     before 2.5.4 allowed remote attackers to cause a denial of service
     (out-of-bounds read or memory corruption) or possibly have unspecified
     other impact via a crafted cmap SFNT table (bnc#916870).
   - CVE-2014-9668: The woff_open_font function in sfnt/sfobjs.c in FreeType
     before 2.5.4 proceeds with offset+length calculations without
     restricting length values, which allowed remote attackers to cause a
     denial of service (integer overflow and heap-based buffer overflow) or
     possibly have unspecified other impact via a crafted Web Open Font
     Format (WOFF) file (bnc#916868).
   - CVE-2014-9656: The tt_sbit_decoder_load_image function in sfnt/ttsbit.c
     in FreeType before 2.5.4 did not properly check for an integer overflow,
     which allowed remote attackers to cause a denial of service
     (out-of-bounds read) or possibly have unspecified other impact via a
     crafted OpenType font (bnc#916847).
   - CVE-2014-9658: The tt_face_load_kern function in sfnt/ttkern.c in
     FreeType before 2.5.4 enforces an incorrect minimum table length, which
     allowed remote attackers to cause a denial of service (out-of-bounds
     read) or possibly have unspecified other impact via a crafted TrueType
     font (bnc#916857).
   - CVE-2014-9659: cff/cf2intrp.c in the CFF CharString interpreter in
     FreeType before 2.5.4 proceeds with additional hints after the hint mask
     has been computed, which allowed remote attackers to execute arbitrary
     code or cause a denial of service (stack-based buffer overflow) via a
     crafted OpenType font.  NOTE: this vulnerability exists because of an
     incomplete fix for CVE-2014-2240 (bnc#916867).
   - CVE-2014-9674: The Mac_Read_POST_Resource function in base/ftobjs.c in
     FreeType before 2.5.4 proceeds with adding to length values without
     validating the original values, which allowed remote attackers to cause
     a denial of service (integer overflow and heap-based buffer overflow) or
     possibly have unspecified other impact via a crafted Mac font
     (bnc#916879).
   - CVE-2014-9675: bdf/bdflib.c in FreeType before 2.5.4 identifies property
     names by only verifying that an initial substring is present, which
     allowed remote attackers to discover heap pointer values and bypass the
     ASLR protection mechanism via a crafted BDF font (bnc#916881).
   - CVE-2014-9657: The tt_face_load_hdmx function in truetype/ttpload.c in
     FreeType before 2.5.4 did not establish a minimum record size, which
     allowed remote attackers to cause a denial of service (out-of-bounds
     read) or possibly have unspecified other impact via a crafted TrueType
     font (bnc#916856).
   - CVE-2014-9670: Multiple integer signedness errors in the
     pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4
     allowed remote attackers to cause a denial of service (integer overflow,
     NULL pointer dereference, and application crash) via a crafted PCF file
     that specifies negative values for the first column and first row
     (bnc#916871).
   - CVE-2014-9671: Off-by-one error in the pcf_get_properties function in
     pcf/pcfread.c in FreeType before 2.5.4 allowed remote attackers to cause
     a denial of service (NULL pointer dereference and application crash) via
     a crafted PCF file with a 0xffffffff size value that is improperly
     incremented (bnc#916872).
   - CVE-2014-9672: Array index error in the parse_fond function in
     base/ftmac.c in FreeType before 2.5.4 allowed remote attackers to cause
     a denial of service (out-of-bounds read) or obtain sensitive information
     from process memory via a crafted FOND resource in a Mac font file
     (bnc#916873).
   - CVE-2014-9673: Integer signedness error in the Mac_Read_POST_Resource
     function in base/ftobjs.c in FreeType before 2.5.4 allowed remote
     attackers to cause a denial of service (heap-based buffer overflow) or
     possibly have unspecified other impact via a crafted Mac font
     (bnc#916874).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-111=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-111=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-111=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      freetype2-debugsource-2.5.3-5.1
      freetype2-devel-2.5.3-5.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      freetype2-debugsource-2.5.3-5.1
      ft2demos-2.5.3-5.1
      libfreetype6-2.5.3-5.1
      libfreetype6-debuginfo-2.5.3-5.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libfreetype6-32bit-2.5.3-5.1
      libfreetype6-debuginfo-32bit-2.5.3-5.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      freetype2-debugsource-2.5.3-5.1
      ft2demos-2.5.3-5.1
      libfreetype6-2.5.3-5.1
      libfreetype6-32bit-2.5.3-5.1
      libfreetype6-debuginfo-2.5.3-5.1
      libfreetype6-debuginfo-32bit-2.5.3-5.1

References:

   http://support.novell.com/security/cve/CVE-2014-2240.html
   http://support.novell.com/security/cve/CVE-2014-9656.html
   http://support.novell.com/security/cve/CVE-2014-9657.html
   http://support.novell.com/security/cve/CVE-2014-9658.html
   http://support.novell.com/security/cve/CVE-2014-9659.html
   http://support.novell.com/security/cve/CVE-2014-9660.html
   http://support.novell.com/security/cve/CVE-2014-9661.html
   http://support.novell.com/security/cve/CVE-2014-9662.html
   http://support.novell.com/security/cve/CVE-2014-9663.html
   http://support.novell.com/security/cve/CVE-2014-9664.html
   http://support.novell.com/security/cve/CVE-2014-9665.html
   http://support.novell.com/security/cve/CVE-2014-9666.html
   http://support.novell.com/security/cve/CVE-2014-9667.html
   http://support.novell.com/security/cve/CVE-2014-9668.html
   http://support.novell.com/security/cve/CVE-2014-9669.html
   http://support.novell.com/security/cve/CVE-2014-9670.html
   http://support.novell.com/security/cve/CVE-2014-9671.html
   http://support.novell.com/security/cve/CVE-2014-9672.html
   http://support.novell.com/security/cve/CVE-2014-9673.html
   http://support.novell.com/security/cve/CVE-2014-9674.html
   http://support.novell.com/security/cve/CVE-2014-9675.html
   https://bugzilla.suse.com/916847
   https://bugzilla.suse.com/916856
   https://bugzilla.suse.com/916857
   https://bugzilla.suse.com/916858
   https://bugzilla.suse.com/916859
   https://bugzilla.suse.com/916860
   https://bugzilla.suse.com/916861
   https://bugzilla.suse.com/916862
   https://bugzilla.suse.com/916863
   https://bugzilla.suse.com/916864
   https://bugzilla.suse.com/916865
   https://bugzilla.suse.com/916867
   https://bugzilla.suse.com/916868
   https://bugzilla.suse.com/916870
   https://bugzilla.suse.com/916871
   https://bugzilla.suse.com/916872
   https://bugzilla.suse.com/916873
   https://bugzilla.suse.com/916874
   https://bugzilla.suse.com/916879
   https://bugzilla.suse.com/916881