SUSE-SU-2015:0455-1: moderate: Security update for freetype2
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Tue Mar 10 08:05:40 MDT 2015
SUSE Security Update: Security update for freetype2
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0455-1
Rating: moderate
References: #916847 #916856 #916857 #916858 #916859 #916860
#916861 #916862 #916863 #916864 #916865 #916867
#916868 #916870 #916871 #916872 #916873 #916874
#916879 #916881
Cross-References: CVE-2014-2240 CVE-2014-9656 CVE-2014-9657
CVE-2014-9658 CVE-2014-9659 CVE-2014-9660
CVE-2014-9661 CVE-2014-9662 CVE-2014-9663
CVE-2014-9664 CVE-2014-9665 CVE-2014-9666
CVE-2014-9667 CVE-2014-9668 CVE-2014-9669
CVE-2014-9670 CVE-2014-9671 CVE-2014-9672
CVE-2014-9673 CVE-2014-9674 CVE-2014-9675
Affected Products:
SUSE Linux Enterprise Software Development Kit 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Desktop 12
______________________________________________________________________________
An update that fixes 21 vulnerabilities is now available.
Description:
freetype2 was updated to fix 20 security issues.
These security issues were fixed:
- CVE-2014-9663: The tt_cmap4_validate function in sfnt/ttcmap.c in
FreeType before 2.5.4 validates a certain length field before that
field's value is completely calculated, which allowed remote attackers
to cause a denial of service (out-of-bounds read) or possibly have
unspecified other impact via a crafted cmap SFNT table (bnc#916865).
- CVE-2014-9662: cff/cf2ft.c in FreeType before 2.5.4 did not validate the
return values of point-allocation functions, which allowed remote
attackers to cause a denial of service (heap-based buffer overflow) or
possibly have unspecified other impact via a crafted OTF font
(bnc#916860).
- CVE-2014-9661: type42/t42parse.c in FreeType before 2.5.4 did not
consider that scanning can be incomplete without triggering an error,
which allowed remote attackers to cause a denial of service
(use-after-free) or possibly have unspecified other impact via a crafted
Type42 font (bnc#916859).
- CVE-2014-9660: The _bdf_parse_glyphs function in bdf/bdflib.c in
FreeType before 2.5.4 did not properly handle a missing ENDCHAR record,
which allowed remote attackers to cause a denial of service (NULL
pointer dereference) or possibly have unspecified other impact via a
crafted BDF font (bnc#916858).
- CVE-2014-9667: sfnt/ttload.c in FreeType before 2.5.4 proceeds with
offset+length calculations without restricting the values, which allowed
remote attackers to cause a denial of service (integer overflow and
out-of-bounds read) or possibly have unspecified other impact via a
crafted SFNT table (bnc#916861).
- CVE-2014-9666: The tt_sbit_decoder_init function in sfnt/ttsbit.c in
FreeType before 2.5.4 proceeds with a count-to-size association without
restricting the count value, which allowed remote attackers to cause a
denial of service (integer overflow and out-of-bounds read) or possibly
have unspecified other impact via a crafted embedded bitmap (bnc#916862).
- CVE-2014-9665: The Load_SBit_Png function in sfnt/pngshim.c in FreeType
before 2.5.4 did not restrict the rows and pitch values of PNG data,
which allowed remote attackers to cause a denial of service (integer
overflow and heap-based buffer overflow) or possibly have unspecified
other impact by embedding a PNG file in a .ttf font file (bnc#916863).
- CVE-2014-9664: FreeType before 2.5.4 did not check for the end of the
data during certain parsing actions, which allowed remote attackers to
cause a denial of service (out-of-bounds read) or possibly have
unspecified other impact via a crafted Type42 font, related to
type42/t42parse.c and type1/t1load.c (bnc#916864).
- CVE-2014-9669: Multiple integer overflows in sfnt/ttcmap.c in FreeType
before 2.5.4 allowed remote attackers to cause a denial of service
(out-of-bounds read or memory corruption) or possibly have unspecified
other impact via a crafted cmap SFNT table (bnc#916870).
- CVE-2014-9668: The woff_open_font function in sfnt/sfobjs.c in FreeType
before 2.5.4 proceeds with offset+length calculations without
restricting length values, which allowed remote attackers to cause a
denial of service (integer overflow and heap-based buffer overflow) or
possibly have unspecified other impact via a crafted Web Open Font
Format (WOFF) file (bnc#916868).
- CVE-2014-9656: The tt_sbit_decoder_load_image function in sfnt/ttsbit.c
in FreeType before 2.5.4 did not properly check for an integer overflow,
which allowed remote attackers to cause a denial of service
(out-of-bounds read) or possibly have unspecified other impact via a
crafted OpenType font (bnc#916847).
- CVE-2014-9658: The tt_face_load_kern function in sfnt/ttkern.c in
FreeType before 2.5.4 enforces an incorrect minimum table length, which
allowed remote attackers to cause a denial of service (out-of-bounds
read) or possibly have unspecified other impact via a crafted TrueType
font (bnc#916857).
- CVE-2014-9659: cff/cf2intrp.c in the CFF CharString interpreter in
FreeType before 2.5.4 proceeds with additional hints after the hint mask
has been computed, which allowed remote attackers to execute arbitrary
code or cause a denial of service (stack-based buffer overflow) via a
crafted OpenType font. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2014-2240 (bnc#916867).
- CVE-2014-9674: The Mac_Read_POST_Resource function in base/ftobjs.c in
FreeType before 2.5.4 proceeds with adding to length values without
validating the original values, which allowed remote attackers to cause
a denial of service (integer overflow and heap-based buffer overflow) or
possibly have unspecified other impact via a crafted Mac font
(bnc#916879).
- CVE-2014-9675: bdf/bdflib.c in FreeType before 2.5.4 identifies property
names by only verifying that an initial substring is present, which
allowed remote attackers to discover heap pointer values and bypass the
ASLR protection mechanism via a crafted BDF font (bnc#916881).
- CVE-2014-9657: The tt_face_load_hdmx function in truetype/ttpload.c in
FreeType before 2.5.4 did not establish a minimum record size, which
allowed remote attackers to cause a denial of service (out-of-bounds
read) or possibly have unspecified other impact via a crafted TrueType
font (bnc#916856).
- CVE-2014-9670: Multiple integer signedness errors in the
pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4
allowed remote attackers to cause a denial of service (integer overflow,
NULL pointer dereference, and application crash) via a crafted PCF file
that specifies negative values for the first column and first row
(bnc#916871).
- CVE-2014-9671: Off-by-one error in the pcf_get_properties function in
pcf/pcfread.c in FreeType before 2.5.4 allowed remote attackers to cause
a denial of service (NULL pointer dereference and application crash) via
a crafted PCF file with a 0xffffffff size value that is improperly
incremented (bnc#916872).
- CVE-2014-9672: Array index error in the parse_fond function in
base/ftmac.c in FreeType before 2.5.4 allowed remote attackers to cause
a denial of service (out-of-bounds read) or obtain sensitive information
from process memory via a crafted FOND resource in a Mac font file
(bnc#916873).
- CVE-2014-9673: Integer signedness error in the Mac_Read_POST_Resource
function in base/ftobjs.c in FreeType before 2.5.4 allowed remote
attackers to cause a denial of service (heap-based buffer overflow) or
possibly have unspecified other impact via a crafted Mac font
(bnc#916874).
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12:
zypper in -t patch SUSE-SLE-SDK-12-2015-111=1
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2015-111=1
- SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2015-111=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
freetype2-debugsource-2.5.3-5.1
freetype2-devel-2.5.3-5.1
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
freetype2-debugsource-2.5.3-5.1
ft2demos-2.5.3-5.1
libfreetype6-2.5.3-5.1
libfreetype6-debuginfo-2.5.3-5.1
- SUSE Linux Enterprise Server 12 (s390x x86_64):
libfreetype6-32bit-2.5.3-5.1
libfreetype6-debuginfo-32bit-2.5.3-5.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
freetype2-debugsource-2.5.3-5.1
ft2demos-2.5.3-5.1
libfreetype6-2.5.3-5.1
libfreetype6-32bit-2.5.3-5.1
libfreetype6-debuginfo-2.5.3-5.1
libfreetype6-debuginfo-32bit-2.5.3-5.1
References:
http://support.novell.com/security/cve/CVE-2014-2240.html
http://support.novell.com/security/cve/CVE-2014-9656.html
http://support.novell.com/security/cve/CVE-2014-9657.html
http://support.novell.com/security/cve/CVE-2014-9658.html
http://support.novell.com/security/cve/CVE-2014-9659.html
http://support.novell.com/security/cve/CVE-2014-9660.html
http://support.novell.com/security/cve/CVE-2014-9661.html
http://support.novell.com/security/cve/CVE-2014-9662.html
http://support.novell.com/security/cve/CVE-2014-9663.html
http://support.novell.com/security/cve/CVE-2014-9664.html
http://support.novell.com/security/cve/CVE-2014-9665.html
http://support.novell.com/security/cve/CVE-2014-9666.html
http://support.novell.com/security/cve/CVE-2014-9667.html
http://support.novell.com/security/cve/CVE-2014-9668.html
http://support.novell.com/security/cve/CVE-2014-9669.html
http://support.novell.com/security/cve/CVE-2014-9670.html
http://support.novell.com/security/cve/CVE-2014-9671.html
http://support.novell.com/security/cve/CVE-2014-9672.html
http://support.novell.com/security/cve/CVE-2014-9673.html
http://support.novell.com/security/cve/CVE-2014-9674.html
http://support.novell.com/security/cve/CVE-2014-9675.html
https://bugzilla.suse.com/916847
https://bugzilla.suse.com/916856
https://bugzilla.suse.com/916857
https://bugzilla.suse.com/916858
https://bugzilla.suse.com/916859
https://bugzilla.suse.com/916860
https://bugzilla.suse.com/916861
https://bugzilla.suse.com/916862
https://bugzilla.suse.com/916863
https://bugzilla.suse.com/916864
https://bugzilla.suse.com/916865
https://bugzilla.suse.com/916867
https://bugzilla.suse.com/916868
https://bugzilla.suse.com/916870
https://bugzilla.suse.com/916871
https://bugzilla.suse.com/916872
https://bugzilla.suse.com/916873
https://bugzilla.suse.com/916874
https://bugzilla.suse.com/916879
https://bugzilla.suse.com/916881
More information about the sle-updates
mailing list