Bug 1262373 (CVE-2014-9746, CVE-2014-9747)

Summary: CVE-2014-9746 CVE-2014-9747 freetype: Use of uninitialized memory
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: behdad, erik-fedora, fedora-mingw, fonts-bugs, kevin, lfarkas, mkasik, rjones
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-14 05:56:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1262384, 1262385, 1262386    
Bug Blocks: 1262375    

Description Adam Mariš 2015-09-11 13:50:17 UTC
Three use-of-uninitialized conditions were found in psobjs.c in ps_parser_load_field, in t42parse.c in 42_parse_font_matrix and in t1load.c in tt1_parse_font_matrix.

Upstream bug:


Upstream patch:


CVE request:


Comment 1 Adam Mariš 2015-09-11 13:59:04 UTC
Created freetype tracking bugs for this issue:

Affects: fedora-all [bug 1262384]

Comment 2 Adam Mariš 2015-09-11 13:59:07 UTC
Created mingw-freetype tracking bugs for this issue:

Affects: fedora-all [bug 1262385]
Affects: epel-7 [bug 1262386]

Comment 3 Marek Kašík 2015-09-11 14:51:50 UTC
It seems to me that this is already fixed in all maintained versions of Fedora. Check it please.

Comment 4 Huzaifa S. Sidhpurwala 2015-09-14 05:49:47 UTC
Upstream freetype git suggests that this issue was addressed in freetype-2.5.3.

Therefore this issue is already fixed in all the maintained versions of Fedora.

Comment 6 Adam Mariš 2015-09-29 09:18:52 UTC
CVE-2014-9746 is for accessing uninitialized memory issues
CVE-2014-9747 is for the fix for CWE-372 ("Incomplete Internal State Distinction") issue in the sense that the possibility of immediates-only mode isn't checked (in t42parse.c)