Bug 1763609 (CVE-2015-9382)
Summary: | CVE-2015-9382 freetype: mishandling ps_parser_skip_PS_token in an FT_New_Memory_Face operation in skip_comment, psaux/psobjs.c, leads to a buffer over-read | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | ajax, caillon+fedoraproject, erack, fonts-bugs, gecko-bugs-nobody, gnome-sig, jhorak, john.j5live, kevin, mclasen, mkasik, rhughes, rstrode, sandmann, stransky, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | freetype 2.6.1 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-12-17 14:09:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1763616, 1767863, 1767978, 1768021, 1768022 | ||
Bug Blocks: | 1763611 |
Description
Marian Rehak
2019-10-21 07:52:25 UTC
Upstream Issue: https://savannah.nongnu.org/bugs/?45922 Upstream fix: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/psaux/psobjs.c?id=db5a4a9ae7b0048f033361744421da8569642f73 Created freetype tracking bugs for this issue: Affects: fedora-all [bug 1763616] The freetype library is able to handle PostScript created fonts, however there's an issue when handling PostScript balanced expressions. On ps_parser_skip_PS_token() a lack of proper validation may lead the reading cursor holding the current position being processed to go beyond the end of the text content. This further causes an out of bounds read o skip_comment() function. An attacker may leverage this bug by creating a crafted input file causing low confidentiality impact as unexpected data may be exposed as a result of the over-read. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:4254 https://access.redhat.com/errata/RHSA-2019:4254 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-9382 |