Common Vulnerabilities and Exposures assigned CVE-2014-9658 to the following issue: The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.
http://code.google.com/p/google-security-research/issues/detail?id=194
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c
Created freetype tracking bugs for this issue: Affects: fedora-all [bug 1191099]
freetype-2.5.3-15.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Upstream bug is: https://savannah.nongnu.org/bugs/?43672
Issue was fixed upstream in 2.5.4.

The issue here starts as a simple short buffer over-read. The existing check to ensure enough input data is still available was incorrect:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/ttkern.c?id=73be9f9#n102
The length <= 6 check only takes into account the previously read header:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/ttkern.c?id=73be9f9#n96
p is later incremented by 8 (but only the first two bytes are actually read/accessed):
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/ttkern.c?id=73be9f9#n115
However, when length is too short, p_next may be less than p, which leads to integer underflow in (p_next - p) in this num_pairs check:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/ttkern.c?id=73be9f9#n118
The check aims to prevent further over-reads. The underflow bypasses the check and makes it possible to read 6 * 0xffff bytes (num_pairs is a short). A crash should be possible.
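As an added illustration (not FreeType's code and not from this bug report), the following simplified C model of the per-subtable bounds logic described in the comment above puts the old minimum-length check beside a corrected one that also accounts for the 8 bytes consumed before the pair array. The kern format-0 field layout is the standard TrueType one; the unsigned comparison, the 14-byte corrected minimum and the function name are assumptions of this model, not quotations from ttkern.c.

```c
#include <stddef.h>
#include <stdint.h>

/* TrueType values are big-endian. */
static unsigned be16(const uint8_t *p) { return (unsigned)((p[0] << 8) | p[1]); }

/* Simplified model (assumption, not ttkern.c itself) of the subtable bounds
 * logic.  Offsets are used instead of pointers so the subtraction can wrap
 * without undefined behaviour.  Returns the number of kerning pairs the loop
 * would go on to read, or -1 when the subtable is rejected.  Pair data is
 * never read, so malformed input is safe to pass in.  hardened=0 models the
 * old check, hardened=1 the corrected minimum length. */
int kern_pairs_to_read(const uint8_t *sub, size_t sub_len, int hardened)
{
    size_t   p = 0, p_next, avail;
    unsigned length, num_pairs;

    if (p + 6 > sub_len)               /* version(2) length(2) coverage(2) */
        return -1;
    p_next = p;
    p     += 2;                        /* skip version */
    length = be16(sub + p); p += 2;
    p     += 2;                        /* coverage is irrelevant to bounds */

    /* Old check: only the 6 header bytes already read are accounted for.
     * Corrected check: also the 8 bytes consumed below (nPairs, searchRange,
     * entrySelector, rangeShift), so p_next can never end up before p. */
    if (hardened ? length <= 6 + 8 : length <= 6)
        return -1;

    p_next = p_next + length;          /* where the next subtable starts */
    if (p_next > sub_len)
        p_next = sub_len;              /* clamp a broken length */

    num_pairs = be16(sub + p);         /* nPairs (a 16-bit count) */
    p += 8;                            /* nPairs + three search fields */

    /* With the old check, 7 <= length <= 14 leaves p_next < p: the unsigned
     * difference wraps to a huge value, the clamp never fires, and the loop
     * would go on to read 6 * num_pairs bytes (up to 6 * 0xffff). */
    avail = p_next - p;
    if (avail < 6u * num_pairs)
        num_pairs = (unsigned)(avail / 6);
    return (int)num_pairs;
}

/* Constructed 14-byte subtable: length field 8 passes the old "> 6" check but
 * is smaller than the 14 header bytes the loop consumes; nPairs = 0xffff. */
const uint8_t kern_short_sub[14] = { 0,0, 0,8, 0,1, 0xff,0xff, 0,0, 0,0, 0,0 };
/* Constructed well-formed subtable: 14-byte header plus two 6-byte pairs. */
const uint8_t kern_ok_sub[26] = { 0,0, 0,26, 0,1, 0,2, 0,12, 0,1, 0,0,
                                  0,1, 0,2, 0xff,0xf0, 0,3, 0,4, 0,0x10 };
```

With the old check the short subtable yields a pair count of 65535 against 14 bytes of input; the corrected check rejects it, while the well-formed subtable is accepted by both.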
freetype-2.5.0-9.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2015:0696 https://rhn.redhat.com/errata/RHSA-2015-0696.html