1763609 – (CVE-2015-9382) CVE-2015-9382 freetype: mishandling ps_parser_skip_PS_token in an FT_New_Memory_Face operation in skip_comment, psaux/psobjs.c, leads to a buffer over-read

Bug 1763609 (CVE-2015-9382) - CVE-2015-9382 freetype: mishandling ps_parser_skip_PS_token in an FT_New_Memory_Face operation in skip_comment, psaux/psobjs.c, leads to a buffer over-read

Summary: CVE-2015-9382 freetype: mishandling ps_parser_skip_PS_token in an FT_New_Memo...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-9382
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1763616 1767863 1767978 1768021 1768022
Blocks:	1763611
TreeView+	depends on / blocked

Reported:	2019-10-21 07:52 UTC by Marian Rehak
Modified:	2023-03-24 15:42 UTC (History)
CC List:	16 users (show)
Fixed In Version:	freetype 2.6.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-12-17 14:09:26 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:4254	0	None	None	None	2019-12-17 11:05:48 UTC

Description Marian Rehak 2019-10-21 07:52:25 UTC

FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation. This may lead to a DoS.

Comment 1 Marian Rehak 2019-10-21 07:53:06 UTC

Upstream Issue:

https://savannah.nongnu.org/bugs/?45922

Comment 2 Marian Rehak 2019-10-21 07:53:26 UTC

Upstream fix:

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/psaux/psobjs.c?id=db5a4a9ae7b0048f033361744421da8569642f73

Comment 3 Marian Rehak 2019-10-21 08:00:48 UTC

Created freetype tracking bugs for this issue:

Affects: fedora-all [bug 1763616]

Comment 8 Marco Benatto 2019-11-05 15:42:35 UTC

The freetype library is able to handle PostScript created fonts, however there's an issue when handling PostScript balanced expressions. On ps_parser_skip_PS_token() a lack of proper validation may lead the reading cursor holding the current position being processed to go beyond the end of the text content. This further causes an out of bounds read o skip_comment() function. An attacker may leverage this bug by creating a crafted input file causing low confidentiality impact as unexpected data may be exposed as a result of the over-read.

Comment 9 errata-xmlrpc 2019-12-17 11:05:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:4254 https://access.redhat.com/errata/RHSA-2019:4254

Comment 10 Product Security DevOps Team 2019-12-17 14:09:26 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-9382

Note You need to log in before you can comment on or make changes to this bug.