Bug 1763609 (CVE-2015-9382) - CVE-2015-9382 freetype: mishandling ps_parser_skip_PS_token in an FT_New_Memory_Face operation in skip_comment, psaux/psobjs.c, leads to a buffer over-read
Summary: CVE-2015-9382 freetype: mishandling ps_parser_skip_PS_token in an FT_New_Memo...
Alias: CVE-2015-9382
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1763616 1767863 1767978 1768021 1768022
Blocks: 1763611
TreeView+ depends on / blocked
Reported: 2019-10-21 07:52 UTC by Marian Rehak
Modified: 2023-03-24 15:42 UTC (History)
16 users (show)

Fixed In Version: freetype 2.6.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-12-17 14:09:26 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:4254 0 None None None 2019-12-17 11:05:48 UTC

Description Marian Rehak 2019-10-21 07:52:25 UTC
FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation. This may lead to a DoS.

Comment 1 Marian Rehak 2019-10-21 07:53:06 UTC
Upstream Issue:


Comment 3 Marian Rehak 2019-10-21 08:00:48 UTC
Created freetype tracking bugs for this issue:

Affects: fedora-all [bug 1763616]

Comment 8 Marco Benatto 2019-11-05 15:42:35 UTC
The freetype library is able to handle PostScript created fonts, however there's an issue when handling PostScript balanced expressions. On ps_parser_skip_PS_token() a lack of proper validation may lead the reading cursor holding the current position being processed to go beyond the end of the text content. This further causes an out of bounds read o skip_comment() function. An attacker may leverage this bug by creating a crafted input file causing low confidentiality impact as unexpected data may be exposed as a result of the over-read.

Comment 9 errata-xmlrpc 2019-12-17 11:05:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:4254 https://access.redhat.com/errata/RHSA-2019:4254

Comment 10 Product Security DevOps Team 2019-12-17 14:09:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.