Bug 1444895 (CVE-2016-10328) - CVE-2016-10328 freetype: heap-based buffer overflow related to the cff_parser_run function
Summary: CVE-2016-10328 freetype: heap-based buffer overflow related to the cff_parser...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-10328
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1444915 1444916 1444917
Blocks: 1444919
TreeView+ depends on / blocked
 
Reported: 2017-04-24 13:57 UTC by Adam Mariš
Modified: 2019-09-29 14:11 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-29 04:47:10 UTC
Embargoed:


Attachments (Terms of Use)

Description Adam Mariš 2017-04-24 13:57:27 UTC
FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c.

Bug report:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=289

Comment 1 Adam Mariš 2017-04-24 14:28:28 UTC
Created freetype tracking bugs for this issue:

Affects: fedora-all [bug 1444917]


Created mingw-freetype tracking bugs for this issue:

Affects: epel-7 [bug 1444915]
Affects: fedora-all [bug 1444916]

Comment 2 Marek Kašík 2017-05-02 16:43:33 UTC
I can not reproduce this one too with our freetype versions.

Comment 3 Huzaifa S. Sidhpurwala 2017-06-29 04:47:10 UTC
This issue arises due to the following commit:

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=3bd79cc257499f1850a1bace21f3ae371e3b40f0

Which has not been backported to version of freetype shipped with Red Hat Enterprise Linux and Fedora, hence these versions are not affected.

Upstream versions may also not be affected, because this was a very short lived regression.


Note You need to log in before you can comment on or make changes to this bug.