Bug 1444904 (CVE-2017-7858) - CVE-2017-7858 freetype: out-of-bounds write related to the TT_Get_MM_Var and sfnt_init_face functions
Summary: CVE-2017-7858 freetype: out-of-bounds write related to the TT_Get_MM_Var and ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-7858
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1444915 1444916 1444917
Blocks: 1444919
TreeView+ depends on / blocked
 
Reported: 2017-04-24 14:12 UTC by Adam Mariš
Modified: 2019-09-29 14:11 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-29 04:48:58 UTC
Embargoed:

Attachments (Terms of Use)

Description Adam Mariš 2017-04-24 14:12:43 UTC 
FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.

Bug report:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=738

Upstream patch:

https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=779309744222a736eba0f1731e8162fce6288d4e
Comment 1 Adam Mariš 2017-04-24 14:29:13 UTC 
Created freetype tracking bugs for this issue:

Affects: fedora-all [bug 1444917]


Created mingw-freetype tracking bugs for this issue:

Affects: epel-7 [bug 1444915]
Affects: fedora-all [bug 1444916]
Comment 2 Marek Kašík 2017-04-28 16:05:45 UTC 
This is the same case as in https://bugzilla.redhat.com/show_bug.cgi?id=1444898#c2, I can not reproduce the issue with any freetype version which we currently support in Fedora.
Note You need to log in before you can comment on or make changes to this bug.