CVE-2014-9665

Published: Feb 8, 2015Modified: May 6, 2026

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 10.0 / Impact: 6.4

Source: NVD

Description

The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file.

Affected (10)

Products: Fedoraproject: Fedora · Canonical: Ubuntu Linux · Freetype: Freetype · +1 more

Show all products

Fedoraproject: Fedora · Canonical: Ubuntu Linux · Freetype: Freetype · Opensuse: Opensuse

1 product

1 product

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 20
Fedoraproject Fedora	Version 21

Configuration B

5 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 10.04
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 14.10
Canonical Ubuntu Linux	Version 15.10

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Freetype Freetype	Up to 2.5.3

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Opensuse Opensuse	Version 13.1
Opensuse Opensuse	Version 13.2

Related CWEs

Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

References (20)

http://code.google.com/p/google-security-research/issues/detail?id=168

Source: cve@mitre.org

Exploit

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=54abd22891bd51ef8b533b24df53b3019b5cee81

Source: cve@mitre.org

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=b3500af717010137046ec4076d1e1c0641e33727

Source: cve@mitre.org

http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150148.html

Source: cve@mitre.org

http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150162.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-updates/2015-03/msg00091.html

Source: cve@mitre.org

http://www.securityfocus.com/bid/72986

Source: cve@mitre.org

http://www.ubuntu.com/usn/USN-2510-1

Source: cve@mitre.org

http://www.ubuntu.com/usn/USN-2739-1

Source: cve@mitre.org

https://security.gentoo.org/glsa/201503-05

Source: cve@mitre.org

http://code.google.com/p/google-security-research/issues/detail?id=168

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=54abd22891bd51ef8b533b24df53b3019b5cee81

Source: af854a3a-2127-422b-91ae-364da2661108

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=b3500af717010137046ec4076d1e1c0641e33727

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150148.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150162.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2015-03/msg00091.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/72986

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-2510-1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-2739-1

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/201503-05

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.