[SECURITY] Fedora 21 Update: freetype-2.5.3-15.fc21

updates at fedoraproject.org
Thu Feb 19 18:01:31 UTC 2015


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-2237
2015-02-18 00:29:04
--------------------------------------------------------------------------------

Name        : freetype
Product     : Fedora 21
Version     : 2.5.3
Release     : 15.fc21
URL         : http://www.freetype.org
Summary     : A free and portable font rendering engine
Description :
The FreeType engine is a free and portable font rendering
engine, developed to provide advanced font support for a variety of
platforms and environments. FreeType is a library which can open and
manage font files as well as efficiently load, hint and render
individual glyphs. FreeType is not a font server or a complete
text-rendering library.

--------------------------------------------------------------------------------
Update Information:

This update fixes several security issues.

--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 17 2015 Marek Kasik <mkasik at redhat.com> - 2.5.3-15
- Fixes CVE-2014-9656
   - Check `p' before `num_glyphs'.
- Fixes CVE-2014-9657
   - Check minimum size of `record_size'.
- Fixes CVE-2014-9658
   - Use correct value for minimum table length test.
- Fixes CVE-2014-9675
   - New macro that checks one character more than `strncmp'.
- Fixes CVE-2014-9660
   - Check `_BDF_GLYPH_BITS'.
- Fixes CVE-2014-9661
   - Initialize `face->ttf_size'.
   - Always set `face->ttf_size' directly.
   - Exclusively use the `truetype' font driver for loading
     the font contained in the `sfnts' array.
- Fixes CVE-2014-9662
   - Handle return values of point allocation routines.
- Fixes CVE-2014-9663
   - Fix order of validity tests.
- Fixes CVE-2014-9664
   - Add another boundary testing.
   - Fix boundary testing.
- Fixes CVE-2014-9665
   - Protect against too large bitmaps.
- Fixes CVE-2014-9666
   - Protect against addition and multiplication overflow.
- Fixes CVE-2014-9667
   - Protect against addition overflow.
- Fixes CVE-2014-9668
   - Protect against addition overflow.
- Fixes CVE-2014-9669
   - Protect against overflow in additions and multiplications.
- Fixes CVE-2014-9670
   - Add sanity checks for row and column values.
- Fixes CVE-2014-9671
   - Check `size' and `offset' values.
- Fixes CVE-2014-9672
   - Prevent a buffer overrun caused by a font including too many (> 63)
     strings to store names[] table.
- Fixes CVE-2014-9673
   - Fix integer overflow by a broken POST table in resource-fork.
- Fixes CVE-2014-9674
   - Fix integer overflow by a broken POST table in resource-fork.
   - Additional overflow check in the summation of POST fragment lengths.
- Resolves: #1191099, #1191191, #1191193
* Wed Dec 17 2014 Marek Kasik <mkasik at redhat.com> - 2.5.3-14
- Fix of URL of the bug #1172634
* Thu Dec 11 2014 Marek Kasik <mkasik at redhat.com> - 2.5.3-13
- Suppress an assert when hintMap.count == 0 in specific situations.
- Related: #1172634
* Wed Dec 10 2014 Marek Kasik <mkasik at redhat.com> - 2.5.3-12
- Don't append to stem arrays after hintmask is constructed.
- Related: #1172634
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1191078 - CVE-2014-9656 freetype: integer overflow in the tt_sbit_decoder_load_image function in sfnt/ttsbit.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191078
  [ 2 ] Bug #1191081 - CVE-2014-9659 freetype: stack-based buffer overflow in cff/cf2intrp.c in the CFF CharString interpreter
        https://bugzilla.redhat.com/show_bug.cgi?id=1191081
  [ 3 ] Bug #1191083 - CVE-2014-9661 freetype: use-after-free in type42/t42parse.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191083
  [ 4 ] Bug #1191085 - CVE-2014-9663 freetype: out-of-bounds read in the tt_cmap4_validate function in sfnt/ttcmap.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191085
  [ 5 ] Bug #1191087 - CVE-2014-9665 freetype: integer overflow and heap-based buffer overflow in the Load_SBit_Png function in sfnt/pngshim.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191087
  [ 6 ] Bug #1191090 - CVE-2014-9667 freetype: integer overflow and out-of-bounds read in sfnt/ttload.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191090
  [ 7 ] Bug #1191092 - CVE-2014-9669 freetype: Multiple integer overflows in sfnt/ttcmap.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191092
  [ 8 ] Bug #1191093 - CVE-2014-9670 freetype: Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191093
  [ 9 ] Bug #1191079 - CVE-2014-9657 freetype: DoS in the tt_face_load_hdmx function in truetype/ttpload.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191079
  [ 10 ] Bug #1191080 - CVE-2014-9658 freetype: DoS in the tt_face_load_kern function in sfnt/ttkern.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191080
  [ 11 ] Bug #1191082 - CVE-2014-9660 freetype: NULL pointer dereference in the _bdf_parse_glyphs function in bdf/bdflib.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191082
  [ 12 ] Bug #1191084 - CVE-2014-9662 freetype: heap-based buffer overflow in cff/cf2ft.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191084
  [ 13 ] Bug #1191086 - CVE-2014-9664 freetype: out-of-bounds read via a crafted Type42 font
        https://bugzilla.redhat.com/show_bug.cgi?id=1191086
  [ 14 ] Bug #1191089 - CVE-2014-9666 freetype: integer overflow and out-of-bounds read in the tt_sbit_decoder_init function in sfnt/ttsbit.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191089
  [ 15 ] Bug #1191091 - CVE-2014-9668 freetype: integer overflow and heap-based buffer overflow in the woff_open_font function in sfnt/sfobjs.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191091
  [ 16 ] Bug #1191190 - CVE-2014-9674 freetype: integer overflow and heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1191190
  [ 17 ] Bug #1191192 - CVE-2014-9675 freetype: bypass the ASLR protection mechanism via a crafted BDF font
        https://bugzilla.redhat.com/show_bug.cgi?id=1191192
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update freetype' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

