[Secure-testing-team] Bug#777656: freetype: various new security issues

[Salvatore Bonaccorso]

Source: freetype
Version: 2.5.2-2
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for freetype. I filled
this as "RC" since at least one seems to allow code execution. Could
you help identify which also affect wheezy?

CVE-2014-9656[0]:
| The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType
| before 2.5.4 does not properly check for an integer overflow, which
| allows remote attackers to cause a denial of service (out-of-bounds
| read) or possibly have unspecified other impact via a crafted OpenType
| font.

CVE-2014-9657[1]:
| The tt_face_load_hdmx function in truetype/ttpload.c in FreeType
| before 2.5.4 does not establish a minimum record size, which allows
| remote attackers to cause a denial of service (out-of-bounds read) or
| possibly have unspecified other impact via a crafted TrueType font.

CVE-2014-9658[2]:
| The tt_face_load_kern function in sfnt/ttkern.c in FreeType before
| 2.5.4 enforces an incorrect minimum table length, which allows remote
| attackers to cause a denial of service (out-of-bounds read) or
| possibly have unspecified other impact via a crafted TrueType font.

CVE-2014-9659[3]:
| cff/cf2intrp.c in the CFF CharString interpreter in FreeType before
| 2.5.4 proceeds with additional hints after the hint mask has been
| computed, which allows remote attackers to execute arbitrary code or
| cause a denial of service (stack-based buffer overflow) via a crafted
| OpenType font.  NOTE: this vulnerability exists because of an
| incomplete fix for CVE-2014-2240.

CVE-2014-9660[4]:
| The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before
| 2.5.4 does not properly handle a missing ENDCHAR record, which allows
| remote attackers to cause a denial of service (NULL pointer
| dereference) or possibly have unspecified other impact via a crafted
| BDF font.

CVE-2014-9661[5]:
| type42/t42parse.c in FreeType before 2.5.4 does not consider that
| scanning can be incomplete without triggering an error, which allows
| remote attackers to cause a denial of service (use-after-free) or
| possibly have unspecified other impact via a crafted Type42 font.

CVE-2014-9662[6]:
| cff/cf2ft.c in FreeType before 2.5.4 does not validate the return
| values of point-allocation functions, which allows remote attackers to
| cause a denial of service (heap-based buffer overflow) or possibly
| have unspecified other impact via a crafted OTF font.

CVE-2014-9663[7]:
| The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before
| 2.5.4 validates a certain length field before that field's value is
| completely calculated, which allows remote attackers to cause a denial
| of service (out-of-bounds read) or possibly have unspecified other
| impact via a crafted cmap SFNT table.

CVE-2014-9664[8]:
| FreeType before 2.5.4 does not check for the end of the data during
| certain parsing actions, which allows remote attackers to cause a
| denial of service (out-of-bounds read) or possibly have unspecified
| other impact via a crafted Type42 font, related to type42/t42parse.c
| and type1/t1load.c.

CVE-2014-9665[9]:
| The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4
| does not restrict the rows and pitch values of PNG data, which allows
| remote attackers to cause a denial of service (integer overflow and
| heap-based buffer overflow) or possibly have unspecified other impact
| by embedding a PNG file in a .ttf font file.

CVE-2014-9666[10]:
| The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before
| 2.5.4 proceeds with a count-to-size association without restricting
| the count value, which allows remote attackers to cause a denial of
| service (integer overflow and out-of-bounds read) or possibly have
| unspecified other impact via a crafted embedded bitmap.

CVE-2014-9667[11]:
| sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length
| calculations without restricting the values, which allows remote
| attackers to cause a denial of service (integer overflow and
| out-of-bounds read) or possibly have unspecified other impact via a
| crafted SFNT table.

CVE-2014-9668[12]:
| The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4
| proceeds with offset+length calculations without restricting length
| values, which allows remote attackers to cause a denial of service
| (integer overflow and heap-based buffer overflow) or possibly have
| unspecified other impact via a crafted Web Open Font Format (WOFF)
| file.

CVE-2014-9669[13]:
| Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4
| allow remote attackers to cause a denial of service (out-of-bounds
| read or memory corruption) or possibly have unspecified other impact
| via a crafted cmap SFNT table.

CVE-2014-9670[14]:
| Multiple integer signedness errors in the pcf_get_encodings function
| in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to
| cause a denial of service (integer overflow, NULL pointer dereference,
| and application crash) via a crafted PCF file that specifies negative
| values for the first column and first row.

CVE-2014-9671[15]:
| Off-by-one error in the pcf_get_properties function in pcf/pcfread.c
| in FreeType before 2.5.4 allows remote attackers to cause a denial of
| service (NULL pointer dereference and application crash) via a crafted
| PCF file with a 0xffffffff size value that is improperly incremented.

CVE-2014-9672[16]:
| Array index error in the parse_fond function in base/ftmac.c in
| FreeType before 2.5.4 allows remote attackers to cause a denial of
| service (out-of-bounds read) or obtain sensitive information from
| process memory via a crafted FOND resource in a Mac font file.

CVE-2014-9673[17]:
| Integer signedness error in the Mac_Read_POST_Resource function in
| base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to
| cause a denial of service (heap-based buffer overflow) or possibly
| have unspecified other impact via a crafted Mac font.

CVE-2014-9674[18]:
| The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType
| before 2.5.4 proceeds with adding to length values without validating
| the original values, which allows remote attackers to cause a denial
| of service (integer overflow and heap-based buffer overflow) or
| possibly have unspecified other impact via a crafted Mac font.

CVE-2014-9675[19]:
| bdf/bdflib.c in FreeType before 2.5.4 identifies property names by
| only verifying that an initial substring is present, which allows
| remote attackers to discover heap pointer values and bypass the ASLR
| protection mechanism via a crafted BDF font.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9656
[1] https://security-tracker.debian.org/tracker/CVE-2014-9657
[2] https://security-tracker.debian.org/tracker/CVE-2014-9658
[3] https://security-tracker.debian.org/tracker/CVE-2014-9659
[4] https://security-tracker.debian.org/tracker/CVE-2014-9660
[5] https://security-tracker.debian.org/tracker/CVE-2014-9661
[6] https://security-tracker.debian.org/tracker/CVE-2014-9662
[7] https://security-tracker.debian.org/tracker/CVE-2014-9663
[8] https://security-tracker.debian.org/tracker/CVE-2014-9664
[9] https://security-tracker.debian.org/tracker/CVE-2014-9665
[10] https://security-tracker.debian.org/tracker/CVE-2014-9666
[11] https://security-tracker.debian.org/tracker/CVE-2014-9667
[12] https://security-tracker.debian.org/tracker/CVE-2014-9668
[13] https://security-tracker.debian.org/tracker/CVE-2014-9669
[14] https://security-tracker.debian.org/tracker/CVE-2014-9670
[15] https://security-tracker.debian.org/tracker/CVE-2014-9671
[16] https://security-tracker.debian.org/tracker/CVE-2014-9672
[17] https://security-tracker.debian.org/tracker/CVE-2014-9673
[18] https://security-tracker.debian.org/tracker/CVE-2014-9674
[19] https://security-tracker.debian.org/tracker/CVE-2014-9675

Regards,
Salvatore