Vulnerability Details : CVE-2014-9665
Potential exploit
The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file.
Vulnerability category: OverflowDenial of service
Products affected by CVE-2014-9665
- cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-9665
2.17%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 83 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-9665
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2014-9665
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-9665
-
http://www.securityfocus.com/bid/72986
FreeType Versions Prior to 2.5.4 Multiple Remote Vulnerabilities
-
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=54abd22891bd51ef8b533b24df53b3019b5cee81
freetype/freetype2.git - The FreeType 2 library
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150162.html
[SECURITY] Fedora 20 Update: freetype-2.5.0-9.fc20
-
http://lists.opensuse.org/opensuse-updates/2015-03/msg00091.html
openSUSE-SU-2015:0627-1: moderate: Security update for freetype2
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150148.html
[SECURITY] Fedora 21 Update: freetype-2.5.3-15.fc21
-
https://security.gentoo.org/glsa/201503-05
FreeType: Multiple vulnerabilities (GLSA 201503-05) — Gentoo security
-
http://www.ubuntu.com/usn/USN-2510-1
USN-2510-1: FreeType vulnerabilities | Ubuntu security notices
-
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=b3500af717010137046ec4076d1e1c0641e33727
freetype/freetype2.git - The FreeType 2 library
-
http://www.ubuntu.com/usn/USN-2739-1
USN-2739-1: FreeType vulnerabilities | Ubuntu security notices
-
http://code.google.com/p/google-security-research/issues/detail?id=168
168 - FreeType 2.5.3 sbix PNG handling heap-based buffer overflow due to integer overflow - project-zero - MonorailExploit
Jump to