Heap-based Buffer Over-read in FreeType Affects Multiple Systems
CVE-2015-9381
8.8 HIGH
Summary
A vulnerability in FreeType's Type 1 font parser results in a heap-based buffer over-read. This can lead to exposure of sensitive information or to unexpected behavior in applications that use the library. The issue lies in the T1_Get_Private_Dict function in t1parse.c, which can mishandle memory when processing malformed font files. This vulnerability underscores the importance of keeping FreeType updated to the latest version to mitigate security risks.
References
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved