Buffer Over-read Vulnerability in FontForge Affects File Processing
CVE-2017-11575

7.8HIGH

Key Information:

Vendor: Fontforge
Status: Fontforge
Vendor: CVE Published:; 23 July 2017

What is CVE-2017-11575?

A vulnerability exists in FontForge 20161012 that allows for a buffer over-read in the strnmatch function (located in char.c). This issue can be exploited when processing a specially crafted OTF (OpenType Font) file, potentially leading to denial of service (DoS) or arbitrary code execution. The vulnerability is associated with the readttfcopyrights function in parsettf.c, which fails to adequately handle certain input scenarios. Users of affected versions are encouraged to apply relevant patches or updates to mitigate the risk.

References

http://www.debian.org/security/2017/dsa-3958

vendor-advisoryx_refsource_DEBIAN

https://github.com/fontforge/fontforge/issues/3096

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 23, 2017
Vulnerability Reserved
Jul 23, 2017

CVE-2017-11575 Data

JSON

Fontforge

What is CVE-2017-11575?

References

CVSS V3.1

Timeline