Bugzilla – Bug 867620
VUL-0: CVE-2014-2240 CVE-2014-2241: freetype2: problems in CFF rasterizer
Last modified: 2019-05-22 00:58:44 UTC
public, via oss-sec and freetype2 2.5.3 release

From: Raphael Geissert <geissert@debian.org>
Date: Mon, 10 Mar 2014 16:31:33 +0100
Subject: [oss-security] Two stack-based issues in freetype

[NOT a request]

Just a heads up as I've not seen this issue anywhere.

There is an "Out-of-bounds stack-based read/write in cf2_hintmap_build" in freetype

If I understood things correctly, CVE-2014-2240 is:
https://savannah.nongnu.org/bugs/?41697#comment0
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0eae6eb0645264c98812f0095e0f5df4541830e6

While CVE-2014-2241 is:
https://savannah.nongnu.org/bugs/?41697#comment2
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=135c3faebb96f8f550bd4f318716f2e1e095a969

Release notes:
http://sourceforge.net/projects/freetype/files/freetype2/2.5.3/
The pieces of code do not seem to exist in the SLE11 freetype2 2.3.7.
bugbot adjusting priority
If memory serves me correctly, the CFF engine is part of freetype with 13.1 and newer - will check and try to backport fixes accordingly.
so openSUSE only, no need for SLE update.
Thank you very much for the quick clarification, Marcus!
done I think? or stuff for opensuse missing?