MidnightBSD

Advisories for freetype

CVE-2006-0747 MEDIUM

Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
freetype freetype *
CVE-2006-1861 HIGH

Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.1.7
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.1.3
freetype freetype 2.1.8
freetype freetype 2.1.5
CVE-2006-2661 MEDIUM

ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
canonical ubuntu_linux 5.10
freetype freetype *
canonical ubuntu_linux 5.04
canonical ubuntu_linux 6.06
debian debian_linux 3.1
debian debian_linux 3.0
CVE-2006-3467 HIGH

Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
freetype freetype *
CVE-2007-2754 MEDIUM

Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
freetype freetype *
CVE-2010-2497 MEDIUM

Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-191,

Products Affected

Vendor Product Version
debian debian_linux 5.0
apple mac_os_x *
freetype freetype *
CVE-2010-2498 MEDIUM

The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file that triggers an invalid free operation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
canonical ubuntu_linux 8.04
debian debian_linux 5.0
apple mac_os_x *
canonical ubuntu_linux 9.04
freetype freetype *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 10.04
canonical ubuntu_linux 9.10
CVE-2010-2499 MEDIUM

Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LaserWriter PS font file with an embedded PFB fragment.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
canonical ubuntu_linux 8.04
debian debian_linux 5.0
apple mac_os_x *
canonical ubuntu_linux 9.04
freetype freetype *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 10.04
canonical ubuntu_linux 9.10
CVE-2010-2500 MEDIUM

Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
canonical ubuntu_linux 8.04
debian debian_linux 5.0
apple mac_os_x *
canonical ubuntu_linux 9.04
freetype freetype *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 10.04
canonical ubuntu_linux 9.10
CVE-2010-2519 MEDIUM

Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted length value in a POST fragment header in a font file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
canonical ubuntu_linux 8.04
debian debian_linux 5.0
apple mac_os_x *
canonical ubuntu_linux 9.04
freetype freetype *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 10.04
canonical ubuntu_linux 9.10
CVE-2010-2520 MEDIUM

Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
canonical ubuntu_linux 8.04
debian debian_linux 5.0
apple mac_os_x *
canonical ubuntu_linux 9.04
freetype freetype *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 10.04
canonical ubuntu_linux 9.10
CVE-2010-2527 MEDIUM

Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
canonical ubuntu_linux 8.04
debian debian_linux 5.0
canonical ubuntu_linux 9.04
freetype freetype *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 10.04
canonical ubuntu_linux 9.10
CVE-2010-2541 MEDIUM

Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
canonical ubuntu_linux 8.04
canonical ubuntu_linux 9.04
freetype freetype *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 10.04
canonical ubuntu_linux 9.10
CVE-2010-2805 MEDIUM

The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
canonical ubuntu_linux 8.04
apple mac_os_x *
canonical ubuntu_linux 9.04
freetype freetype *
apple tvos *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 10.04
canonical ubuntu_linux 9.10
apple iphone_os *
CVE-2010-2806 MEDIUM

Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-129,

Products Affected

Vendor Product Version
canonical ubuntu_linux 8.04
apple mac_os_x *
canonical ubuntu_linux 9.04
freetype freetype *
apple tvos *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 10.04
canonical ubuntu_linux 9.10
apple iphone_os *
CVE-2010-2807 MEDIUM

FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-681,

Products Affected

Vendor Product Version
canonical ubuntu_linux 8.04
apple mac_os_x *
canonical ubuntu_linux 9.04
freetype freetype *
apple tvos *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 10.04
canonical ubuntu_linux 9.10
apple iphone_os *
CVE-2010-2808 MEDIUM

Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
canonical ubuntu_linux 8.04
apple mac_os_x *
canonical ubuntu_linux 9.04
freetype freetype *
apple tvos *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 10.04
canonical ubuntu_linux 9.10
apple iphone_os *
CVE-2010-3053 MEDIUM

bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.3.6
freetype freetype 2.3.2
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.3.7
freetype freetype 2.3.3
freetype freetype 2.1.3
freetype freetype *
freetype freetype 2.3.5
freetype freetype 2.2.1
freetype freetype 2.2.10
freetype freetype 2.3.10
freetype freetype 2.3.12
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 1.3.1
CVE-2010-3054 MEDIUM

Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
freetype freetype 2.3.9
freetype freetype 2.3.10
freetype freetype 2.3.11
freetype freetype 2.3.12
freetype freetype 2.4.1
freetype freetype 2.4.0
CVE-2010-3311 HIGH

Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a heap-based buffer overflow, related to an "input stream position error" issue, a different vulnerability than CVE-2010-1797.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.3.6
freetype freetype 2.3.2
freetype freetype 2.3.8
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.3.7
freetype freetype 2.3.3
freetype freetype 2.1.3
freetype freetype *
freetype freetype 2.3.5
freetype freetype 2.2.1
freetype freetype 2.2.10
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 1.3.1
CVE-2010-3814 MEDIUM

Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted SHZ bytecode instruction, related to TrueType opcodes, as demonstrated by a PDF document with a crafted embedded font.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.3.6
freetype freetype 2.3.2
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.3.7
freetype freetype 2.4.2
freetype freetype 2.3.3
freetype freetype 2.1.3
freetype freetype *
freetype freetype 2.3.5
freetype freetype 2.2.1
freetype freetype 2.2.10
freetype freetype 2.3.10
freetype freetype 2.3.12
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 1.3.1
CVE-2010-3855 MEDIUM

Buffer overflow in the ft_var_readpackedpoints function in truetype/ttgxvar.c in FreeType 2.4.3 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TrueType GX font.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.3.6
freetype freetype 2.3.2
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.3.7
freetype freetype 2.4.2
freetype freetype 2.3.3
freetype freetype 2.1.3
freetype freetype *
freetype freetype 2.3.5
freetype freetype 2.2.1
freetype freetype 2.2.10
freetype freetype 2.3.10
freetype freetype 2.3.12
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 1.3.1
CVE-2011-0226 HIGH

Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
apple iphone_os 1.1.3
apple iphone_os 3.2.2
freetype freetype 2.3.0
apple iphone_os 1.1.5
apple iphone_os 4.3.0
apple iphone_os 1.0.1
apple iphone_os 2.2.1
apple iphone_os 4.2
freetype freetype 2.3.2
apple iphone_os 2.0.2
apple iphone_os 3.0
apple iphone_os 3.2.1
apple iphone_os 1.0.2
apple iphone_os 4.3.1
freetype freetype 2.4.2
freetype freetype *
freetype freetype 2.3.5
freetype freetype 2.2.1
apple iphone_os 3.1
freetype freetype 2.3.12
apple iphone_os *
apple iphone_os 4.2.1
freetype freetype 2.3.4
freetype freetype 2.4.4
apple iphone_os 4.0.1
apple iphone_os 2.2
apple iphone_os 1.1.0
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
apple iphone_os 1.0.0
apple iphone_os 4.3.2
freetype freetype 2.3.8
apple iphone_os 4.2.5
freetype freetype 2.4.0
apple iphone_os 4.0.2
apple iphone_os 3.2
freetype freetype 2.3.7
freetype freetype 2.3.3
apple iphone_os 2.0.0
apple iphone_os 3.0.1
apple iphone_os 1.1.2
apple iphone_os 2.1.1
freetype freetype 2.2.10
apple iphone_os 1.1.1
apple iphone_os 4.3.3
freetype freetype 2.3.10
apple iphone_os 2.0
apple iphone_os 4.0
apple iphone_os 3.1.2
apple iphone_os 3.1.3
apple iphone_os 1.1.4
freetype freetype 2.4.1
apple iphone_os 2.1
apple iphone_os 4.1
apple iphone_os 2.0.1
CVE-2011-2895 HIGH

The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
x libxfont 1.2.1
x libxfont 1.2.8
x libxfont 1.4.2
openbsd openbsd 2.1
openbsd openbsd 2.2
x libxfont 1.2.5
freebsd freebsd *
openbsd openbsd 2.8
openbsd openbsd 2.7
x libxfont 1.2.0
x libxfont 1.2.2
x libxfont 1.2.7
x libxfont 1.3.4
openbsd openbsd 3.3
openbsd openbsd 3.0
openbsd openbsd 3.5
x libxfont 1.4.0
x libxfont 1.3.3
openbsd openbsd 3.1
x libxfont 1.2.3
x libxfont 1.3.1
openbsd openbsd 2.9
openbsd openbsd 2.4
openbsd openbsd *
openbsd openbsd 3.6
openbsd openbsd 2.6
openbsd openbsd 2.0
freetype freetype 2.1.9
x libxfont *
x libxfont 1.2.4
x libxfont 1.2.9
x libxfont 1.3.0
openbsd openbsd 2.3
netbsd netbsd *
openbsd openbsd 2.5
x libxfont 1.2.6
x libxfont 1.3.2
openbsd openbsd 3.2
openbsd openbsd 3.4
x libxfont 1.4.1
CVE-2012-1126 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1127 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1128 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1129 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted SFNT string in a Type 42 font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1130 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a PCF font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1131 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, on 64-bit platforms allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors related to the cell table of a font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1132 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted dictionary data in a Type 1 font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1133 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1134 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted private-dictionary data in a Type 1 font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1135 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the NPUSHB and NPUSHW instructions in a TrueType font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1136 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font that lacks an ENCODING field.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1137 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted header in a BDF font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1138 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the MIRP instruction in a TrueType font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1139 HIGH

Array index error in FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid stack read operation and memory corruption) or possibly execute arbitrary code via crafted glyph data in a BDF font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1140 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted PostScript font object.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1141 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted ASCII string in a BDF font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1142 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph-outline data in a font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1143 MEDIUM

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted font.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-1144 HIGH

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
mozilla firefox_mobile 6.0
mozilla firefox_mobile 10.0.1
freetype freetype 2.0.8
freetype freetype 2.3.2
mozilla firefox_mobile 10.0.2
freetype freetype 2.0.4
mozilla firefox_mobile *
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
mozilla firefox_mobile 5.0
freetype freetype 2.3.12
freetype freetype 2.0.5
mozilla firefox_mobile 4.0
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
mozilla firefox_mobile 6.0.1
mozilla firefox_mobile 6.0.2
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
mozilla firefox_mobile 7.0
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.3.7
freetype freetype 2.3.3
mozilla firefox_mobile 9.0
freetype freetype 2.1.3
mozilla firefox_mobile 8.0
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
mozilla firefox_mobile 1.0
mozilla firefox_mobile 10.0
CVE-2012-5668 MEDIUM

FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to BDF fonts and the improper handling of an "allocation error" in the bdf_free_font function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
freetype freetype 2.4.9
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.0.8
freetype freetype 2.3.6
freetype freetype 2.3.2
freetype freetype 2.4.8
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.0.4
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.3.7
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype 2.3.3
freetype freetype 2.1.3
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
freetype freetype 2.3.10
freetype freetype 2.3.12
freetype freetype 2.0.6
freetype freetype 2.0.5
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
CVE-2012-5669 MEDIUM

The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
freetype freetype 2.4.9
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.0.8
freetype freetype 2.3.6
freetype freetype 2.3.2
freetype freetype 2.4.8
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.0.4
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.3.7
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype 2.3.3
freetype freetype 2.1.3
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
freetype freetype 2.3.10
freetype freetype 2.3.12
freetype freetype 2.0.6
freetype freetype 2.0.5
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
CVE-2012-5670 MEDIUM

The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
freetype freetype 2.4.9
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.0.8
freetype freetype 2.3.6
freetype freetype 2.3.2
freetype freetype 2.4.8
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.0.4
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.1.6
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.3.7
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype 2.3.3
freetype freetype 2.1.3
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
freetype freetype 2.3.10
freetype freetype 2.3.12
freetype freetype 2.0.6
freetype freetype 2.0.5
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
CVE-2014-2240 HIGH

Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of stem hints in a font file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype 2.3.1
freetype freetype 2.1.7
freetype freetype 2.0.0
freetype freetype 2.5.1
freetype freetype 2.1.5
freetype freetype 2.2.0
freetype freetype 2.3.0
freetype freetype 2.0.8
freetype freetype 2.3.2
freetype freetype 2.4.8
freetype freetype 2.0.4
freetype freetype 2.4.10
freetype freetype 2.1.9
freetype freetype 2.1.10
freetype freetype 2.4.2
freetype freetype 2.4.7
freetype freetype *
freetype freetype 2.0.3
freetype freetype 2.3.5
freetype freetype 2.0.2
freetype freetype 2.2.1
freetype freetype 2.4.5
freetype freetype 2.3.12
freetype freetype 2.0.5
freetype freetype 2.3.4
freetype freetype 2.1
freetype freetype 2.4.6
freetype freetype 2.4.4
freetype freetype 2.4.9
freetype freetype 2.4.11
freetype freetype 2.3.9
freetype freetype 2.3.11
freetype freetype 2.4.3
freetype freetype 2.3.6
freetype freetype 2.3.8
freetype freetype 2.4.0
freetype freetype 2.1.4
freetype freetype 2.0.9
freetype freetype 2.4.12
freetype freetype 2.1.6
freetype freetype 2.5
freetype freetype 2.3.7
freetype freetype 2.3.3
freetype freetype 2.1.3
freetype freetype 2.3.10
freetype freetype 2.0.6
freetype freetype 2.1.8
freetype freetype 2.4.1
freetype freetype 2.0.7
freetype freetype 1.3.1
freetype freetype 2.0.1
CVE-2014-2241 MEDIUM

The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer functions in cff/cf2ft.c in FreeType before 2.5.3 do not properly check if a subroutine exists, which allows remote attackers to cause a denial of service (assertion failure), as demonstrated by a crafted ttf file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
canonical ubuntu_linux 13.10
freetype freetype 2.5
freetype freetype *
freetype freetype 2.5.1
CVE-2014-9656 HIGH

The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
canonical ubuntu_linux 15.04
opensuse opensuse 13.1
fedoraproject fedora 20
freetype freetype *
opensuse opensuse 13.2
canonical ubuntu_linux 12.04
debian debian_linux 7.0
canonical ubuntu_linux 10.04
fedoraproject fedora 21
CVE-2014-9657 HIGH

The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
fedoraproject fedora 21
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
redhat enterprise_linux_hpc_node 6.0
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
debian debian_linux 7.0
redhat enterprise_linux_server_eus 6.6.z
redhat enterprise_linux_desktop 6.0
fedoraproject fedora 20
freetype freetype *
redhat enterprise_linux_server_eus 7.1
oracle solaris 10.0
canonical ubuntu_linux 15.04
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 7.0
oracle solaris 11.2
canonical ubuntu_linux 10.04
CVE-2014-9658 HIGH

The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
fedoraproject fedora 21
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
debian debian_linux 7.0
redhat enterprise_linux_server_eus 6.6.z
redhat enterprise_linux_desktop 6.0
fedoraproject fedora 20
freetype freetype *
redhat enterprise_linux_server_eus 7.1
oracle solaris 10.0
canonical ubuntu_linux 15.04
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 6
redhat enterprise_linux_hpc_node 7.0
oracle solaris 11.2
canonical ubuntu_linux 10.04
CVE-2014-9659 HIGH

cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4 proceeds with additional hints after the hint mask has been computed, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted OpenType font. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2240.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
opensuse opensuse 13.1
fedoraproject fedora 20
freetype freetype *
canonical ubuntu_linux 12.04
fedoraproject fedora 21
canonical ubuntu_linux 14.04
oracle solaris 10.0
canonical ubuntu_linux 14.10
canonical ubuntu_linux 15.04
opensuse opensuse 13.2
oracle solaris 11.2
canonical ubuntu_linux 10.04
CVE-2014-9660 HIGH

The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not properly handle a missing ENDCHAR record, which allows remote attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted BDF font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
fedoraproject fedora 21
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
debian debian_linux 7.0
redhat enterprise_linux_server_eus 6.6.z
redhat enterprise_linux_desktop 6.0
fedoraproject fedora 20
freetype freetype *
redhat enterprise_linux_server_eus 7.1
oracle solaris 10.0
canonical ubuntu_linux 15.04
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 6
redhat enterprise_linux_hpc_node 7.0
oracle solaris 11.2
canonical ubuntu_linux 10.04
CVE-2014-9661 HIGH

type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
fedoraproject fedora 20
freetype freetype *
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
fedoraproject fedora 21
redhat enterprise_linux_server_eus 7.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
canonical ubuntu_linux 15.04
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 6
redhat enterprise_linux_hpc_node 7.0
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
debian debian_linux 7.0
canonical ubuntu_linux 10.04
redhat enterprise_linux_server_eus 6.6.z
CVE-2014-9662 HIGH

cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
canonical ubuntu_linux 15.04
opensuse opensuse 13.1
fedoraproject fedora 20
freetype freetype *
opensuse opensuse 13.2
canonical ubuntu_linux 12.04
debian debian_linux 7.0
canonical ubuntu_linux 10.04
fedoraproject fedora 21
CVE-2014-9663 HIGH

The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
fedoraproject fedora 21
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
debian debian_linux 7.0
redhat enterprise_linux_server_eus 6.6.z
redhat enterprise_linux_desktop 6.0
fedoraproject fedora 20
freetype freetype *
redhat enterprise_linux_server_eus 7.1
oracle solaris 10.0
canonical ubuntu_linux 15.04
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 6
redhat enterprise_linux_hpc_node 7.0
oracle solaris 11.2
canonical ubuntu_linux 10.04
CVE-2014-9664 MEDIUM

FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
fedoraproject fedora 21
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
debian debian_linux 7.0
redhat enterprise_linux_server_eus 6.6.z
redhat enterprise_linux_desktop 6.0
fedoraproject fedora 20
freetype freetype *
redhat enterprise_linux_server_eus 7.1
oracle solaris 10.0
canonical ubuntu_linux 15.04
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 6
redhat enterprise_linux_hpc_node 7.0
oracle solaris 11.2
canonical ubuntu_linux 10.04
CVE-2014-9665 HIGH

The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
opensuse opensuse 13.1
fedoraproject fedora 20
freetype freetype *
canonical ubuntu_linux 15.10
opensuse opensuse 13.2
canonical ubuntu_linux 12.04
canonical ubuntu_linux 10.04
fedoraproject fedora 21
CVE-2014-9666 MEDIUM

The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
fedoraproject fedora 21
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
debian debian_linux 7.0
redhat enterprise_linux_server_eus 6.6.z
redhat enterprise_linux_desktop 6.0
fedoraproject fedora 20
freetype freetype *
redhat enterprise_linux_server_eus 7.1
oracle solaris 10.0
canonical ubuntu_linux 15.04
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 6
redhat enterprise_linux_hpc_node 7.0
oracle solaris 11.2
canonical ubuntu_linux 10.04
CVE-2014-9667 MEDIUM

sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
fedoraproject fedora 20
freetype freetype *
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
fedoraproject fedora 21
redhat enterprise_linux_server_eus 7.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
canonical ubuntu_linux 15.04
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 6
redhat enterprise_linux_hpc_node 7.0
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
debian debian_linux 7.0
canonical ubuntu_linux 10.04
redhat enterprise_linux_server_eus 6.6.z
CVE-2014-9668 HIGH

The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
canonical ubuntu_linux 15.04
opensuse opensuse 13.1
fedoraproject fedora 20
freetype freetype *
opensuse opensuse 13.2
canonical ubuntu_linux 12.04
canonical ubuntu_linux 10.04
fedoraproject fedora 21
CVE-2014-9669 MEDIUM

Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
fedoraproject fedora 21
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
debian debian_linux 7.0
redhat enterprise_linux_server_eus 6.6.z
redhat enterprise_linux_desktop 6.0
fedoraproject fedora 20
freetype freetype *
redhat enterprise_linux_server_eus 7.1
oracle solaris 10.0
canonical ubuntu_linux 15.04
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 6
redhat enterprise_linux_hpc_node 7.0
oracle solaris 11.2
canonical ubuntu_linux 10.04
CVE-2014-9670 MEDIUM

Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
fedoraproject fedora 21
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
debian debian_linux 7.0
redhat enterprise_linux_server_eus 6.6.z
redhat enterprise_linux_desktop 6.0
fedoraproject fedora 20
freetype freetype *
redhat enterprise_linux_server_eus 7.1
oracle solaris 10.0
canonical ubuntu_linux 15.04
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 6
redhat enterprise_linux_hpc_node 7.0
oracle solaris 11.2
canonical ubuntu_linux 10.04
CVE-2014-9671 MEDIUM

Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PCF file with a 0xffffffff size value that is improperly incremented.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
freetype freetype *
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
redhat enterprise_linux_server_eus 7.1
canonical ubuntu_linux 14.04
oracle solaris 10.0
canonical ubuntu_linux 14.10
canonical ubuntu_linux 15.04
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 6
redhat enterprise_linux_hpc_node 7.0
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
oracle solaris 11.2
debian debian_linux 7.0
canonical ubuntu_linux 10.04
redhat enterprise_linux_server_eus 6.6.z
CVE-2014-9672 MEDIUM

Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
oracle solaris 10.0
canonical ubuntu_linux 14.10
canonical ubuntu_linux 15.04
opensuse opensuse 13.1
freetype freetype *
opensuse opensuse 13.2
canonical ubuntu_linux 12.04
oracle solaris 11.2
debian debian_linux 7.0
canonical ubuntu_linux 10.04
CVE-2014-9673 MEDIUM

Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
freetype freetype *
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
redhat enterprise_linux_server_eus 7.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
canonical ubuntu_linux 15.04
redhat enterprise_linux_hpc_node 6.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 7.0
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
debian debian_linux 7.0
canonical ubuntu_linux 10.04
redhat enterprise_linux_server_eus 6.6.z
CVE-2014-9674 HIGH

The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
fedoraproject fedora 20
freetype freetype *
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
fedoraproject fedora 21
redhat enterprise_linux_server_eus 7.1
canonical ubuntu_linux 14.04
oracle solaris 10.0
canonical ubuntu_linux 14.10
canonical ubuntu_linux 15.04
redhat enterprise_linux_hpc_node 6.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 7.0
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
oracle solaris 11.2
canonical ubuntu_linux 10.04
redhat enterprise_linux_server_eus 6.6.z
CVE-2014-9675 MEDIUM

bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
fedoraproject fedora 20
freetype freetype *
canonical ubuntu_linux 12.04
redhat enterprise_linux_hpc_node_eus 7.1
fedoraproject fedora 21
redhat enterprise_linux_server_eus 7.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 14.10
canonical ubuntu_linux 15.04
redhat enterprise_linux_hpc_node 6.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_hpc_node 7.0
redhat enterprise_linux_server 6.0
opensuse opensuse 13.2
debian debian_linux 7.0
canonical ubuntu_linux 10.04
redhat enterprise_linux_server_eus 6.6.z
CVE-2014-9745 MEDIUM

The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (infinite loop) via a "broken number-with-base" in a Postscript stream, as demonstrated by 8#garbage.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.04
opensuse opensuse 13.1
freetype freetype *
canonical ubuntu_linux 12.04
debian debian_linux 7.0
debian debian_linux 8.0
CVE-2014-9746 HIGH

The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse_font_matrix function in cid/cidload.c, (3) t42_parse_font_matrix function in type42/t42parse.c, and (4) ps_parser_load_field function in psaux/psobjs.c in FreeType before 2.5.4 do not check return values, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted font.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
freetype freetype *
debian debian_linux 7.0
debian debian_linux 8.0
CVE-2014-9747 MEDIUM

The t42_parse_encoding function in type42/t42parse.c in FreeType before 2.5.4 does not properly update the current position for immediates-only mode, which allows remote attackers to cause a denial of service (infinite loop) via a Type42 font.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
freetype freetype *
debian debian_linux 7.0
debian debian_linux 8.0
CVE-2015-9290 HIGH

In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
freetype freetype *
CVE-2015-9381 MEDIUM

FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
freetype freetype *
debian debian_linux 8.0
CVE-2015-9382 MEDIUM

FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
freetype freetype *
debian debian_linux 8.0
CVE-2015-9383 MEDIUM

FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
freetype freetype *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
debian debian_linux 8.0
CVE-2016-10244 MEDIUM

The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
freetype freetype *
debian debian_linux 8.0
CVE-2016-10328 HIGH

FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
oracle outside_in_technology 8.5.4
freetype freetype *
CVE-2017-7857 HIGH

FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
freetype freetype *
CVE-2017-7858 HIGH

FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
freetype freetype *
CVE-2017-7864 HIGH

FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
freetype freetype *
CVE-2017-8105 HIGH

FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
freetype freetype *
debian debian_linux 8.0
CVE-2017-8287 HIGH

FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
freetype freetype *
CVE-2018-6942 MEDIUM

An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
canonical ubuntu_linux 17.10
freetype freetype *
CVE-2020-15999 MEDIUM

Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-120,

Products Affected

Vendor Product Version
fedoraproject fedora 31
freetype freetype *
netapp ontap_select_deploy_administration_utility -
opensuse backports_sle 15.0
debian debian_linux 10.0
google chrome *
CVE-2022-27404 HIGH

FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
fedoraproject fedora 35
fedoraproject fedora 36
fedoraproject fedora 34
freetype freetype *
CVE-2022-27405 MEDIUM

FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
fedoraproject fedora 35
fedoraproject fedora 36
fedoraproject fedora 34
freetype freetype *
CVE-2022-27406 MEDIUM

FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
fedoraproject fedora 35
fedoraproject fedora 36
fedoraproject fedora 34
freetype freetype *
CVE-2025-23022

FreeType 2.8.1 has a signed integer overflow in cf2_doFlex in cff/cf2intrp.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.5 3.6
cve@mitre.org 4.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.5 1.4

Products Affected

Vendor Product Version
freetype freetype 2.8.1
CVE-2025-27363

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
cve-assign@fb.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
debian debian_linux 11.0
freetype freetype *