USN-3409-1: FontForge vulnerabilities

4 September 2017

fontforge vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in FontForge.

Software Description

  • fontforge - font editor

Details

It was discovered that FontForge was vulnerable to a heap-based buffer over-read. A remote attacker could use a crafted file to DoS or execute arbitrary code. (CVE-2017-11568, CVE-2017-11569, CVE-2017-11572)

It was discovered that FontForge was vulnerable to a stack-based buffer overflow. A remote attacker could use a crafted file to DoS or execute arbitrary code. (CVE-2017-11571)

It was discovered that FontForge was vulnerable to a heap-based buffer overflow. A remote attacker could use a crafted file to DoS or execute arbitrary code. (CVE-2017-11574)

It was discovered that FontForge was vulnerable to a buffer over-read. A remote attacker could use a crafted file to DoS or execute arbitrary code. (CVE-2017-11575, CVE-2017-11577)

It was discovered that FontForge wasn’t correctly checking the sign of a vector size. A remote attacker could use a crafted file to DoS. (CVE-2017-11576)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS
fontforge - 20120731.b-5ubuntu0.1
fontforge-common - 20120731.b-5ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References