ft2demos-2.7-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10172-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ft2demos-2.7-1.1 on GA media These are all security issues fixed in the ft2demos-2.7-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10172 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-0946/ SUSE CVE CVE-2009-0946 page https://www.suse.com/security/cve/CVE-2010-2497/ SUSE CVE CVE-2010-2497 page https://www.suse.com/security/cve/CVE-2010-2805/ SUSE CVE CVE-2010-2805 page https://www.suse.com/security/cve/CVE-2010-3053/ SUSE CVE CVE-2010-3053 page https://www.suse.com/security/cve/CVE-2010-3054/ SUSE CVE CVE-2010-3054 page https://www.suse.com/security/cve/CVE-2010-3311/ SUSE CVE CVE-2010-3311 page https://www.suse.com/security/cve/CVE-2010-3814/ SUSE CVE CVE-2010-3814 page https://www.suse.com/security/cve/CVE-2011-0226/ SUSE CVE CVE-2011-0226 page https://www.suse.com/security/cve/CVE-2012-5668/ SUSE CVE CVE-2012-5668 page https://www.suse.com/security/cve/CVE-2012-5669/ SUSE CVE CVE-2012-5669 page https://www.suse.com/security/cve/CVE-2012-5670/ SUSE CVE CVE-2012-5670 page https://www.suse.com/security/cve/CVE-2014-2240/ SUSE CVE CVE-2014-2240 page https://www.suse.com/security/cve/CVE-2014-9656/ SUSE CVE CVE-2014-9656 page https://www.suse.com/security/cve/CVE-2014-9657/ SUSE CVE CVE-2014-9657 page https://www.suse.com/security/cve/CVE-2014-9658/ SUSE CVE CVE-2014-9658 page https://www.suse.com/security/cve/CVE-2014-9659/ SUSE CVE CVE-2014-9659 page https://www.suse.com/security/cve/CVE-2014-9660/ SUSE CVE CVE-2014-9660 page https://www.suse.com/security/cve/CVE-2014-9661/ SUSE CVE CVE-2014-9661 page https://www.suse.com/security/cve/CVE-2014-9662/ SUSE CVE CVE-2014-9662 page https://www.suse.com/security/cve/CVE-2014-9663/ SUSE CVE CVE-2014-9663 page https://www.suse.com/security/cve/CVE-2014-9664/ SUSE CVE CVE-2014-9664 page https://www.suse.com/security/cve/CVE-2014-9665/ SUSE CVE CVE-2014-9665 page https://www.suse.com/security/cve/CVE-2014-9666/ SUSE CVE CVE-2014-9666 page https://www.suse.com/security/cve/CVE-2014-9667/ SUSE CVE CVE-2014-9667 page https://www.suse.com/security/cve/CVE-2014-9668/ SUSE CVE CVE-2014-9668 page https://www.suse.com/security/cve/CVE-2014-9669/ SUSE CVE CVE-2014-9669 page https://www.suse.com/security/cve/CVE-2014-9670/ SUSE CVE CVE-2014-9670 page https://www.suse.com/security/cve/CVE-2014-9671/ SUSE CVE CVE-2014-9671 page https://www.suse.com/security/cve/CVE-2014-9672/ SUSE CVE CVE-2014-9672 page https://www.suse.com/security/cve/CVE-2014-9673/ SUSE CVE CVE-2014-9673 page https://www.suse.com/security/cve/CVE-2014-9674/ SUSE CVE CVE-2014-9674 page https://www.suse.com/security/cve/CVE-2014-9675/ SUSE CVE CVE-2014-9675 page openSUSE Tumbleweed ft2demos-2.7-1.1 ft2demos-2.7-1.1 as a component of openSUSE Tumbleweed Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c. CVE-2009-0946 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-0946.html CVE-2009-0946 https://bugzilla.suse.com/485889 SUSE Bug 485889 https://bugzilla.suse.com/496289 SUSE Bug 496289 https://bugzilla.suse.com/541626 SUSE Bug 541626 Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVE-2010-2497 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-2497.html CVE-2010-2497 https://bugzilla.suse.com/619562 SUSE Bug 619562 https://bugzilla.suse.com/635692 SUSE Bug 635692 The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVE-2010-2805 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-2805.html CVE-2010-2805 https://bugzilla.suse.com/629447 SUSE Bug 629447 https://bugzilla.suse.com/635692 SUSE Bug 635692 bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string. CVE-2010-3053 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-3053.html CVE-2010-3053 https://bugzilla.suse.com/633938 SUSE Bug 633938 https://bugzilla.suse.com/635692 SUSE Bug 635692 https://bugzilla.suse.com/645982 SUSE Bug 645982 Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c. CVE-2010-3054 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-3054.html CVE-2010-3054 https://bugzilla.suse.com/633943 SUSE Bug 633943 https://bugzilla.suse.com/635692 SUSE Bug 635692 https://bugzilla.suse.com/645982 SUSE Bug 645982 Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a heap-based buffer overflow, related to an "input stream position error" issue, a different vulnerability than CVE-2010-1797. CVE-2010-3311 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-3311.html CVE-2010-3311 https://bugzilla.suse.com/635692 SUSE Bug 635692 https://bugzilla.suse.com/641580 SUSE Bug 641580 https://bugzilla.suse.com/645982 SUSE Bug 645982 Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted SHZ bytecode instruction, related to TrueType opcodes, as demonstrated by a PDF document with a crafted embedded font. CVE-2010-3814 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-3814.html CVE-2010-3814 https://bugzilla.suse.com/647375 SUSE Bug 647375 https://bugzilla.suse.com/689174 SUSE Bug 689174 Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011. CVE-2011-0226 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-0226.html CVE-2011-0226 https://bugzilla.suse.com/704612 SUSE Bug 704612 https://bugzilla.suse.com/728044 SUSE Bug 728044 FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to BDF fonts and the improper handling of an "allocation error" in the bdf_free_font function. CVE-2012-5668 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-5668.html CVE-2012-5668 https://bugzilla.suse.com/795826 SUSE Bug 795826 The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read. CVE-2012-5669 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-5669.html CVE-2012-5669 https://bugzilla.suse.com/795826 SUSE Bug 795826 The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value. CVE-2012-5670 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-5670.html CVE-2012-5670 https://bugzilla.suse.com/795826 SUSE Bug 795826 Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of stem hints in a font file. CVE-2014-2240 openSUSE Tumbleweed:ft2demos-2.7-1.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-2240.html CVE-2014-2240 https://bugzilla.suse.com/867620 SUSE Bug 867620 https://bugzilla.suse.com/916867 SUSE Bug 916867 The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font. CVE-2014-9656 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9656.html CVE-2014-9656 https://bugzilla.suse.com/916847 SUSE Bug 916847 The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. CVE-2014-9657 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9657.html CVE-2014-9657 https://bugzilla.suse.com/916856 SUSE Bug 916856 The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. CVE-2014-9658 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9658.html CVE-2014-9658 https://bugzilla.suse.com/916857 SUSE Bug 916857 cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4 proceeds with additional hints after the hint mask has been computed, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted OpenType font. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2240. CVE-2014-9659 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9659.html CVE-2014-9659 https://bugzilla.suse.com/916867 SUSE Bug 916867 The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not properly handle a missing ENDCHAR record, which allows remote attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted BDF font. CVE-2014-9660 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9660.html CVE-2014-9660 https://bugzilla.suse.com/916858 SUSE Bug 916858 type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font. CVE-2014-9661 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9661.html CVE-2014-9661 https://bugzilla.suse.com/916859 SUSE Bug 916859 cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font. CVE-2014-9662 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9662.html CVE-2014-9662 https://bugzilla.suse.com/916860 SUSE Bug 916860 The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table. CVE-2014-9663 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9663.html CVE-2014-9663 https://bugzilla.suse.com/916865 SUSE Bug 916865 FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c. CVE-2014-9664 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9664.html CVE-2014-9664 https://bugzilla.suse.com/916864 SUSE Bug 916864 The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file. CVE-2014-9665 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9665.html CVE-2014-9665 https://bugzilla.suse.com/916863 SUSE Bug 916863 The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap. CVE-2014-9666 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9666.html CVE-2014-9666 https://bugzilla.suse.com/916862 SUSE Bug 916862 sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table. CVE-2014-9667 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9667.html CVE-2014-9667 https://bugzilla.suse.com/916861 SUSE Bug 916861 The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file. CVE-2014-9668 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9668.html CVE-2014-9668 https://bugzilla.suse.com/916868 SUSE Bug 916868 Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table. CVE-2014-9669 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9669.html CVE-2014-9669 https://bugzilla.suse.com/916870 SUSE Bug 916870 Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row. CVE-2014-9670 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9670.html CVE-2014-9670 https://bugzilla.suse.com/916871 SUSE Bug 916871 https://bugzilla.suse.com/933247 SUSE Bug 933247 Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PCF file with a 0xffffffff size value that is improperly incremented. CVE-2014-9671 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9671.html CVE-2014-9671 https://bugzilla.suse.com/916872 SUSE Bug 916872 https://bugzilla.suse.com/933247 SUSE Bug 933247 Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file. CVE-2014-9672 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9672.html CVE-2014-9672 https://bugzilla.suse.com/916873 SUSE Bug 916873 Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font. CVE-2014-9673 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9673.html CVE-2014-9673 https://bugzilla.suse.com/916874 SUSE Bug 916874 The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font. CVE-2014-9674 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9674.html CVE-2014-9674 https://bugzilla.suse.com/916879 SUSE Bug 916879 bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font. CVE-2014-9675 openSUSE Tumbleweed:ft2demos-2.7-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9675.html CVE-2014-9675 https://bugzilla.suse.com/916881 SUSE Bug 916881