Homepage
About Snyk

Out-of-bounds Write Affecting freetype package, versions >=0.0.0

Severity

 Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.95% (84th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-COCOAPODS-FREETYPE-470725
  • published 2 Oct 2019
  • disclosed 25 Mar 2017
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 25 Mar 2017

CVE-2017-8287 Open this link in a new tab
CWE-119 Open this link in a new tab

How to fix?

There is no fixed version for freetype.

Overview

freetype is a freely available software library to render fonts

Affected versions of this package are vulnerable to Out-of-bounds Write. These writes are caused by a heap-based buffer overflow in the t1_builder_close_contour function in psaux/psobjs.c. If a malformed font is supplied, it is possible that the contour variable is started but no points added, causing the buffer overflow.

CVSS Scores

version 3.1
Expand this section

Snyk

9.8 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High