Improper Input Validation Affecting freetype package, versions <2.6-1


Severity

Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
2.55% (90th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Input Validation vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN11-FREETYPE-516722
  • published7 Jun 2016
  • disclosed7 Jun 2016

Introduced: 7 Jun 2016

CVE-2014-9746  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade Debian:11 freetype to version 2.6-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse_font_matrix function in cid/cidload.c, (3) t42_parse_font_matrix function in type42/t42parse.c, and (4) ps_parser_load_field function in psaux/psobjs.c in FreeType before 2.5.4 do not check return values, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted font.

CVSS Scores

version 3.1