USN-2739-1 FreeType Vulnerabilities




Canonical Ubuntu

Versions Affected
  • libfreetype6 2.5.2-1ubuntu2.5 - FreeType 2 is a font engine library

It was discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or hang, resulting in a denial of service, or possibly expose uninitialized memory.

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • BOSH: All versions of Cloud Foundry BOSH stemcells prior to v3094 are vulnerable to the aforementioned CVEs.
  • Cloud Foundry Runtime: All versions of cf-release prior to 219 are vulnerable to the aforementioned CVEs.
  • Products in the PCF Suite which reference BOSH stemcell v3093 or earlier are vulnerable to the aforementioned CVEs:
    • Ops Manager v1.5.6 or earlier
    • Elastic Runtime v1.5.5 or earlier
    • Ops Metrics v1.4.3 or earlier
    • MySQL for Pivotal Cloud Foundry v1.6.2 or earlier
    • Session State Caching Powered by Pivotal GemFire v1.0.2 or earlier
    • RabbitMQ for Pivotal Cloud Foundry v1.4.4 or earlier
    • Redis for Pivotal Cloud Foundry v1.4.8 or earlier

Users of affected versions should apply the following mitigation: