Subject: [ASA-201805-3] freetype2: denial of service

Arch Linux Security Advisory ASA-201805-3
=========================================

Severity: Low
Date    : 2018-05-09
CVE-ID  : CVE-2018-6942
Package : freetype2
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-613

Summary
=======

The package freetype2 before version 2.9.1-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 2.9.1-1.

# pacman -Syu "freetype2>=2.9.1-1"

The problem has been fixed upstream in version 2.9.1.

Workaround
==========

None.

Description
===========

An issue was discovered in FreeType 2 before 2.9.1. A NULL pointer
dereference in the Ins_GETVARIATION() function within ttinterp.c could
lead to denial of service via a crafted font file.

Impact
======

A remote attacker is able to cause a denial of service via a specially
crafted file.

References
==========

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5736
https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=29c759284e305ec428703c9a5831d0b1fc3497ef
https://security.archlinux.org/CVE-2018-6942