CVE-2014-9668CVE-2014-9668

Affected configuration(s):

cpe:/a:freetype:freetype:2.5.3
cpe:/o:canonical:ubuntu_linux:10.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:12.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:14.10
cpe:/o:canonical:ubuntu_linux:15.04
cpe:/o:fedoraproject:fedora:20
cpe:/o:fedoraproject:fedora:21
cpe:/o:novell:opensuse:13.1
cpe:/o:novell:opensuse:13.2

Date published: 2015-02-08T06:59:29.977-05:00

Date last modified: 2017-06-30T21:29:10.747-04:00

CVSS Score: 7.5

Principal attack vector: NETWORK

Complexity:  LOW

Reference URL: http://code.google.com/p/google-security-research/issues/detail?id=164

Summary: The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file.

CVE-2014-7941CVE-2014-7941

Affected configuration(s):

cpe:/a:chromium:chromium:40.0.2214.110
cpe:/a:google:chrome:40.0.2214.85
cpe:/o:novell:opensuse:13.1
cpe:/o:novell:opensuse:13.2
cpe:/o:redhat:enterprise_linux_desktop_supplementary:6.0
cpe:/o:redhat:enterprise_linux_server_supplementary:6.0
cpe:/o:redhat:enterprise_linux_server_supplementary_eus:6.6.z
cpe:/o:redhat:enterprise_linux_workstation_supplementary:6.0

Date published: 2015-01-22T17:59:21.727-05:00

Date last modified: 2017-01-02T21:59:14.593-05:00

CVSS Score: 5.0

Principal attack vector: NETWORK

Complexity:  LOW

Reference URL: http://googlechromereleases.blogspot.com/2015/01/stable-update.html

Summary: The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect data type for a certain length value, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted X11 data.

CVE-2014-7943CVE-2014-7943

Affected configuration(s):

cpe:/a:chromium:chromium:40.0.2214.110
cpe:/a:google:chrome:40.0.2214.85
cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:14.10
cpe:/o:novell:opensuse:13.1
cpe:/o:novell:opensuse:13.2
cpe:/o:redhat:enterprise_linux_desktop_supplementary:6.0
cpe:/o:redhat:enterprise_linux_server_supplementary:6.0
cpe:/o:redhat:enterprise_linux_server_supplementary_eus:6.6.z
cpe:/o:redhat:enterprise_linux_workstation_supplementary:6.0

Date published: 2015-01-22T17:59:23.367-05:00

Date last modified: 2017-01-02T21:59:15.017-05:00

CVSS Score: 5.0

Principal attack vector: NETWORK

Complexity:  LOW

Reference URL: http://googlechromereleases.blogspot.com/2015/01/stable-update.html

Summary: Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2014-7942CVE-2014-7942

Affected configuration(s):

cpe:/a:chromium:chromium:40.0.2214.110
cpe:/a:google:chrome:40.0.2214.85
cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:14.10
cpe:/o:novell:opensuse:13.1
cpe:/o:novell:opensuse:13.2
cpe:/o:redhat:enterprise_linux_desktop_supplementary:6.0
cpe:/o:redhat:enterprise_linux_server_supplementary:6.0
cpe:/o:redhat:enterprise_linux_server_supplementary_eus:6.6.z
cpe:/o:redhat:enterprise_linux_workstation_supplementary:6.0

Date published: 2015-01-22T17:59:22.523-05:00

Date last modified: 2017-01-02T21:59:14.737-05:00

CVSS Score: 7.5

Principal attack vector: NETWORK

Complexity:  LOW

Reference URL: http://googlechromereleases.blogspot.com/2015/01/stable-update.html

Summary: The Fonts implementation in Google Chrome before 40.0.2214.91 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

CVE-2014-7939CVE-2014-7939

Affected configuration(s):

cpe:/a:chromium:chromium:40.0.2214.110
cpe:/a:google:chrome:40.0.2214.85
cpe:/o:novell:opensuse:13.1
cpe:/o:novell:opensuse:13.2
cpe:/o:redhat:enterprise_linux_desktop_supplementary:6.0
cpe:/o:redhat:enterprise_linux_server_supplementary:6.0
cpe:/o:redhat:enterprise_linux_server_supplementary_eus:6.6.z
cpe:/o:redhat:enterprise_linux_workstation_supplementary:6.0

Date published: 2015-01-22T17:59:20.117-05:00

Date last modified: 2017-01-02T21:59:14.437-05:00

CVSS Score: 4.3

Principal attack vector: NETWORK

Complexity:  MEDIUM

Reference URL: http://googlechromereleases.blogspot.com/2015/01/stable-update.html

Summary: Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an “X-Content-Type-Options: nosniff” header.

CVE-2014-7824CVE-2014-7824

Affected configuration(s):

cpe:/a:d-bus_project:d-bus:1.6.0
cpe:/a:d-bus_project:d-bus:1.6.2
cpe:/a:d-bus_project:d-bus:1.6.4
cpe:/a:d-bus_project:d-bus:1.6.6
cpe:/a:d-bus_project:d-bus:1.6.8
cpe:/a:d-bus_project:d-bus:1.6.10
cpe:/a:d-bus_project:d-bus:1.6.12
cpe:/a:d-bus_project:d-bus:1.6.14
cpe:/a:d-bus_project:d-bus:1.6.16
cpe:/a:d-bus_project:d-bus:1.6.18
cpe:/a:d-bus_project:d-bus:1.6.20
cpe:/a:d-bus_project:d-bus:1.6.22
cpe:/a:d-bus_project:d-bus:1.6.24
cpe:/a:d-bus_project:d-bus:1.8.0
cpe:/a:d-bus_project:d-bus:1.8.2
cpe:/a:d-bus_project:d-bus:1.8.4
cpe:/a:d-bus_project:d-bus:1.8.6
cpe:/a:d-bus_project:d-bus:1.8.8
cpe:/a:d-bus_project:d-bus:1.9.0
cpe:/o:canonical:ubuntu_linux:12.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:14.10
cpe:/o:debian:debian_linux:7.0
cpe:/o:debian:debian_linux:8.0
cpe:/o:mageia_project:mageia:3
cpe:/o:mageia_project:mageia:4

Date published: 2014-11-18T10:59:04.017-05:00

Date last modified: 2017-09-07T21:29:16.793-04:00

CVSS Score: 2.1

Principal attack vector: LOCAL

Complexity:  LOW

Reference URL: http://advisories.mageia.org/MGASA-2014-0457.html

Summary: D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.

CVE-2014-3533CVE-2014-3533

Affected configuration(s):

cpe:/a:d-bus_project:d-bus:1.3.0
cpe:/a:d-bus_project:d-bus:1.3.1
cpe:/a:d-bus_project:d-bus:1.4.0
cpe:/a:d-bus_project:d-bus:1.4.1
cpe:/a:d-bus_project:d-bus:1.4.4
cpe:/a:d-bus_project:d-bus:1.4.6
cpe:/a:d-bus_project:d-bus:1.4.8
cpe:/a:d-bus_project:d-bus:1.4.10
cpe:/a:d-bus_project:d-bus:1.4.12
cpe:/a:d-bus_project:d-bus:1.4.14
cpe:/a:d-bus_project:d-bus:1.4.16
cpe:/a:d-bus_project:d-bus:1.4.18
cpe:/a:d-bus_project:d-bus:1.4.20
cpe:/a:d-bus_project:d-bus:1.4.22
cpe:/a:d-bus_project:d-bus:1.4.24
cpe:/a:d-bus_project:d-bus:1.4.26
cpe:/a:d-bus_project:d-bus:1.5.0
cpe:/a:d-bus_project:d-bus:1.5.2
cpe:/a:d-bus_project:d-bus:1.5.4
cpe:/a:d-bus_project:d-bus:1.5.6
cpe:/a:d-bus_project:d-bus:1.5.8
cpe:/a:d-bus_project:d-bus:1.5.10
cpe:/a:d-bus_project:d-bus:1.5.12
cpe:/a:d-bus_project:d-bus:1.6.0
cpe:/a:d-bus_project:d-bus:1.6.2
cpe:/a:d-bus_project:d-bus:1.6.10
cpe:/a:d-bus_project:d-bus:1.6.12
cpe:/a:d-bus_project:d-bus:1.6.14
cpe:/a:d-bus_project:d-bus:1.6.16
cpe:/a:d-bus_project:d-bus:1.6.18
cpe:/a:d-bus_project:d-bus:1.6.20
cpe:/a:d-bus_project:d-bus:1.8.0
cpe:/a:d-bus_project:d-bus:1.8.2
cpe:/a:d-bus_project:d-bus:1.8.4
cpe:/o:debian:debian_linux:7.0
cpe:/o:mageia_project:mageia:3
cpe:/o:mageia_project:mageia:4
cpe:/o:novell:opensuse:12.3

Date published: 2014-07-19T15:55:08.013-04:00

Date last modified: 2016-10-14T21:59:37.873-04:00

CVSS Score: 2.1

Principal attack vector: LOCAL

Complexity:  LOW

Reference URL: http://advisories.mageia.org/MGASA-2014-0294.html

Summary: dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.

CVE-2014-3532CVE-2014-3532

Affected configuration(s):

cpe:/a:d-bus_project:d-bus:1.3.0
cpe:/a:d-bus_project:d-bus:1.3.1
cpe:/a:d-bus_project:d-bus:1.4.0
cpe:/a:d-bus_project:d-bus:1.4.1
cpe:/a:d-bus_project:d-bus:1.4.4
cpe:/a:d-bus_project:d-bus:1.4.6
cpe:/a:d-bus_project:d-bus:1.4.8
cpe:/a:d-bus_project:d-bus:1.4.10
cpe:/a:d-bus_project:d-bus:1.4.12
cpe:/a:d-bus_project:d-bus:1.4.14
cpe:/a:d-bus_project:d-bus:1.4.16
cpe:/a:d-bus_project:d-bus:1.4.18
cpe:/a:d-bus_project:d-bus:1.4.20
cpe:/a:d-bus_project:d-bus:1.4.22
cpe:/a:d-bus_project:d-bus:1.4.24
cpe:/a:d-bus_project:d-bus:1.4.26
cpe:/a:d-bus_project:d-bus:1.5.0
cpe:/a:d-bus_project:d-bus:1.5.2
cpe:/a:d-bus_project:d-bus:1.5.4
cpe:/a:d-bus_project:d-bus:1.5.6
cpe:/a:d-bus_project:d-bus:1.5.8
cpe:/a:d-bus_project:d-bus:1.5.10
cpe:/a:d-bus_project:d-bus:1.5.12
cpe:/a:d-bus_project:d-bus:1.6.0
cpe:/a:d-bus_project:d-bus:1.6.2
cpe:/a:d-bus_project:d-bus:1.6.10
cpe:/a:d-bus_project:d-bus:1.6.12
cpe:/a:d-bus_project:d-bus:1.6.14
cpe:/a:d-bus_project:d-bus:1.6.16
cpe:/a:d-bus_project:d-bus:1.6.18
cpe:/a:d-bus_project:d-bus:1.6.20
cpe:/a:d-bus_project:d-bus:1.8.0
cpe:/a:d-bus_project:d-bus:1.8.2
cpe:/a:d-bus_project:d-bus:1.8.4
cpe:/o:debian:debian_linux:7.0
cpe:/o:mageia_project:mageia:3
cpe:/o:mageia_project:mageia:4
cpe:/o:novell:opensuse:12.3

Date published: 2014-07-19T15:55:07.950-04:00

Date last modified: 2016-10-14T21:59:36.517-04:00

CVSS Score: 2.1

Principal attack vector: LOCAL

Complexity:  LOW

Reference URL: http://advisories.mageia.org/MGASA-2014-0294.html

Summary: dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.

CVE-2014-9661CVE-2014-9661

Affected configuration(s):

cpe:/a:freetype:freetype:2.5.3
cpe:/o:canonical:ubuntu_linux:10.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:12.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:14.10
cpe:/o:canonical:ubuntu_linux:15.04
cpe:/o:debian:debian_linux:7.0
cpe:/o:fedoraproject:fedora:20
cpe:/o:fedoraproject:fedora:21
cpe:/o:novell:opensuse:13.1
cpe:/o:novell:opensuse:13.2
cpe:/o:redhat:enterprise_linux_desktop:6.0
cpe:/o:redhat:enterprise_linux_desktop:7.0
cpe:/o:redhat:enterprise_linux_hpc_node:6
cpe:/o:redhat:enterprise_linux_hpc_node:7.0
cpe:/o:redhat:enterprise_linux_hpc_node_eus:7.1
cpe:/o:redhat:enterprise_linux_server:6.0
cpe:/o:redhat:enterprise_linux_server:7.0
cpe:/o:redhat:enterprise_linux_server_eus:6.6.z
cpe:/o:redhat:enterprise_linux_server_eus:7.1
cpe:/o:redhat:enterprise_linux_workstation:6.0
cpe:/o:redhat:enterprise_linux_workstation:7.0

Date published: 2015-02-08T06:59:23.587-05:00

Date last modified: 2017-06-30T21:29:10.297-04:00

CVSS Score: 7.5

Principal attack vector: NETWORK

Complexity:  LOW

Reference URL: http://advisories.mageia.org/MGASA-2015-0083.html

Summary: type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font.

CVE-2014-9662CVE-2014-9662

Affected configuration(s):

cpe:/a:freetype:freetype:2.5.3
cpe:/o:canonical:ubuntu_linux:10.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:12.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:14.10
cpe:/o:canonical:ubuntu_linux:15.04
cpe:/o:debian:debian_linux:7.0
cpe:/o:fedoraproject:fedora:20
cpe:/o:fedoraproject:fedora:21
cpe:/o:novell:opensuse:13.1
cpe:/o:novell:opensuse:13.2

Date published: 2015-02-08T06:59:24.537-05:00

Date last modified: 2017-06-30T21:29:10.357-04:00

CVSS Score: 7.5

Principal attack vector: NETWORK

Complexity:  LOW

Reference URL: http://advisories.mageia.org/MGASA-2015-0083.html

Summary: cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font.