Cairo cairo-truetype-subset.c Denial of Service Vulnerability [CVE-2017-9814]
CVE Number – CVE-2017-9814
A vulnerability in cairo-truetype-subset.c of Cairo could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.The vulnerability exists because the affected software mishandles an unexpected malloc(0) call to cairo-truetype-subset.c. An attacker could exploit this vulnerability by supplying a crafted file to the affected system. A successful exploit could allow the attacker to cause a DoS condition on the targeted system.Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.Cairo has not confirmed this vulnerability and software updates are not available; however, third-party security issues are available.
Analysis
- To exploit this vulnerability, an attacker would need network access and the ability to supply a crafted file to a targeted system. These requirements could reduce the likelihood of a successful attack.
Safeguards
- Administrators are advised to contact their specific vendor for future updates.Administrators are advised to allow only trusted users to have network access.Administrators are advised to monitor critical systems.
Vendor Announcements
- At the time this alert was first published, Cairo had not released a security advisory; however, a third-party security issue is available at the following link: Bug101547
Fixed Software
- At the time this alert was first published, Cairo had not released software updates.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.