Cairo cairo-truetype-subset.c Denial of Service Vulnerability [CVE-2017-9814]

CVE Number – CVE-2017-9814

A vulnerability in cairo-truetype-subset.c of Cairo could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.The vulnerability exists because the affected software mishandles an unexpected malloc(0) call to cairo-truetype-subset.c. An attacker could exploit this vulnerability by supplying a crafted file to the affected system. A successful exploit could allow the attacker to cause a DoS condition on the targeted system.Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.Cairo has not confirmed this vulnerability and software updates are not available; however, third-party security issues are available.

Analysis

• To exploit this vulnerability, an attacker would need network access and the ability to supply a crafted file to a targeted system. These requirements could reduce the likelihood of a successful attack.
  

Safeguards

• Administrators are advised to contact their specific vendor for future updates.Administrators are advised to allow only trusted users to have network access.Administrators are advised to monitor critical systems.

Vendor Announcements

• At the time this alert was first published, Cairo had not released a security advisory; however, a third-party security issue is available at the following link: Bug101547
  

Fixed Software

• At the time this alert was first published, Cairo had not released software updates.