Braden Thomas

**Name of the Vulnerable Software and Affected Versions** Freetype versions prior to 2.4.8 Freetype versions prior to 2.4.2 **Description** The issue concerns multiple stack-based buffer overflows in the cff decoder parse charstrings function, which can be exploited remotely. This can lead to the execution of arbitrary code or cause a denial of service due to memory corruption. The exploitation can be triggered by crafted CFF opcodes in embedded fonts in a PDF document. **Recommendations** For versions prior to 2.4.2, consider updating to version 2.4.2 or later to resolve the issue. For versions prior to 2.4.8, consider updating to version 2.4.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of embedded fonts in PDF documents to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** 4d WebSTAR versions 5.33 through 5.4 **Description** A buffer overflow issue in the Tomcat plugin allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long URL. **Recommendations** For 4d WebSTAR versions 5.33 through 5.4, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Apple File Service (AFP Server) (affected versions not specified) **Description** The issue is related to an integer signedness error that allows remote attackers to cause a denial of service, resulting in an application crash. This is achieved by sending a FPLoginExt packet with a negative UAM string length. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** iSync version 1.5 **Description** A buffer overflow issue exists in the -v and -a switches in mRouter in iSync, allowing local users to execute arbitrary code. **Recommendations** For iSync version 1.5, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cups versions prior to 1.3.10 cups-libs-x86 (affected versions not specified) kdegraphics-devel-3.5.4 (affected versions not specified) kdegraphics-3.5.4 (affected versions not specified) cups-debugsource (affected versions not specified) cups-libs-32bit (affected versions not specified) cups-client (affected versions not specified) cups-debuginfo (affected versions not specified) cups-devel (affected versions not specified) **Description** The issue concerns multiple vulnerabilities in various packages, including cups and kdegraphics, which can lead to disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. Specifically, multiple integer overflows in the JBIG2 decoder in Xpdf and CUPS allow remote attackers to cause a denial of service via a crafted PDF file, related to JBIG2Stream::readSymbolDictSeg and other functions. **Recommendations** For cups versions prior to 1.3.10, update to version 1.3.10 or later. For cups-libs-x86, consider disabling the vulnerable package until a patch is available. For kdegraphics-devel-3.5.4, restrict access to the vulnerable package to minimize the risk of exploitation. For kdegraphics-3.5.4, avoid using the vulnerable package in sensitive operations until the issue is resolved. For cups-debugsource, cups-libs-32bit, cups-client, cups-debuginfo, and cups-devel, consider temporarily disabling or restricting the use of these packages until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability for some of the affected packages.

**Name of the Vulnerable Software and Affected Versions** cups versions prior to 1.3.10 cups-libs (affected versions not specified) cups-libs-32bit (affected versions not specified) cups-libs-x86 (affected versions not specified) cups-client (affected versions not specified) cups-debuginfo (affected versions not specified) cups-debugsource (affected versions not specified) cups-devel (affected versions not specified) kdegraphics-3.5.4 (affected versions not specified) kdegraphics-devel-3.5.4 (affected versions not specified) Xpdf version 3.02pl2 and earlier **Description** The issue concerns multiple vulnerabilities in various packages, including cups and kdegraphics, which can lead to disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, allows remote attackers to cause a denial of service via a crafted PDF file. **Recommendations** For cups versions prior to 1.3.10, update to version 1.3.10 or later. For cups-libs, cups-libs-32bit, cups-libs-x86, cups-client, cups-debuginfo, cups-debugsource, and cups-devel, there is no information about a newer version that contains a fix for this vulnerability. For kdegraphics-3.5.4 and kdegraphics-devel-3.5.4, there is no information about a newer version that contains a fix for this vulnerability. For Xpdf version 3.02pl2 and earlier, update to a version later than 3.02pl2. As a temporary workaround, consider disabling the JBIG2 decoder function until a patch is available.