From $URL: FreeType is a font engine that can open and process font files. FreeType 2 includes the ability to handle a number of font types, including Compact Font Format (CFF). FreeType is used by a number of applications, including PDF readers, web browsers, and other applications. FreeType 2 contains a flaw in the handling of some CFF opcodes, which can result in stack corruption. This can allow arbitrary code execution. Impact ------ By causing an application that uses FreeType to parse a specially-crafted CFF font, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. This can occur as the result of opening a PDF document or viewing a web page.
fonts: I see that we don't have the 2.4.x series stable yet. Would you rather have a patch to apply to 2.3.x than bump to 2.4.2 and stable that?
Let's stabilize 2.4.2 ASAP.
All good x86.
amd64 done
x86 stable, thanks David
arm stable
Stable for PPC.
Stable for HPPA.
alpha/ia64/m68k/s390/sh/sparc stable
ppc64 done
GLSA with bug 342121.
CVE-2010-2497 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2497): Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVE-2010-3311 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3311): Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a heap-based buffer overflow, related to an "input stream position error" issue, a different vulnerability than CVE-2010-1797. CVE-2010-3054 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3054): Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c. CVE-2010-3053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3053): bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string. CVE-2010-2808 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2808): Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font. CVE-2010-2807 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2807): FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVE-2010-2806 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2806): Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow. CVE-2010-2805 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2805): The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVE-2010-2541 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2541): Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVE-2010-2527 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2527): Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVE-2010-2520 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2520): Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVE-2010-2519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2519): Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted length value in a POST fragment header in a font file. CVE-2010-2500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2500): Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVE-2010-2499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2499): Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LaserWriter PS font file with an embedded PFB fragment. CVE-2010-2498 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2498): The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file that triggers an invalid free operation.
This issue was resolved and addressed in GLSA 201201-09 at http://security.gentoo.org/glsa/glsa-201201-09.xml by GLSA coordinator Sean Amoss (ackle).
