Bug 332701 (CVE-2010-1797) - <media-libs/freetype-2.4.2: Stack-based buffer overflows in the CFF module (CVE-2010-{1797,2497,2498,2499,2500,2519,2520,2527,2541,2805,2806,2807,2808,3053,3054,3311})
Status: RESOLVED FIXED
Alias: CVE-2010-1797
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.kb.cert.org/vuls/id/275247
Whiteboard: A2 [glsa]
Reported: 2010-08-14 08:26 UTC by Alex Legler (RETIRED)
Modified: 2012-01-23 20:35 UTC
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-14 08:26:01 UTC
From $URL:

FreeType is a font engine that can open and process font files. FreeType 2 includes the ability to handle a number of font types, including Compact Font Format (CFF). FreeType is used by a number of applications, including PDF readers, web browsers, and other applications. FreeType 2 contains a flaw in the handling of some CFF opcodes, which can result in stack corruption. This can allow arbitrary code execution. 

Impact
------
By causing an application that uses FreeType to parse a specially-crafted CFF font, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. This can occur as the result of opening a PDF document or viewing a web page.
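The description above points at the bug class: a CFF glyph program (a Type 2 charstring) is an untrusted byte stream whose operand count the font controls, while the interpreter's argument stack is a fixed 48-entry C array. As an added illustration, not FreeType's code and not a reconstruction of the exact flaw in this report, here is a minimal operand decoder that rejects a 49th operand instead of writing past the array; `cff_check_charstring`, `cff_demo` and the constructed sample charstrings are assumptions for demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#define CFF_MAX_OPERANDS 48  /* Type 2 charstring argument-stack limit */
enum { CFF_OK = 0, CFF_ERR_STACK_OVERFLOW = -1, CFF_ERR_TRUNCATED = -2 };
/* Decode one charstring as a glyph interpreter would: numbers are pushed,
 * each operator consumes (here: clears) the stack, endchar ends the program.
 * Returns the deepest stack level reached (>= 0) or a CFF_ERR_* code (< 0).
 * Illustrative model of the bug class only, not FreeType's cffgload code. */
int cff_check_charstring(const uint8_t *cs, size_t len)
{
    int32_t stack[CFF_MAX_OPERANDS], v;   /* fixed-size: the overflow target */
    size_t top = 0, i = 0, depth = 0;
    while (i < len) {
        uint8_t b0 = cs[i++];
        if (b0 == 28 || b0 == 255) {         /* 16-bit int / 16.16 fixed */
            size_t n = (b0 == 28) ? 2 : 4;   /* keep the integer part only */
            if (i + n > len) return CFF_ERR_TRUNCATED;
            v = (int16_t)((cs[i] << 8) | cs[i + 1]); i += n;
        } else if (b0 <= 31) {               /* operator */
            if (b0 == 12 && i++ >= len) return CFF_ERR_TRUNCATED; /* escape */
            top = 0;                         /* operands consumed */
            if (b0 == 14) return (int)depth; /* endchar */
            continue;
        } else if (b0 <= 246) {              /* one-byte number */
            v = (int32_t)b0 - 139;
        } else {                             /* two-byte number, 247..254 */
            if (i >= len) return CFF_ERR_TRUNCATED;
            v = ((b0 - 247) & 3) * 256 + cs[i++] + 108;  /* magnitude */
            if (b0 >= 251) v = -v;           /* 251..254 encode negatives */
        }
        /* The check a vulnerable interpreter omits: refuse a 49th operand. */
        if (top >= CFF_MAX_OPERANDS) return CFF_ERR_STACK_OVERFLOW;
        stack[top++] = v;
        if (top > depth) depth = top;
    }
    return (int)depth;                       /* no endchar, but in bounds */
}
/* Constructed sample (an assumption, not a real font): n zero operands (byte
 * 139), an rmoveto (21) before operand `split`, then endchar; k is capped. */
int cff_demo(size_t n, size_t split)
{
    uint8_t buf[128];
    size_t k = 0, j;
    for (j = 0; j < n && k < 125; j++) {
        if (j == split) buf[k++] = 21;
        buf[k++] = 139;
    }
    buf[k++] = 14;
    return cff_check_charstring(buf, k);
}
```

The same decoder applied to a real font would be run over every charstring in the CharStrings INDEX before any glyph is rendered, so an over-long operand list is reported as a parse error rather than reaching the interpreter.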
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-14 08:26:47 UTC
fonts: I see that we don't have the 2.4.x series stable yet. Would you rather have a patch to apply to 2.3.x than bump to 2.4.2 and stable that?
Comment 2 Ryan Hill (RETIRED) gentoo-dev 2010-08-14 20:09:10 UTC
Let's stabilize 2.4.2 ASAP.
Comment 3 David Abbott (RETIRED) gentoo-dev 2010-08-14 21:49:41 UTC
All good x86.
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2010-08-14 22:39:39 UTC
amd64 done
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-14 23:24:35 UTC
x86 stable, thanks David
Comment 6 Markus Meier gentoo-dev 2010-08-15 16:33:39 UTC
arm stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-16 16:51:24 UTC
Stable for PPC.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-16 18:14:30 UTC
Stable for HPPA.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2010-08-28 11:13:24 UTC
alpha/ia64/m68k/s390/sh/sparc stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:33:14 UTC
ppc64 done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 07:14:51 UTC
GLSA with bug 342121.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 12:09:01 UTC
CVE-2010-2497 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2497):
  Integer underflow in glyph handling in FreeType before 2.4.0 allows remote
  attackers to cause a denial of service (application crash) or possibly
  execute arbitrary code via a crafted font file.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 12:15:04 UTC
CVE-2010-3311 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3311):
  Integer overflow in base/ftstream.c in libXft (aka the X FreeType library)
  in FreeType before 2.4 allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a crafted Compact
  Font Format (CFF) font file that triggers a heap-based buffer overflow,
  related to an "input stream position error" issue, a different vulnerability
  than CVE-2010-1797.

CVE-2010-3054 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3054):
  Unspecified vulnerability in FreeType 2.3.9, and other versions before
  2.4.2, allows remote attackers to cause a denial of service via vectors
  involving nested Standard Encoding Accented Character (aka seac) calls,
  related to psaux.h, cffgload.c, cffgload.h, and t1decode.c.

CVE-2010-3053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3053):
  bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a
  denial of service (application crash) via a crafted BDF font file, related
  to an attempted modification of a value in a static string.

CVE-2010-2808 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2808):
  Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in
  FreeType before 2.4.2 allows remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute arbitrary code
  via a crafted Adobe Type 1 Mac Font File (aka LWFN) font.

CVE-2010-2807 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2807):
  FreeType before 2.4.2 uses incorrect integer data types during bounds
  checking, which allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a crafted font
  file.

CVE-2010-2806 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2806):
  Array index error in the t42_parse_sfnts function in type42/t42parse.c in
  FreeType before 2.4.2 allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via negative size
  values for certain strings in FontType42 font files, leading to a heap-based
  buffer overflow.

CVE-2010-2805 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2805):
  The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before
  2.4.2 does not properly validate certain position values, which allows
  remote attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted font file.

CVE-2010-2541 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2541):
  Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before
  2.4.2 allows remote attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via a crafted font file.

CVE-2010-2527 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2527):
  Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow
  remote attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted font file.

CVE-2010-2520 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2520):
  Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in
  FreeType before 2.4.0, when TrueType bytecode support is enabled, allows
  remote attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted font file.

CVE-2010-2519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2519):
  Heap-based buffer overflow in the Mac_Read_POST_Resource function in
  base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a
  denial of service (application crash) or possibly execute arbitrary code via
  a crafted length value in a POST fragment header in a font file.

CVE-2010-2500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2500):
  Integer overflow in the gray_render_span function in smooth/ftgrays.c in
  FreeType before 2.4.0 allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a crafted font
  file.

CVE-2010-2499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2499):
  Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in
  FreeType before 2.4.0 allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a crafted
  LaserWriter PS font file with an embedded PFB fragment.

CVE-2010-2498 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2498):
  The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType
  before 2.4.0 does not properly implement hinting masks, which allows remote
  attackers to cause a denial of service (heap memory corruption and
  application crash) or possibly execute arbitrary code via a crafted font
  file that triggers an invalid free operation.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:35:39 UTC
This issue was resolved and addressed in
 GLSA 201201-09 at http://security.gentoo.org/glsa/glsa-201201-09.xml
by GLSA coordinator Sean Amoss (ackle).