Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 263032 (CVE-2009-0946) - <media-libs/freetype-2.3.9-r1 Multiple integer overflows (CVE-2009-0946)
Summary: <media-libs/freetype-2.3.9-r1 Multiple integer overflows (CVE-2009-0946)
Alias: CVE-2009-0946
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on:
Reported: 2009-03-19 12:55 UTC by Robert Buchholz (RETIRED)
Modified: 2009-05-25 12:16 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

freetype-2.3.8-sec.diff (freetype-2.3.8-sec.diff,3.55 KB, patch)
2009-03-19 12:56 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
freetype-2.3.9-CVE-2009-0946.patch (freetype-2.3.9-CVE-2009-0946.patch,4.32 KB, patch)
2009-05-03 18:24 UTC, Ryan Hill (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 12:55:20 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Tavis Ormandy of Google Security discovered multiple integer overflows in freetype.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 12:56:29 UTC
This is still lacking CVE id and upstream approval for the patch provided by Tavis. Reproducers are available.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 12:56:52 UTC
Created attachment 185509 [details, diff]
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-17 16:23:22 UTC
CVE-2009-0946 (
  Multiple integer overflows in FreeType 2.3.9 and earlier allow remote
  attackers to execute arbitrary code via vectors related to large
  values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c,
  and (3) cff/cffload.c.

Comment 5 Ryan Hill (RETIRED) gentoo-dev 2009-05-03 18:24:05 UTC
Created attachment 190235 [details, diff]
Comment 6 Ryan Hill (RETIRED) gentoo-dev 2009-05-03 18:38:18 UTC
freetype-2.3.9-r1 added to tree
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-05-03 22:29:21 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-05-04 00:10:50 UTC
ppc64 done
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-05-04 00:10:57 UTC
ppc done
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-04 14:02:07 UTC
amd64 stable
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-04 17:27:57 UTC
x86 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-05 05:14:31 UTC
Stable for HPPA.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2009-05-06 16:06:33 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-06 18:50:18 UTC
GLSA request filed.
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-24 18:04:14 UTC
GLSA 200905-05
Comment 16 Nick White 2009-05-25 12:16:16 UTC
Does this bug also affect freetype-1.4? I still need this for texlive, but it doesn't appear to have been patched.