freetype2 read_lwfn() integer overflow

freetype-lwfn-overflow (26553)

High Risk

Description:

freetype2 is vulnerable to an integer overflow in the read_lwfn() function. A remote attacker could exploit this vulnerability using a specially-crafted LWFN file to execute arbitrary code on a victim's system.

Platforms Affected:

• Apple, Mac OS X 10.4.11
• Apple, Mac OS X Server 10.4.11
• Canonical, Ubuntu 5.04
• Canonical, Ubuntu 5.10
• Canonical, Ubuntu 6.06 LTS
• Debian, Debian Linux 3.0
• Debian, Debian Linux 3.1
• FreeType Project, freetype2 prior to 2.2.1
• Gentoo, Linux
• MandrakeSoft, Mandrake Linux 2006
• MandrakeSoft, Mandrake Linux 2006 X86_64
• MandrakeSoft, Mandrake Linux LE2005 X86_64
• MandrakeSoft, Mandrake Linux LE2005
• MandrakeSoft, Mandrake Linux Corporate Server 3.0
• MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
• MandrakeSoft, Mandrake Multi Network Firewall 2.0
• Novell, Linux Desktop 9
• OpenPKG, OpenPKG 2-STABLE
• OpenPKG, OpenPKG 2.5
• OpenPKG, OpenPKG CURRENT
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 3 Desktop
• RedHat, Enterprise Linux 3 AS
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 3 WS
• RedHat, Enterprise Linux 4 ES
• RedHat, Enterprise Linux 4 WS
• RedHat, Enterprise Linux 4 Desktop
• RedHat, Enterprise Linux 4 AS
• RedHat, Linux Advanced Workstation 2.1 Itanium
• SuSE, SuSE Linux 10.0
• SuSE, SuSE Linux 10.1
• SuSE, SuSE SLES 9

Remedy:

Upgrade to the latest version of freetype2 (2.2.1 or later), available from SourceForge.net. See References.

For Debian GNU/Linux:
Refer to DSA-1095-1 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2006-07-02 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux:
Refer to RHSA-2006:0500-10 for patch, upgrade, or suggested workaround information. See References.

For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2006-017 for patch, upgrade, or suggested workaround information. See References.

Refer to Sun Alert ID: 102705 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Gain Access

References:

• Apple Web site, About the security content of Security Update 2009-001 at http://support.apple.com/kb/HT3438.
• SourceForge.net: Files, The FreeType Project - File Release Notes and Changelog - Release Name: 2.2.1 at http://sourceforge.net/project/shownotes.php?release_id=41 6463.
• Sun Alert ID: 102705, Security Vulnerabilities (Integer Overflows and a Denial of Service) in the FreeType 2 Font Engine at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102705-1.
• ASA-2006-176: freetype security update (RHSA-2006-0500)
• ASA-2007-039: Security Vulnerabilities (Integer Overflows and a Denial of Service) in the FreeType 2 Font Engine (Sun 102705)
• ASA-2009-226: freetype security update (RHSA-2009-0329)
• ASA-2009-243: freetype security update (RHSA-2009-1062)
• BID-18034: FreeType LWFN Files Buffer Overflow Vulnerability
• CVE-2006-1861: Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493.
• DSA-1095: freetype -- integer overflows
• GLSA-200607-02: FreeType: Multiple integer overflows
• GLSA-200710-09: NX 2.1: User-assisted execution of arbitrary code
• MDKSA-2006:099: freetype2
• MDKSA-2006:099-1: freetype2
• OpenPKG-SA-2006.017: Freetype
• RHSA-2006-0500: freetype security update
• RHSA-2009-0329: Important: freetype security update
• RHSA-2009-1062: Important: freetype security update
• SA20100: FreeType Integer Overflow and Underflow Vulnerabilities
• SA21701: Avaya Products FreeType Vulnerabilities
• SA23939: Sun Solaris FreeType Integer Overflow and Underflow Vulnerabilities
• SA27162: NX Server PCF Integer Overflow Vulnerabilities
• SA33937: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
• SECTRACK ID: 1016522: FreeType Integer Overflows Let Remote Users Execute Arbitrary Code
• SUSE-SA:2006:037: freetype integer overflow problems
• SUSE-SR:2007:021: SUSE Security Summary Report
• USN-291-1: FreeType vulnerabilities
• VUPEN/ADV-2006-1868: FreeType Font Files Handling Multiple Integer Overflow Vulnerabilities
• VUPEN/ADV-2007-0381: Sun Solaris Security Update Fixes FreeType Multiple Integer Overflow Vulnerabilities

Reported:

May 13, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page