OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] [ GLSA 200806-10 ] FreeType: User-assisted execution of arbitrary code

From: Robert Buchholz (rbugentoo.org)
Date: Mon Jun 23 2008 - 19:01:30 CDT

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200806-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: FreeType: User-assisted execution of arbitrary code
      Date: June 23, 2008
      Bugs: #225851
        ID: 200806-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Font parsing vulnerabilities in FreeType might lead to user-assisted
execution of arbitrary code.

Background
==========

FreeType is a font rendering library for TrueType Font (TTF) and
Printer Font Binary (PFB).

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 media-libs/freetype < 2.3.6 >= 2.3.6

Description
===========

Regenrecht reported multiple vulnerabilities in FreeType via iDefense:

* An integer overflow when parsing values in the Private dictionary
  table in a PFB file, leading to a heap-based buffer overflow
  (CVE-2008-1806).

* An invalid free() call related to parsing an invalid "number of
  axes" field in a PFB file (CVE-2008-1807).

* Multiple off-by-one errors when parsing PBF and TTF files, leading
  to heap-based buffer overflows (CVE-2008-1808).

Impact
======

A remote attacker could entice a user to open a specially crafted TTF
or PBF file, possibly resulting in the execution of arbitrary code with
the privileges of the user running an application linked against
FreeType (such as the X.org X server, running as root).

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All FreeType users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/freetype-2.3.6"

References
==========

  [ 1 ] CVE-2008-1806
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1806
  [ 2 ] CVE-2008-1807
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1807
  [ 3 ] CVE-2008-1808
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1808

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200806-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iQIcBAABAgAGBQJIYDlcAAoJECaaHo/OfoM5DuUP/2XTKwSsyGDBqw/nmxAB+moD
3H+aX/2oSnGHvaQHz+Ney//fGvS+Esi5hyP/wAQveePKhhmN8CZT/YYzPM9BLCwi
4wWxQpjl5YsA1YnXOev405HbkRVWzGOmezG7cmkFzjNs9EQKzIHsvPNL+CtNCClm
gyWWuXqIegsIRHQe/SOWbQaoAjUbURhAA2NrrPQmi58BIzkzWjYz8VVdmS6WRkqR
kE9niueNARx6gBXM6G59WisGWXOb82o6MOpnh7olW2112JSJYoNBhZxaR0px15vD
rxb2UEc3JLBeYogVYACGT4BN5tHVGNHdymkUCSY08bpL9EJoVx7xT05Z86k+Hgyh
Fxw2yD/45CU0zXYG1pt0qJuw+wLUH7RCvFO1dtAveGG9f8vOklLApbrJ8PRox57I
qqn8cgL3QbY5lpUxbwYRtxjz3mDWfTijK8U9qRfaXkZKVK0UmUp3fC/gBVDNNok0
Vo87TfHY9H8gYhLdgX469dTLVECiooi1fTgBYhPQGZrgOs6K7zgzepKf06u84EWL
3KAdNNTtpHQGGFlBecCYwiR2aX7Syuwmayq38nlu3+NupZ5wuQWEJ4g37JoAvuwv
qmDYXR53QOtRHR906Esim0LHnt5fDYEpEEzPKNYhZJJOyRblMNiaciBMwKzOLsxv
DRtX4qq1eWjA1Gd5ES4U
=it/J
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/