Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493.

From Red Hat Security Advisory 2009:0329 :

Updated freetype packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide both the FreeType 1 and FreeType 2 font engines.

Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946)

Chris Evans discovered multiple integer overflow flaws in the FreeType font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2006-1861)

An integer overflow flaw was found in the way the FreeType font engine processed TrueType(r) Font (TTF) files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2007-2754)

A flaw was discovered in the FreeType TTF font-file format parser when the TrueType virtual machine Byte Code Interpreter (BCI) is enabled.
If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2008-1808)

The CVE-2008-1808 flaw did not affect the freetype packages as distributed in Red Hat Enterprise Linux 3 and 4, as they are not compiled with TrueType BCI support. A fix for this flaw has been included in this update as users may choose to recompile the freetype packages in order to enable TrueType BCI support. Red Hat does not, however, provide support for modified and recompiled packages.

Note: For the FreeType 2 font engine, the CVE-2006-1861, CVE-2007-2754, and CVE-2008-1808 flaws were addressed via RHSA-2006:0500, RHSA-2007:0403, and RHSA-2008:0556 respectively. This update provides corresponding updates for the FreeType 1 font engine, included in the freetype packages distributed in Red Hat Enterprise Linux 3 and 4.

Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect.

Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946)

Chris Evans discovered multiple integer overflow flaws in the FreeType font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2006-1861)

An integer overflow flaw was found in the way the FreeType font engine processed TrueType&reg; Font (TTF) files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2007-2754)

A flaw was discovered in the FreeType TTF font-file format parser when the TrueType virtual machine Byte Code Interpreter (BCI) is enabled.
If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2008-1808)

The X server must be restarted (log out, then log back in) for this update to take effect.

The remote host is affected by the vulnerability described in GLSA-201006-01 (FreeType 1: User-assisted execution of arbitrary code)

    Multiple issues found in FreeType 2 were also discovered in FreeType 1.
    For details on these issues, please review the Gentoo Linux Security     Advisories and CVE identifiers referenced below.
  Impact :

    A remote attacker could entice a user to open a specially crafted TTF     file, possibly resulting in the execution of arbitrary code with the     privileges of the user running FreeType.
  Workaround :

    There is no known workaround at this time.

Port of freetype2 security fixes

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated freetype packages that fix various security issues are now available for Red Hat Enterprise Linux 2.1.

This update has been rated as having important security impact by the Red Hat Security Response Team.

FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide both the FreeType 1 and FreeType 2 font engines.

Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946)

Chris Evans discovered multiple integer overflow flaws in the FreeType font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2006-1861)

An integer overflow flaw was found in the way the FreeType font engine processed TrueType(r) Font (TTF) files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2007-2754)

Note: For the FreeType 2 font engine, the CVE-2006-1861 and CVE-2007-2754 flaws were addressed via RHSA-2006:0500 and RHSA-2007:0403 respectively. This update provides corresponding updates for the FreeType 1 font engine, included in the freetype packages distributed in Red Hat Enterprise Linux 2.1.

Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect.

Updated freetype packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide both the FreeType 1 and FreeType 2 font engines.

Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946)

Chris Evans discovered multiple integer overflow flaws in the FreeType font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2006-1861)

An integer overflow flaw was found in the way the FreeType font engine processed TrueType(r) Font (TTF) files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2007-2754)

A flaw was discovered in the FreeType TTF font-file format parser when the TrueType virtual machine Byte Code Interpreter (BCI) is enabled.
If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2008-1808)

The CVE-2008-1808 flaw did not affect the freetype packages as distributed in Red Hat Enterprise Linux 3 and 4, as they are not compiled with TrueType BCI support. A fix for this flaw has been included in this update as users may choose to recompile the freetype packages in order to enable TrueType BCI support. Red Hat does not, however, provide support for modified and recompiled packages.

Note: For the FreeType 2 font engine, the CVE-2006-1861, CVE-2007-2754, and CVE-2008-1808 flaws were addressed via RHSA-2006:0500, RHSA-2007:0403, and RHSA-2008:0556 respectively. This update provides corresponding updates for the FreeType 1 font engine, included in the freetype packages distributed in Red Hat Enterprise Linux 3 and 4.

Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect.

The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-001 applied.

This security update contains fixes for the following products :

  - AFP Server
  - Apple Pixlet Video
  - CarbonCore
  - CFNetwork
  - Certificate Assistant
  - ClamAV
  - CoreText
  - CUPS
  - DS Tools
  - fetchmail
  - Folder Manager
  - FSEvents
  - Network Time
  - perl
  - Printing
  - python
  - Remote Apple Events
  - Safari RSS
  - servermgrd
  - SMB
  - SquirrelMail
  - X11
  - XTerm

Several integer overflows have been discovered in the FreeType library. By tricking a user into installing and/or opening a specially crafted font file, these could be exploited to execute arbitrary code with the privileges of that user.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The XFree code contained in NX was prone to integer overflows (CVE-2006-1861) and insufficiently protected against specially crafted PCF files (CVE-2006-3467).

Fixes for: CVE-2006-0747, CVE-2006-1054, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661. This patch fixes a few integer overflows in freetype 2.
Without this patch it is possible to create font files which make freetype 2 crash.

The remote host is affected by the vulnerability described in GLSA-200710-09 (NX 2.1: User-assisted execution of arbitrary code)

    Chris Evans reported an integer overflow within the FreeType PCF font     file parser (CVE-2006-1861). NX and NX Node are vulnerable to this due     to shipping XFree86 4.3.0, which includes the vulnerable FreeType code.
  Impact :

    A remote attacker could exploit these integer overflows by enticing a     user to load a specially crafted PCF font file which might lead to the     execution of arbitrary code with the privileges of the user on the     machine running the NX server.
  Workaround :

    There is no known workaround at this time.

Several problems have been discovered in the FreeType 2 font engine.
The Common vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-0747     Several integer underflows have been discovered which     could allow remote attackers to cause a denial of     service.

  - CVE-2006-1861     Chris Evans discovered several integer overflows that     lead to a denial of service or could possibly even lead     to the execution of arbitrary code.

  - CVE-2006-2493     Several more integer overflows have been discovered     which could possibly lead to the execution of arbitrary     code.

  - CVE-2006-2661     A NULL pointer dereference could cause a denial of     service.

SecurityTracker reports :

A vulnerability was reported in FreeType. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted font file that, when loaded by the target user's system, will trigger an integer underflow or integer overflow and crash the application or execute arbitrary code on the target system.

Chris Evans reported these vulnerabilities.

Impact: A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

New x11 packages are available for Slackware 10.2 and -current to fix security issues. In addition, fontconfig and freetype have been split out from the x11 packages in -current, so if you run -current you'll also need to install those new packages.

Updated freetype packages that fix several security flaws are now available for Red Hat Enterprise Linux.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

FreeType is a free, high-quality, and portable font engine.

Chris Evans discovered several integer underflow and overflow flaws in the FreeType font engine. If a user loads a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code as the user. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2006-0747, CVE-2006-1861, CVE-2006-3467)

A NULL pointer dereference flaw was found in the FreeType font engine.
An application linked against FreeType can crash upon loading a malformed font file. (CVE-2006-2661)

Users of FreeType should upgrade to these updated packages, which contain backported patches to correct these issues.

The remote host is affected by the vulnerability described in GLSA-200607-02 (FreeType: Multiple integer overflows)

    Multiple integer overflows exist in a variety of files (bdf/bdflib.c,     sfnt/ttcmap.c, cff/cffgload.c, base/ftmac.c).
  Impact :

    A remote attacker could exploit these buffer overflows by enticing a     user to load a specially crafted font, which could result in the     execution of arbitrary code.
  Workaround :

    There is no known workaround at this time.

Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values. (CVE-2006-0747)

Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. (CVE-2006-1861)

Ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference. (CVE-2006-2661)

In addition, a patch is applied to 2.1.10 in Mandriva 2006 to fix a serious bug in ttkern.c that caused some programs to go into an infinite loop when dealing with fonts that don't have a properly sorted kerning sub-table. This patch is not applicable to the earlier Mandriva releases.

Update :

The previous update introduced some issues with other applications and libraries linked to libfreetype, that were missed in testing for the vulnerability issues. The new packages correct these issues.

ID	Name	Product	Family	Severity
67813	Oracle Linux 3 / 4 : freetype (ELSA-2009-0329)	Nessus	Oracle Linux Local Security Checks	critical
60588	Scientific Linux Security Update : freetype on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
46768	GLSA-201006-01 : FreeType 1: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
38943	Fedora 11 : freetype1-1.4-0.8.pre.fc11 (2009-5644)	Nessus	Fedora Local Security Checks	high
38938	Fedora 10 : freetype1-1.4-0.8.pre.fc10 (2009-5558)	Nessus	Fedora Local Security Checks	high
38874	RHEL 2.1 : freetype (RHSA-2009:1062)	Nessus	Red Hat Local Security Checks	critical
38870	RHEL 3 / 4 : freetype (RHSA-2009:0329)	Nessus	Red Hat Local Security Checks	critical
38867	CentOS 3 / 4 : freetype (CESA-2009:0329)	Nessus	CentOS Local Security Checks	critical
35684	Mac OS X Multiple Vulnerabilities (Security Update 2009-001)	Nessus	MacOS X Local Security Checks	critical
27863	Ubuntu 5.04 / 5.10 / 6.06 LTS : freetype vulnerabilities (USN-291-1)	Nessus	Ubuntu Local Security Checks	high
27510	openSUSE 10 Security Update : NX (NX-4555)	Nessus	SuSE Local Security Checks	high
27224	openSUSE 10 Security Update : freetype2 (freetype2-1608)	Nessus	SuSE Local Security Checks	high
26980	GLSA-200710-09 : NX 2.1: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
22637	Debian DSA-1095-1 : freetype - integer overflows	Nessus	Debian Local Security Checks	high
22503	FreeBSD : freetype -- LWFN Files Buffer Overflow Vulnerability (b975763f-5210-11db-8f1a-000a48049292)	Nessus	FreeBSD Local Security Checks	high
22099	Slackware 10.2 / current : x11 (SSA:2006-207-02)	Nessus	Slackware Local Security Checks	high
22068	RHEL 2.1 / 3 / 4 : freetype (RHSA-2006:0500)	Nessus	Red Hat Local Security Checks	high
22064	CentOS 3 / 4 : freetype (CESA-2006:0500)	Nessus	CentOS Local Security Checks	high
22009	GLSA-200607-02 : FreeType: Multiple integer overflows	Nessus	Gentoo Local Security Checks	high
21715	Mandrake Linux Security Advisory : freetype2 (MDKSA-2006:099-1)	Nessus	Mandriva Local Security Checks	high

Detections

Analytics

CVE-2006-1861

critical

Tenable Plugins

critical

critical

high

high

high

critical

critical

critical

critical

high

high

high

high

high

high

high

high

high

high

high