CVE-2010-1797

HIGH

Description

Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in cff/cffgload.c in FreeType before 2.4.2, as used in Apple iOS before 4.0.2 on the iPhone and iPod touch and before 3.2.2 on the iPad, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted CFF opcodes in embedded fonts in a PDF document, as demonstrated by JailbreakMe. NOTE: some of these details are obtained from third party information.

References

http://freetype.sourceforge.net/index2.html#release-freetype-2.4.2

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=018f5c27813dd7eef4648fe254632ecea0c85a50

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=11d65e8a1f1f14e56148fd991965424d9bd1cdbc

http://lists.apple.com/archives/security-announce/2010//Aug/msg00000.html

http://lists.apple.com/archives/security-announce/2010//Aug/msg00001.html

http://osvdb.org/66828

http://secunia.com/advisories/40807

http://secunia.com/advisories/40816

http://secunia.com/advisories/40982

http://secunia.com/advisories/48951

http://sourceforge.net/projects/freetype/files/freetype2/2.4.2/NEWS/view

http://support.apple.com/kb/HT4291

http://support.apple.com/kb/HT4292

http://www.exploit-db.com/exploits/14538

http://www.f-secure.com/weblog/archives/00002002.html

http://www.securityfocus.com/bid/42151

http://www.ubuntu.com/usn/USN-972-1

http://www.vupen.com/english/advisories/2010/2018

http://www.vupen.com/english/advisories/2010/2106

https://bugs.launchpad.net/ubuntu/maverick/+source/freetype/+bug/617019

https://bugzilla.redhat.com/show_bug.cgi?id=621144

https://exchange.xforce.ibmcloud.com/vulnerabilities/60856

Details

Source: MITRE

Published: 2010-08-16

Updated: 2019-09-26

Type: CWE-119

Risk Information

CVSS v2.0

Base Score: 9.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 8.6

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:apple:iphone_os:1.0.0:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.0.0:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.0.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.0.1:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.0.2:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.0.2:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.0:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.0:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.0:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.1:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.2:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.2:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.2:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.3:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.3:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.3:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.4:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.4:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.4:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.5:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.5:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:1.1.5:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.0:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.0.0:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.0.0:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.0.0:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.0.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.0.1:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.0.1:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.0.2:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.0.2:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.0.2:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.1:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.1:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.1.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.2:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.2:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.2.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.2.1:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:2.2.1:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.0:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.0:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.0:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.0.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.0.1:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.1:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.1:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.1.2:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.1.2:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.1.2:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.1.3:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.1.3:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.2:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.2:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.2:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.2.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:3.2.1:-:ipad:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:4.0:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:4.0:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:4.0:-:ipodtouch:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:4.0.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:4.0.1:-:iphone:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:4.0.1:-:ipodtouch:*:*:*:*:*

Tenable Plugins

View all (17 total)

ID	Name	Product	Family	Severity
75578	openSUSE Security Update : libfreetype6 (openSUSE-SU-2010:0549-1)	Nessus	SuSE Local Security Checks	high
68080	Oracle Linux 3 / 4 / 5 : freetype (ELSA-2010-0607)	Nessus	Oracle Linux Local Security Checks	high
60830	Scientific Linux Security Update : freetype on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
57651	GLSA-201201-09 : FreeType: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
50905	SuSE 11 / 11.1 Security Update : freetype2 (SAT Patch Numbers 2914 / 2919)	Nessus	SuSE Local Security Checks	high
50437	Fedora 12 : freetype-2.3.11-6.fc12 (2010-15785)	Nessus	Fedora Local Security Checks	high
50026	Fedora 13 : freetype-2.3.11-6.fc13 (2010-15705)	Nessus	Fedora Local Security Checks	high
49854	SuSE 10 Security Update : freetype2 (ZYPP Patch Number 7121)	Nessus	SuSE Local Security Checks	high
49150	Debian DSA-2105-1 : freetype - several vulnerabilities	Nessus	Debian Local Security Checks	high
48900	SuSE9 Security Update : freetype2 (YOU Patch Number 12630)	Nessus	SuSE Local Security Checks	high
48755	openSUSE Security Update : freetype2 (openSUSE-SU-2010:0549-1)	Nessus	SuSE Local Security Checks	high
48753	openSUSE Security Update : freetype2 (openSUSE-SU-2010:0549-1)	Nessus	SuSE Local Security Checks	high
48361	Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : freetype vulnerabilities (USN-972-1)	Nessus	Ubuntu Local Security Checks	high
48319	Mandriva Linux Security Advisory : freetype2 (MDVSA-2010:149)	Nessus	Mandriva Local Security Checks	high
48276	Foxit Reader < 4.1.1.0805 FreeType CFF Opcodes RCE	Nessus	Windows	high
48269	CentOS 3 / 4 / 5 : freetype (CESA-2010:0607)	Nessus	CentOS Local Security Checks	high
48258	RHEL 3 / 4 / 5 : freetype (RHSA-2010:0607)	Nessus	Red Hat Local Security Checks	high