FreeType TTF File Remote Buffer Overflow Vulnerability
BID:18326
Info
FreeType TTF File Remote Buffer Overflow Vulnerability
| Bugtraq ID: | 18326 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2006-0747 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 08 2006 12:00AM |
| Updated: | May 13 2009 06:56PM |
| Credit: | Josh Bressers discovered this vulnerability. |
| Vulnerable: |
Ubuntu Ubuntu Linux 5.10 powerpc Ubuntu Ubuntu Linux 5.10 i386 Ubuntu Ubuntu Linux 5.10 amd64 Ubuntu Ubuntu Linux 5.0 4 powerpc Ubuntu Ubuntu Linux 5.0 4 i386 Ubuntu Ubuntu Linux 5.0 4 amd64 Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 SuSE Linux Enterprise Server 9 Sun Solaris 9_x86 Sun Solaris 9 Sun Solaris 8_x86 Sun Solaris 8_sparc Sun Solaris 10.0_x86 Sun Solaris 10.0 SGI ProPack 3.0 SP6 S.u.S.E. Linux Professional 10.0 S.u.S.E. Linux Professional 9.3 S.u.S.E. Linux Professional 9.2 S.u.S.E. Linux Professional 10.1 S.u.S.E. Linux Personal 10.0 OSS S.u.S.E. Linux Personal 9.3 S.u.S.E. Linux Personal 9.2 S.u.S.E. Linux Personal 10.1 S.u.S.E. Linux Enterprise Server for S/390 9.0 S.u.S.E. Linux Enterprise Server for S/390 rPath rPath Linux 1 Redhat Enterprise Linux WS 4 Redhat Enterprise Linux WS 3 Redhat Enterprise Linux WS 2.1 IA64 Redhat Enterprise Linux WS 2.1 Redhat Enterprise Linux ES 4 Redhat Enterprise Linux ES 3 Redhat Enterprise Linux ES 2.1 IA64 Redhat Enterprise Linux ES 2.1 Redhat Enterprise Linux AS 4 Redhat Enterprise Linux AS 3 Redhat Enterprise Linux AS 2.1 IA64 Redhat Enterprise Linux AS 2.1 Redhat Desktop 4.0 Redhat Desktop 3.0 Redhat Advanced Workstation for the Itanium Processor 2.1 IA64 Redhat Advanced Workstation for the Itanium Processor 2.1 Mandriva Linux Mandrake 2006.0 x86_64 Mandriva Linux Mandrake 2006.0 Mandriva Linux Mandrake 10.2 x86_64 Mandriva Linux Mandrake 10.2 MandrakeSoft Multi Network Firewall 2.0 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 FreeType FreeType 2.2 FreeType FreeType 0 Avaya S8710 R2.0.1 Avaya S8710 R2.0.0 Avaya S8700 R2.0.1 Avaya S8700 R2.0.0 Avaya S8500 R2.0.1 Avaya S8500 R2.0.0 Avaya S8300 R2.0.1 Avaya S8300 R2.0.0 Avaya Messaging Storage Server MM3.0 Avaya Messaging Storage Server Avaya Message Networking Avaya Intuity LX Apple Mac OS X Server 10.4.11 Apple Mac OS X Server 10.4.11 Apple Mac OS X Server 10.4.10 Apple Mac OS X Server 10.4.9 Apple Mac OS X Server 10.4.8 Apple Mac OS X Server 10.4.7 Apple Mac OS X Server 10.4.6 Apple Mac OS X Server 10.4.5 Apple Mac OS X Server 10.4.4 Apple Mac OS X Server 10.4.3 Apple Mac OS X Server 10.4.2 Apple Mac OS X Server 10.4.1 Apple Mac OS X Server 10.4 Apple Mac OS X 10.4.11 Apple Mac OS X 10.4.11 Apple Mac OS X 10.4.10 Apple Mac OS X 10.4.9 Apple Mac OS X 10.4.8 Apple Mac OS X 10.4.7 Apple Mac OS X 10.4.6 Apple Mac OS X 10.4.5 Apple Mac OS X 10.4.4 Apple Mac OS X 10.4.3 Apple Mac OS X 10.4.2 Apple Mac OS X 10.4.1 Apple Mac OS X 10.4 |
| Not Vulnerable: |
FreeType FreeType 2.2.1 |
Discussion
FreeType TTF File Remote Buffer Overflow Vulnerability
FreeType is prone to a buffer-overflow vulnerability. This issue is due to an integer-underflow that results in a buffer being overrun with attacker-supplied data.
This issue allows remote attackers to execute arbitrary machine code in the context of applications that use the affected library. Failed exploit attempts will likely crash applications, denying service to legitimate users.
FreeType versions prior to 2.2.1 are vulnerable to this issue.
FreeType is prone to a buffer-overflow vulnerability. This issue is due to an integer-underflow that results in a buffer being overrun with attacker-supplied data.
This issue allows remote attackers to execute arbitrary machine code in the context of applications that use the affected library. Failed exploit attempts will likely crash applications, denying service to legitimate users.
FreeType versions prior to 2.2.1 are vulnerable to this issue.
Exploit / POC
FreeType TTF File Remote Buffer Overflow Vulnerability
The following proof-of-concept exploit demonstrates this issue by instigating a crash in the affected library:
The following proof-of-concept exploit demonstrates this issue by instigating a crash in the affected library:
Solution / Fix
FreeType TTF File Remote Buffer Overflow Vulnerability
Solution:
The vendor has released FreeType 2.2.1 to address this issue. Please see the references for details.
Sun Solaris 10.0
FreeType FreeType 2.2
Sun Solaris 8_sparc
Sun Solaris 10.0_x86
FreeType FreeType 0
Sun Solaris 9
Sun Solaris 9_x86
Sun Solaris 8_x86
Apple Mac OS X 10.4.11
Apple Mac OS X Server 10.4.11
Solution:
The vendor has released FreeType 2.2.1 to address this issue. Please see the references for details.
Sun Solaris 10.0
-
Sun 119812-02
http://sunsolve.sun.com/
FreeType FreeType 2.2
-
FreeType freetype-2.2.1.tar.bz2
http://prdownloads.sourceforge.net/freetype/freetype-2.2.1.tar.bz2?dow nload
Sun Solaris 8_sparc
Sun Solaris 10.0_x86
-
Sun 119813-02
http://sunsolve.sun.com/
FreeType FreeType 0
-
FreeType freetype-2.2.1.tar.bz2
http://prdownloads.sourceforge.net/freetype/freetype-2.2.1.tar.bz2?dow nload
Sun Solaris 9
-
Sun 116105-06
http://sunsolve.sun.com/
Sun Solaris 9_x86
-
Sun 116106-06
http://sunsolve.sun.com/
Sun Solaris 8_x86
Apple Mac OS X 10.4.11
-
Apple SecUpd2009-002PPC.dmg
(PowerPC)
http://support.apple.com/downloads/DL818/SecUpd2009-002PPC.dmg
Apple Mac OS X Server 10.4.11
-
Apple SecUpd2009-002Intel.dmg
(Intel)
http://support.apple.com/downloads/DL817/SecUpd2009-002Intel.dmg -
Apple SecUpdSrvr2009-002PPC.dmg
(PowerPC)
http://support.apple.com/downloads/DL819/SecUpdSrvr2009-002PPC.dmg -
Apple SecUpdSrvr2009-002Univ.dmg
(Universal)
http://support.apple.com/downloads/DL816/SecUpdSrvr2009-002Univ.dmg
References
FreeType TTF File Remote Buffer Overflow Vulnerability
References:
References:
- ASA-2006-176 - freetype security update (RHSA-2006-0500) (Avaya)
- Bugzilla Bug 183676 �?? CVE-2006-0747 Freetype integer underflow (CVE-2006-2661) (Red Hat)
- FreeType Homepage (FreeType)
- Release Name: 2.2.1 (FreeType)
- RHSA-2006:0500-10 - freetype security update (RedHat)
- rPSA-2006-0100-1 freetype (rPath)
- Sun Alert ID: 102705 - Security Vulnerabilities (Integer Overflows and a Denial (Sun)