[UNIX] FreeType Integer Overflow Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 14 Jun 2006 12:20:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
FreeType Integer Overflow Vulnerabilities
------------------------------------------------------------------------
SUMMARY
The <http://www.freetype.org> FreeType project of David Turner attempts
to create an independent implementation of the TrueType standard (as well
as other font standards). FreeType is included in many Linux distributions
and is distributed under a GPL-compatible license.
The FreeType library has several integer overflow vulnerabilities. If a
user can be tricked into installing a specially crafted font file,
arbitrary code can be executed with the privileges of the user.
DETAILS
Vulnerable Systems:
* FreeType version 2.2 (prior versions suspected).
* FreeType version 2.1.10 (prior versions suspected).
1) An integer overflow error exists within the "read_lwfn()" function in
src/base/ftmac.c. This can potentially be exploited to cause a heap-based
buffer overflow via a specially crafted LWFN file.
2) An integer underflow error exists within the
"src/pshinter/pshglob.c:psh_blues_set_zones_0()" function when handling a
specially crafted font file where the number of blue values is odd. This
can be exploited to cause an integer underflow which corrupts the heap.
3) Integer overflow errors exist within the BDF, PCF and Type1 font file
parsers. This can potentially be exploited to cause a heap-based buffer
overflow via a specially crafted font file.
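Item 2 turns on a file-supplied count that is consumed in pairs. The C sketch below is an added illustration, not FreeType's code and not part of the advisory: it shows how an unsigned counter stepped down by two wraps on an odd count, next to a checked routine that rejects such input. The names zone_t, pairs_visited_unchecked and build_zones_checked, and the 14-value limit, are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BLUE_VALUES 14u  /* assumed limit for this example: 7 pairs */

typedef struct { int bottom, top; } zone_t;  /* hypothetical zone record */

/* Unchecked pattern: an unsigned counter stepped down by two. With an odd
 * count it goes 1 -> UINT_MAX instead of reaching 0, so only the demo cap
 * ends the loop. No memory is touched here; we just count iterations. */
static size_t pairs_visited_unchecked(unsigned count, size_t demo_cap)
{
    size_t visited = 0;
    for (; count > 0 && visited < demo_cap; count -= 2)
        visited++;
    return visited;
}

/* Checked pattern: validate the file-supplied count before using it.
 * Returns the number of zones written, or -1 for malformed input. */
static int build_zones_checked(const int16_t *values, unsigned count,
                               zone_t *zones, size_t zones_cap)
{
    if (values == NULL || zones == NULL)
        return -1;
    if (count % 2 != 0 || count > MAX_BLUE_VALUES)  /* odd or oversized */
        return -1;
    if (count / 2 > zones_cap)                      /* output too small */
        return -1;
    for (unsigned i = 0; i < count; i += 2) {
        zones[i / 2].bottom = values[i];
        zones[i / 2].top    = values[i + 1];
    }
    return (int)(count / 2);
}

int main(void)
{
    const int16_t sample[] = { -20, 0, 700, 720 };  /* constructed values */
    zone_t zones[MAX_BLUE_VALUES / 2];

    printf("unchecked, count 4: %zu iterations\n", pairs_visited_unchecked(4, 100));
    printf("unchecked, count 3: %zu iterations (demo cap)\n", pairs_visited_unchecked(3, 100));
    printf("checked, count 4: %d\n", build_zones_checked(sample, 4, zones, 7));
    printf("checked, count 3: %d\n", build_zones_checked(sample, 3, zones, 7));
    return 0;
}
```

The same rule applies to the size calculations in items 1 and 3: any length or count read from the font file is checked against its limits before it is used in arithmetic, an allocation or a loop bound.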
ADDITIONAL INFORMATION
The original article can be found at:
<http://secunia.com/advisories/20100/>