Lucene search

K
certCERTVU:275247
HistoryAug 05, 2010 - 12:00 a.m.

FreeType 2 CFF font stack corruption vulnerability

2010-08-0500:00:00
www.kb.cert.org
15

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.513 Medium

EPSS

Percentile

97.5%

Overview

FreeType 2 contains a vulnerability in the processing of CFF fonts, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

FreeType is a font engine that can open and process font files. FreeType 2 includes the ability to handle a number of font types, including Compact Font Format (CFF). FreeType is used by a number of applications, including PDF readers, web browsers, and other applications. FreeType 2 contains a flaw in the handling of some CFF opcodes, which can result in stack corruption. This can allow arbitrary code execution.

This vulnerability is being used in the iPhone PDF JailBreak exploit.


Impact

By causing an application that uses FreeType to parse a specially-crafted CFF font, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. This can occur as the result of opening a PDF document or viewing a web page.


Solution

Apply an update
This vulnerability is fixed in the FreeType source tree. Please check with your vendor for an update.


Vendor Information

275247

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Inc. __ Affected

Notified: August 04, 2010 Updated: August 11, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

This issue is addressed in iOS 4.0.2 and iOS 3.2.2.

Vendor References

Addendum

We have confirmed that Safari 3.x on Windows is vulnerable, as it uses FreeType. Newer versions are not affected.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23275247 Feedback>).

Debian GNU/Linux Affected

Notified: August 10, 2010 Updated: August 11, 2010

Statement Date: August 11, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc. __ Affected

Notified: August 10, 2010 Updated: August 11, 2010

Statement Date: August 10, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

BIG-IP includes FreeType 2.2.1, however it is not allowed to generate graphs from arbitrary font files or documents. Therefore it is not vulnerable to remote attack.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23275247 Feedback>).

Foxit Software Company __ Affected

Notified: August 06, 2010 Updated: August 06, 2010

Statement Date: August 06, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

Foxit Software has released version 4.1.1.0805 to address this vulnerability. More information can be found at:

<http://www.foxitsoftware.com/pdf/reader/security_bulletins.php#iphone&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23275247 Feedback>).

Gentoo Linux Affected

Notified: August 10, 2010 Updated: August 11, 2010

Statement Date: August 10, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Affected

Updated: August 05, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

SUSE Linux Affected

Notified: August 10, 2010 Updated: September 10, 2010

Statement Date: September 08, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Wind River Systems, Inc. Affected

Notified: August 10, 2010 Updated: August 11, 2010

Statement Date: August 11, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google Not Affected

Notified: September 10, 2010 Updated: September 14, 2010

Statement Date: September 14, 2010

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. __ Not Affected

Notified: August 10, 2010 Updated: August 23, 2010

Statement Date: August 19, 2010

Status

Not Affected

Vendor Statement

Juniper Networks products are not susceptible to this vulnerability

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux __ Not Affected

Notified: August 10, 2010 Updated: August 23, 2010

Statement Date: August 13, 2010

Status

Not Affected

Vendor Statement

We’re not shipping FreeType 2 in any product.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc. Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX Software Systems Inc. Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys Unknown

Notified: August 10, 2010 Updated: August 10, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 42 vendors __View less vendors __

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was discovered being exploited in the wild. Additional analysis was performed by Braden Thomas of Apple Product Security.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2010-1797
Severity Metric: 13.39 Date Public:

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.513 Medium

EPSS

Percentile

97.5%