ID: DSA-1334
Type: debian
Reporter: Debian
Modified: 2007-07-18T00:00:00
Description
A problem was discovered with freetype, a FreeType2 font engine, which could allow the execution of arbitrary code via an integer overflow in specially crafted TTF files.
For the old stable distribution (sarge), this problem has been fixed in version 2.1.7-8.
We recommend that you upgrade your freetype package.
{"result": {"cve": [{"id": "CVE-2007-2754", "type": "cve", "title": "CVE-2007-2754", "description": "Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.", "published": "2007-05-17T18:30:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2754", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-10-11T11:07:10"}], "gentoo": [{"id": "GLSA-200705-22", "type": "gentoo", "title": "FreeType: Buffer overflow", "description": "### Background\n\nFreeType is a True Type Font rendering library. \n\n### Description\n\nVictor Stinner discovered a heap-based buffer overflow in the function Get_VMetrics() in src/truetype/ttgload.c when processing TTF files with a negative n_points attribute. \n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted TTF file, possibly resulting in the execution of arbitrary code with the privileges of the user running FreeType. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll FreeType users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-libs/freetype-2.3.4-r2\"", "published": "2007-05-30T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/200705-22", "cvelist": ["CVE-2007-2754"], "lastseen": "2016-09-06T19:46:01"}, {"id": "GLSA-200707-02", "type": "gentoo", "title": "OpenOffice.org: Two buffer overflows", "description": "### Background\n\nOpenOffice.org is an open source office productivity suite, including word processing, spreadsheet, presentation, drawing, data charting, formula editing, and file conversion facilities. \n\n### Description\n\nJohn Heasman of NGSSoftware has discovered a heap-based buffer overflow when parsing the \"prdata\" tag in RTF files where the first token is smaller than the second one (CVE-2007-0245). Additionally, the OpenOffice binary program is shipped with a version of FreeType that contains an integer signedness error in the n_points variable in file truetype/ttgload.c, which was covered by GLSA 200705-22 (CVE-2007-2754). \n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted document, possibly leading to execution of arbitrary code with the rights of the user running OpenOffice.org. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll OpenOffice.org users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-office/openoffice-2.2.1\"\n\nAll OpenOffice.org binary users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-office/openoffice-bin-2.2.1\"", "published": "2007-07-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/200707-02", "cvelist": ["CVE-2007-0245", "CVE-2007-2754"], "lastseen": "2016-09-06T19:46:51"}, {"id": "GLSA-201006-01", "type": "gentoo", "title": "FreeType 1: User-assisted execution of arbitrary code", "description": "### Background\n\nFreeType is a True Type Font rendering library. \n\n### Description\n\nMultiple issues found in FreeType 2 were also discovered in FreeType 1. For details on these issues, please review the Gentoo Linux Security Advisories and CVE identifiers referenced below. \n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted TTF file, possibly resulting in the execution of arbitrary code with the privileges of the user running FreeType. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll FreeType 1 users should upgrade to an unaffected version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-libs/freetype-1.4_pre20080316-r2\"\n\nNOTE: This is a legacy GLSA. Updates for all affected architectures are available since May 27, 2009. 
It is likely that your system is already no longer affected by this issue.", "published": "2010-06-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201006-01", "cvelist": ["CVE-2007-2754", "CVE-2006-1861"], "lastseen": "2016-09-06T19:46:57"}], "osvdb": [{"id": "OSVDB:36509", "type": "osvdb", "title": "FreeType truetype/ttgload.c TTF Image Handling Overflow", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1018088\n[Secunia Advisory ID:25353](https://secuniaresearch.flexerasoftware.com/advisories/25353/)\n[Secunia Advisory ID:25483](https://secuniaresearch.flexerasoftware.com/advisories/25483/)\n[Secunia Advisory ID:25609](https://secuniaresearch.flexerasoftware.com/advisories/25609/)\n[Secunia Advisory ID:25705](https://secuniaresearch.flexerasoftware.com/advisories/25705/)\n[Secunia Advisory ID:25810](https://secuniaresearch.flexerasoftware.com/advisories/25810/)\n[Secunia Advisory ID:25350](https://secuniaresearch.flexerasoftware.com/advisories/25350/)\n[Secunia Advisory ID:25808](https://secuniaresearch.flexerasoftware.com/advisories/25808/)\n[Secunia Advisory ID:26129](https://secuniaresearch.flexerasoftware.com/advisories/26129/)\n[Secunia Advisory ID:25894](https://secuniaresearch.flexerasoftware.com/advisories/25894/)\n[Secunia Advisory ID:25386](https://secuniaresearch.flexerasoftware.com/advisories/25386/)\n[Secunia Advisory ID:25463](https://secuniaresearch.flexerasoftware.com/advisories/25463/)\n[Secunia Advisory ID:25612](https://secuniaresearch.flexerasoftware.com/advisories/25612/)\n[Secunia Advisory ID:25905](https://secuniaresearch.flexerasoftware.com/advisories/25905/)\n[Secunia Advisory ID:25654](https://secuniaresearch.flexerasoftware.com/advisories/25654/)\nRedHat RHSA: RHSA-2007:0403\nOther Advisory URL: http://lists.rpath.com/pipermail/security-announce/2007-May/000191.html\nOther Advisory URL: 
http://www.mandriva.com/security/advisories?name=MDKSA-2007:121\nOther Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc\nOther Advisory URL: http://lists.gnu.org/archive/html/freetype-devel/2007-04/msg00041.html\nOther Advisory URL: http://www.trustix.org/errata/2007/0019/\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200705-22.xml\nOther Advisory URL: http://www.ubuntu.com/usn/usn-466-1\nOther Advisory URL: http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00095.html\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102967-1\nOther Advisory URL: http://www.debian.org/security/2007/dsa-1302\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200707-02.xml\nOther Advisory URL: http://lists.opensuse.org/opensuse-security-announce/2007-07/msg00003.html\nOther Advisory URL: http://sourceforge.net/project/shownotes.php?release_id=518478&group_id=16768\nFrSIRT Advisory: ADV-2007-1894\nFrSIRT Advisory: ADV-2007-2229\n[CVE-2007-2754](https://vulners.com/cve/CVE-2007-2754)\nBugtraq ID: 24074\n", "published": "2007-05-22T12:03:42", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:36509", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-04-28T13:20:32"}], "openvas": [{"id": "OPENVAS:66004", "type": "openvas", "title": "SLES10: Security update for freetype2", "description": "The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n freetype2\n freetype2-devel\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 10 patch database located at\nhttp://download.novell.com/patch/finder/", "published": "2009-10-13T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=66004", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-07-26T08:55:16"}, {"id": "OPENVAS:861259", "type": "openvas", "title": "Fedora Update for freetype FEDORA-2007-0033", "description": "Check for the Version of freetype", "published": "2009-02-27T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=861259", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-07-25T10:56:15"}, {"id": "OPENVAS:850084", "type": "openvas", "title": "SuSE Update for freetype2 SUSE-SA:2007:041", "description": "Check for the Version of freetype2", "published": "2009-01-28T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=850084", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-12-12T11:19:47"}, {"id": "OPENVAS:58300", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200705-22 (freetype)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200705-22.", "published": "2008-09-24T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=58300", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-07-24T12:49:56"}, {"id": "OPENVAS:840016", "type": "openvas", "title": "Ubuntu Update for freetype vulnerability USN-466-1", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-466-1", "published": "2009-03-23T00:00:00", "cvss": 
{"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=840016", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-12-04T11:28:10"}, {"id": "OPENVAS:65057", "type": "openvas", "title": "SLES9: Security update for freetype2", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n freetype2-devel\n freetype2\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5016218 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=65057", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-07-26T08:55:41"}, {"id": "OPENVAS:136141256231066004", "type": "openvas", "title": "SLES10: Security update for freetype2", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n freetype2\n freetype2-devel\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 10 patch database located at\nhttp://download.novell.com/patch/finder/", "published": "2009-10-13T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066004", "cvelist": ["CVE-2007-2754"], "lastseen": "2018-04-06T11:37:27"}, {"id": "OPENVAS:136141256231065057", "type": "openvas", "title": "SLES9: Security update for freetype2", "description": "The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n freetype2-devel\n freetype2\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5016218 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065057", "cvelist": ["CVE-2007-2754"], "lastseen": "2018-04-06T11:38:41"}, {"id": "OPENVAS:1361412562310830015", "type": "openvas", "title": "Mandriva Update for freetype2 MDKSA-2007:121 (freetype2)", "description": "Check for the Version of freetype2", "published": "2009-04-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310830015", "cvelist": ["CVE-2007-2754"], "lastseen": "2018-04-09T11:39:49"}, {"id": "OPENVAS:1361412562310122697", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2007-0403", "description": "Oracle Linux Local Security Checks ELSA-2007-0403", "published": "2015-10-08T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122697", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-07-24T12:52:42"}], "nessus": [{"id": "ORACLELINUX_ELSA-2007-0403.NASL", "type": "nessus", "title": "Oracle Linux 3 / 4 / 5 : freetype (ELSA-2007-0403)", "description": "From Red Hat Security Advisory 2007:0403 :\n\nUpdated freetype packages that fix a security flaw are now available for Red Hat Enterprise Linux 2.1, 3, 4, and 5.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nFreeType is a free, high-quality, portable font engine.\n\nAn integer overflow flaw was 
found in the way the FreeType font engine processed TTF font files. If a user loaded a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2007-2754)\n\nUsers of FreeType should upgrade to these updated packages, which contain a backported patch to correct this issue.", "published": "2013-07-12T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=67512", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-10-29T13:38:01"}, {"id": "UBUNTU_USN-466-1.NASL", "type": "nessus", "title": "Ubuntu 6.06 LTS / 6.10 / 7.04 : freetype vulnerability (USN-466-1)", "description": "Victor Stinner discovered that freetype did not correctly verify the number of points in a TrueType font. If a user were tricked into using a specially crafted font, a remote attacker could execute arbitrary code with user privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2007-11-10T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=28066", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-10-29T13:38:56"}, {"id": "MANDRAKE_MDKSA-2007-121.NASL", "type": "nessus", "title": "Mandrake Linux Security Advisory : freetype2 (MDKSA-2007:121)", "description": "An integer overflow vulnerability was discovered in the way the FreeType font engine processed TTF files. 
If a user were to load a special font file with a program linked against freetype, it could cause the application to crash or possibly execute arbitrary code as the user running the program.\n\nThe updated packages have been patched to prevent this issue.", "published": "2007-06-14T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=25515", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-10-29T13:33:44"}, {"id": "SOLARIS10_X86_119813.NASL", "type": "nessus", "title": "Solaris 10 (x86) : 119813-24 (deprecated)", "description": "X11 6.6.2_x86: FreeType patch.\nDate this patch was last updated by Sun : Apr/27/17\n\nThis plugin has been deprecated and either replaced with individual 119813 patch-revision plugins, or deemed non-security related.", "published": "2007-02-18T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=24382", "cvelist": ["CVE-2007-2754"], "lastseen": "2018-03-15T14:55:59"}, {"id": "SL_20070611_FREETYPE_ON_SL5_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : freetype on SL5.x, SL4.x, SL3.x i386/x86_64", "description": "An integer overflow flaw was found in the way the FreeType font engine processed TTF font files. If a user loaded a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. 
(CVE-2007-2754)", "published": "2012-08-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=60197", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-10-29T13:40:33"}, {"id": "SOLARIS9_116105.NASL", "type": "nessus", "title": "Solaris 9 (sparc) : 116105-09", "description": "X11 6.6.1: FreeType patch.\nDate this patch was last updated by Sun : Aug/11/08", "published": "2006-11-20T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=23693", "cvelist": ["CVE-2007-2754"], "lastseen": "2016-09-26T17:26:04"}, {"id": "CENTOS_RHSA-2007-0403.NASL", "type": "nessus", "title": "CentOS 3 / 4 : freetype (CESA-2007:0403)", "description": "Updated freetype packages that fix a security flaw are now available for Red Hat Enterprise Linux 2.1, 3, 4, and 5.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nFreeType is a free, high-quality, portable font engine.\n\nAn integer overflow flaw was found in the way the FreeType font engine processed TTF font files. If a user loaded a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. 
(CVE-2007-2754)\n\nUsers of FreeType should upgrade to these updated packages, which contain a backported patch to correct this issue.", "published": "2007-06-12T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=25462", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-10-29T13:41:23"}, {"id": "SUSE9_11554.NASL", "type": "nessus", "title": "SuSE9 Security Update : freetype2 (YOU Patch Number 11554)", "description": "This update of freetype2 fixes an integer signedness bug when handling TTF images. This bug can lead to a heap overflow that can be exploited to execute arbitrary code. (CVE-2007-2754)", "published": "2009-09-24T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=41135", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-10-29T13:42:28"}, {"id": "SOLARIS8_X86_124421.NASL", "type": "nessus", "title": "Solaris 8 (x86) : 124421-04", "description": "X11 6.4.1_x86: freetype2 patch.\nDate this patch was last updated by Sun : Aug/11/08", "published": "2007-02-18T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=24400", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-10-29T13:37:46"}, {"id": "SOLARIS8_124420.NASL", "type": "nessus", "title": "Solaris 8 (sparc) : 124420-04", "description": "X11 6.4.1: freetype2 patch.\nDate this patch was last updated by Sun : Aug/11/08", "published": "2007-02-18T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=24396", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-10-29T13:44:42"}], "freebsd": [{"id": "DE2FAB2D-0A37-11DC-AAE2-00304881AC9A", 
"type": "freebsd", "title": "FreeType 2 -- Heap overflow vulnerability", "description": "\n\nInteger signedness error in truetype/ttgload.c in Freetype 2.3.4 and\n earlier might allow remote attackers to execute arbitrary code via a\n crafted TTF image with a negative n_points value, which leads to an\n integer overflow and heap-based buffer overflow.\n\n", "published": "2007-04-27T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/de2fab2d-0a37-11dc-aae2-00304881ac9a.html", "cvelist": ["CVE-2007-2754"], "lastseen": "2016-09-26T17:25:02"}], "centos": [{"id": "CESA-2007:0403", "type": "centos", "title": "freetype security update", "description": "**CentOS Errata and Security Advisory** CESA-2007:0403\n\n\nFreeType is a free, high-quality, portable font engine.\r\n\r\nAn integer overflow flaw was found in the way the FreeType font engine\r\nprocessed TTF font files. If a user loaded a carefully crafted font file\r\nwith a program linked against FreeType, it could cause the application to\r\ncrash or execute arbitrary code. While it is uncommon for a user to\r\nexplicitly load a font file, there are several application file formats\r\nwhich contain embedded fonts that are parsed by FreeType. 
(CVE-2007-2754)\r\n\r\nUsers of FreeType should upgrade to these updated packages, which contain\r\na backported patch to correct this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2007-June/013887.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-June/013888.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-June/013889.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-June/013890.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-June/013894.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-June/013895.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-June/013906.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-June/013907.html\n\n**Affected packages:**\nfreetype\nfreetype-demos\nfreetype-devel\nfreetype-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2007-0403.html", "published": "2007-06-11T09:27:08", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2007-June/013887.html", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-10-03T18:25:08"}, {"id": "CESA-2007:0403-01", "type": "centos", "title": "freetype security update", "description": "**CentOS Errata and Security Advisory** CESA-2007:0403-01\n\n\nFreeType is a free, high-quality, portable font engine.\r\n\r\nAn integer overflow flaw was found in the way the FreeType font engine\r\nprocessed TTF font files. If a user loaded a carefully crafted font file\r\nwith a program linked against FreeType, it could cause the application to\r\ncrash or execute arbitrary code. While it is uncommon for a user to\r\nexplicitly load a font file, there are several application file formats\r\nwhich contain embedded fonts that are parsed by FreeType. 
(CVE-2007-2754)\r\n\r\nUsers of FreeType should upgrade to these updated packages, which contain\r\na backported patch to correct this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2007-June/013901.html\n\n**Affected packages:**\nfreetype\nfreetype-devel\nfreetype-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "published": "2007-06-12T00:56:26", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2007-June/013901.html", "cvelist": ["CVE-2007-2754"], "lastseen": "2017-10-03T18:24:50"}, {"id": "CESA-2009:0329", "type": "centos", "title": "freetype security update", "description": "**CentOS Errata and Security Advisory** CESA-2009:0329\n\n\nFreeType is a free, high-quality, portable font engine that can open and\nmanage font files. It also loads, hints, and renders individual glyphs\nefficiently. These packages provide both the FreeType 1 and FreeType 2\nfont engines.\n\nTavis Ormandy of the Google Security Team discovered several integer\noverflow flaws in the FreeType 2 font engine. If a user loaded a\ncarefully-crafted font file with an application linked against FreeType 2,\nit could cause the application to crash or, possibly, execute arbitrary\ncode with the privileges of the user running the application.\n(CVE-2009-0946)\n\nChris Evans discovered multiple integer overflow flaws in the FreeType font\nengine. If a user loaded a carefully-crafted font file with an application\nlinked against FreeType, it could cause the application to crash or,\npossibly, execute arbitrary code with the privileges of the user running\nthe application. (CVE-2006-1861)\n\nAn integer overflow flaw was found in the way the FreeType font engine\nprocessed TrueType\u00ae Font (TTF) files. 
If a user loaded a carefully-crafted\nfont file with an application linked against FreeType, it could cause the\napplication to crash or, possibly, execute arbitrary code with the\nprivileges of the user running the application. (CVE-2007-2754)\n\nA flaw was discovered in the FreeType TTF font-file format parser when the\nTrueType virtual machine Byte Code Interpreter (BCI) is enabled. If a user\nloaded a carefully-crafted font file with an application linked against\nFreeType, it could cause the application to crash or, possibly, execute\narbitrary code with the privileges of the user running the application.\n(CVE-2008-1808)\n\nThe CVE-2008-1808 flaw did not affect the freetype packages as distributed\nin Red Hat Enterprise Linux 3 and 4, as they are not compiled with TrueType\nBCI support. A fix for this flaw has been included in this update as users\nmay choose to recompile the freetype packages in order to enable TrueType\nBCI support. Red Hat does not, however, provide support for modified and\nrecompiled packages.\n\nNote: For the FreeType 2 font engine, the CVE-2006-1861, CVE-2007-2754,\nand CVE-2008-1808 flaws were addressed via RHSA-2006:0500, RHSA-2007:0403,\nand RHSA-2008:0556 respectively. This update provides corresponding\nupdates for the FreeType 1 font engine, included in the freetype packages\ndistributed in Red Hat Enterprise Linux 3 and 4.\n\nUsers are advised to upgrade to these updated packages, which contain\nbackported patches to correct these issues. 
The X server must be restarted\n(log out, then log back in) for this update to take effect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2009-May/015887.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-May/015888.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-May/015932.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-May/015934.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-May/015936.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-May/015939.html\n\n**Affected packages:**\nfreetype\nfreetype-demos\nfreetype-devel\nfreetype-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2009-0329.html", "published": "2009-05-22T15:02:05", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2009-May/015887.html", "cvelist": ["CVE-2009-0946", "CVE-2008-1808", "CVE-2007-2754", "CVE-2006-1861"], "lastseen": "2017-10-03T18:24:49"}], "debian": [{"id": "DSA-1302", "type": "debian", "title": "freetype -- integer overflow", "description": "A problem was discovered in freetype, a FreeType2 font engine, which could allow the execution of arbitrary code via an integer overflow in specially crafted TTF files.\n\nFor the stable distribution (etch), this problem has been fixed in version 2.2.1-5+etch1.\n\nFor the unstable distribution (sid), this problem has been fixed in version 2.2.1-6.\n\nWe recommend that you upgrade your freetype package.", "published": "2007-06-10T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-1302", "cvelist": ["CVE-2007-2754"], "lastseen": "2016-09-02T18:33:13"}], "oraclelinux": [{"id": "ELSA-2007-0403", "type": "oraclelinux", "title": "Moderate: freetype security update ", "description": " [2.1.9-6.el4]\n - Add 
freetype-2.1.9-ttf-overflow.patch\n - Resolves: #240574 ", "published": "2007-06-11T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2007-0403.html", "cvelist": ["CVE-2007-2754"], "lastseen": "2016-09-04T11:16:55"}, {"id": "ELSA-2009-0329", "type": "oraclelinux", "title": "freetype security update", "description": "[2.1.9-10.el4.7]\n- Improve freetype-1.4pre-CVE-2008-1808.patch\n[2.1.9-9.el4.7]\n- Add freetype-2009-CVEs.patch (Fixes CVE-2009-0946)\n (Doesn't apply to freetype1)\n- Add freetype-1.4pre-CVE-2008-1808.patch\n (Corresponds to freetype-2.3.5-CVEs.patch)\n- Add freetype-pre1.4-ttf-overflow.patch\n (Corresponds to freetype-2.1.9-ttf-overflow.patch;\n freetype-2.2.1-bdf-overflow.patch doesn't apply to freetype1)\n- Add freetype-pre1.4-CVE-2006-1861-null-pointer.patch\n (Corresponds to freetype-2.1.9-CVE-2006-1861-null-pointer.patch;\n The rest of CVS-2006-1861 doesn't apply to freetype1)\n- Resolves: #484443\n[2.1.9-8.1.el4]\n- Update patches to remove fuzz, such that it builds again\n- In preparation to fix:\n- Resolves: #484443", "published": "2009-05-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2009-0329.html", "cvelist": ["CVE-2009-0946", "CVE-2008-1808", "CVE-2007-2754", "CVE-2006-1861"], "lastseen": "2016-09-04T11:16:48"}], "ubuntu": [{"id": "USN-466-1", "type": "ubuntu", "title": "freetype vulnerability", "description": "Victor Stinner discovered that freetype did not correctly verify the number of points in a TrueType font. 
If a user were tricked into using a specially crafted font, a remote attacker could execute arbitrary code with user privileges.", "published": "2007-05-30T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/466-1/", "cvelist": ["CVE-2007-2754"], "lastseen": "2018-03-29T18:21:07"}], "suse": [{"id": "SUSE-SA:2007:041", "type": "suse", "title": "remote code execution in freetype2", "description": "The TTF rendering library freetype2 was updated to fix an integer signedness bug when handling TTF images.\n#### Solution\nThere is no known workaround, please install the update packages.", "published": "2007-07-04T13:46:33", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2007-07/msg00003.html", "cvelist": ["CVE-2007-2754"], "lastseen": "2016-09-04T12:07:54"}], "redhat": [{"id": "RHSA-2007:0403", "type": "redhat", "title": "(RHSA-2007:0403) Moderate: freetype security update", "description": "FreeType is a free, high-quality, portable font engine.\r\n\r\nAn integer overflow flaw was found in the way the FreeType font engine\r\nprocessed TTF font files. If a user loaded a carefully crafted font file\r\nwith a program linked against FreeType, it could cause the application to\r\ncrash or execute arbitrary code. While it is uncommon for a user to\r\nexplicitly load a font file, there are several application file formats\r\nwhich contain embedded fonts that are parsed by FreeType. 
(CVE-2007-2754)\r\n\r\nUsers of FreeType should upgrade to these updated packages, which contain\r\na backported patch to correct this issue.", "published": "2007-06-11T04:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2007:0403", "cvelist": ["CVE-2007-2754"], "lastseen": "2018-03-28T01:01:06"}, {"id": "RHSA-2009:1062", "type": "redhat", "title": "(RHSA-2009:1062) Important: freetype security update", "description": "FreeType is a free, high-quality, portable font engine that can open and\nmanage font files. It also loads, hints, and renders individual glyphs\nefficiently. These packages provide both the FreeType 1 and FreeType 2\nfont engines.\n\nTavis Ormandy of the Google Security Team discovered several integer\noverflow flaws in the FreeType 2 font engine. If a user loaded a\ncarefully-crafted font file with an application linked against FreeType 2,\nit could cause the application to crash or, possibly, execute arbitrary\ncode with the privileges of the user running the application.\n(CVE-2009-0946)\n\nChris Evans discovered multiple integer overflow flaws in the FreeType font\nengine. If a user loaded a carefully-crafted font file with an application\nlinked against FreeType, it could cause the application to crash or,\npossibly, execute arbitrary code with the privileges of the user running\nthe application. (CVE-2006-1861)\n\nAn integer overflow flaw was found in the way the FreeType font engine\nprocessed TrueType\u00ae Font (TTF) files. If a user loaded a carefully-crafted\nfont file with an application linked against FreeType, it could cause the\napplication to crash or, possibly, execute arbitrary code with the\nprivileges of the user running the application. 
(CVE-2007-2754)\n\nNote: For the FreeType 2 font engine, the CVE-2006-1861 and CVE-2007-2754\nflaws were addressed via RHSA-2006:0500 and RHSA-2007:0403 respectively.\nThis update provides corresponding updates for the FreeType 1 font engine,\nincluded in the freetype packages distributed in Red Hat Enterprise Linux\n2.1.\n\nUsers are advised to upgrade to these updated packages, which contain\nbackported patches to correct these issues. The X server must be restarted\n(log out, then log back in) for this update to take effect.", "published": "2009-05-22T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2009:1062", "cvelist": ["CVE-2006-1861", "CVE-2007-2754", "CVE-2009-0946"], "lastseen": "2018-03-14T15:44:10"}, {"id": "RHSA-2009:0329", "type": "redhat", "title": "(RHSA-2009:0329) Important: freetype security update", "description": "FreeType is a free, high-quality, portable font engine that can open and\nmanage font files. It also loads, hints, and renders individual glyphs\nefficiently. These packages provide both the FreeType 1 and FreeType 2\nfont engines.\n\nTavis Ormandy of the Google Security Team discovered several integer\noverflow flaws in the FreeType 2 font engine. If a user loaded a\ncarefully-crafted font file with an application linked against FreeType 2,\nit could cause the application to crash or, possibly, execute arbitrary\ncode with the privileges of the user running the application.\n(CVE-2009-0946)\n\nChris Evans discovered multiple integer overflow flaws in the FreeType font\nengine. If a user loaded a carefully-crafted font file with an application\nlinked against FreeType, it could cause the application to crash or,\npossibly, execute arbitrary code with the privileges of the user running\nthe application. 
(CVE-2006-1861)\n\nAn integer overflow flaw was found in the way the FreeType font engine\nprocessed TrueType\u00ae Font (TTF) files. If a user loaded a carefully-crafted\nfont file with an application linked against FreeType, it could cause the\napplication to crash or, possibly, execute arbitrary code with the\nprivileges of the user running the application. (CVE-2007-2754)\n\nA flaw was discovered in the FreeType TTF font-file format parser when the\nTrueType virtual machine Byte Code Interpreter (BCI) is enabled. If a user\nloaded a carefully-crafted font file with an application linked against\nFreeType, it could cause the application to crash or, possibly, execute\narbitrary code with the privileges of the user running the application.\n(CVE-2008-1808)\n\nThe CVE-2008-1808 flaw did not affect the freetype packages as distributed\nin Red Hat Enterprise Linux 3 and 4, as they are not compiled with TrueType\nBCI support. A fix for this flaw has been included in this update as users\nmay choose to recompile the freetype packages in order to enable TrueType\nBCI support. Red Hat does not, however, provide support for modified and\nrecompiled packages.\n\nNote: For the FreeType 2 font engine, the CVE-2006-1861, CVE-2007-2754,\nand CVE-2008-1808 flaws were addressed via RHSA-2006:0500, RHSA-2007:0403,\nand RHSA-2008:0556 respectively. This update provides corresponding\nupdates for the FreeType 1 font engine, included in the freetype packages\ndistributed in Red Hat Enterprise Linux 3 and 4.\n\nUsers are advised to upgrade to these updated packages, which contain\nbackported patches to correct these issues. 
The X server must be restarted\n(log out, then log back in) for this update to take effect.", "published": "2009-05-22T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2009:0329", "cvelist": ["CVE-2006-1861", "CVE-2007-2754", "CVE-2008-1808", "CVE-2009-0946"], "lastseen": "2017-09-09T07:19:58"}]}}