FreeType Buffer Overflows and Memory Errors Let Remote Users Deny Service and Execute Arbitrary Code
|
SecurityTracker Alert ID: 1026765
|
SecurityTracker URL: http://securitytracker.com/id/1026765
|
CVE Reference:
CVE-2012-1126, CVE-2012-1127, CVE-2012-1128, CVE-2012-1129, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1133, CVE-2012-1134, CVE-2012-1135, CVE-2012-1136, CVE-2012-1137, CVE-2012-1138, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1142, CVE-2012-1143, CVE-2012-1144
|
Date: Mar 6 2012
|
Impact:
Denial of service via network, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 2.4.9
|
Description:
Multiple vulnerabilities were reported in FreeType. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions.
A remote user can create a specially crafted font that, when loaded by the target user or application, will either trigger a write buffer overflow and execute arbitrary code on the target system, or trigger a read buffer overflow and cause the target application to crash. The code will run with the privileges of the target user or application.
An out-of-bounds buffer read in parsing, adding, or validating properties in BDF fonts can cause denial of service conditions [CVE-2012-1126].
An out-of-bounds buffer read in parsing glyph information and bitmaps for BDF fonts can cause denial of service conditions [CVE-2012-1127].
A null pointer dereference in processing TrueType fonts can cause denial of service conditions [CVE-2012-1128].
An out-of-bounds buffer read in parsing certain SFNT strings by the Type42 font parser can cause denial of service conditions [CVE-2012-1129].
An out-of-bounds buffer read in loading properties of PCF fonts can cause denial of service conditions [CVE-2012-1130].
An out-of-bounds buffer read in reading cell data can cause denial of service conditions [CVE-2012-1131].
An out-of-bounds buffer read in parsing font dictionary entries can cause denial of service conditions [CVE-2012-1132].
A heap overflow in parsing BDF glyph information and bitmaps can cause code execution [CVE-2012-1133].
A heap overflow in retrieving a font's private dictionary can cause code execution [CVE-2012-1134].
An out-of-bounds buffer read in the TrueType bytecode interpreter when executing NPUSHB and NPUSHW instructions can cause denial of service conditions [CVE-2012-1135].
A heap overflow in parsing BDF glyphs and bitmaps with a missing ENCODING field can cause code execution [CVE-2012-1136].
An out-of-bounds buffer read in parsing BDF font header data can cause denial of service conditions [CVE-2012-1137].
An out-of-bounds buffer read in the TrueType bytecode interpreter when executing the MIRP instruction can cause denial of service conditions [CVE-2012-1138].
An array index error in parsing BDF font glyph information can cause denial of service conditions [CVE-2012-1139].
An out-of-bounds buffer read in converting PostScript font objects can cause denial of service conditions [CVE-2012-1140].
An out-of-bounds buffer read when converting an ASCII string into a signed short integer in BDF fonts can cause denial of service conditions [CVE-2012-1141].
A heap overflow in retrieving advance values for glyph outlines can cause code execution [CVE-2012-1142].
An integer divide-by-zero error can cause denial of service conditions [CVE-2012-1143].
A buffer overflow in the TrueType bytecode interpreter can cause code execution [CVE-2012-1144].
Mateusz Jurczyk, Google Security Team, reported these vulnerabilities.
|
Impact:
A remote user can create a file that, when loaded by the target user or application, will execute arbitrary code on the target system.
A remote user can cause denial of service conditions.
|
Solution:
The vendor has issued a source code fix.
The fix will be included in future version 2.4.9.
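An added example (not part of the advisory or of FreeType's own code) that checks whether the FreeType library found on a host predates the fixed release named above. It assumes libfreetype can be located by `ctypes.util.find_library`; the helper names `parse_version`, `is_affected` and `loaded_freetype_version` are hypothetical.

```python
import ctypes
import ctypes.util

# First release containing the fixes, per the advisory ("prior to 2.4.9").
FIXED_VERSION = (2, 4, 9)


def parse_version(text):
    """Turn '2.4.8' or '2.10' into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError("unexpected FreeType version: %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True if the version predates the fixed release.

    Tuples compare numerically, so (2, 10, 0) is correctly newer than
    (2, 4, 9); comparing the strings '2.10.0' < '2.4.9' would get it wrong.
    """
    return tuple(version) < FIXED_VERSION


def loaded_freetype_version():
    """Return (major, minor, patch) of the system libfreetype, or None."""
    name = ctypes.util.find_library("freetype")
    if name is None:
        return None
    try:
        lib = ctypes.CDLL(name)
    except OSError:
        return None
    lib.FT_Library_Version.restype = None
    library = ctypes.c_void_p()  # FT_Library is an opaque pointer
    if lib.FT_Init_FreeType(ctypes.byref(library)) != 0:
        return None
    major, minor, patch = ctypes.c_int(), ctypes.c_int(), ctypes.c_int()
    lib.FT_Library_Version(library, ctypes.byref(major),
                           ctypes.byref(minor), ctypes.byref(patch))
    lib.FT_Done_FreeType(library)
    return (major.value, minor.value, patch.value)


if __name__ == "__main__":
    found = loaded_freetype_version()
    if found is None:
        print("libfreetype not found")
    else:
        print(found, "affected" if is_affected(found) else "fixed release or later")
```

Distribution packages may backport fixes without changing the upstream version number, so an "affected" result is a prompt to check the package changelog for these CVE identifiers.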
|
Vendor URL: www.freetype.org/
|
Cause:
Access control error, Boundary error
|
Underlying OS: Linux (Any), UNIX (Any)
|