Vulnerabilities > CVE-2006-0747 - Numeric Errors vulnerability in Freetype
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values.
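An added illustration of the failure mode the summary describes (a constructed example, not FreeType's code and not part of this record): the pairing loop over blue values in its unchecked form beside a form that validates the count first, plus a helper that shows the unsigned counter wrapping on an odd count. The function names, the MAX_BLUES limit and the sample values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration of the bug class in the summary above: walking
 * "blue values" in (bottom, top) pairs by decrementing an unsigned counter
 * by 2, which only terminates when the count is even. Names, the limit and
 * the sample data are assumptions; this is not FreeType's code. */

#define MAX_BLUES 14  /* assumed plausible upper bound on blue values */

/* Models only the unchecked counter: its value after the step that consumes
 * the last element. Even counts reach 0; an odd count reaches 1, the loop
 * still sees 1 > 0, and 1 - 2 wraps to SIZE_MAX. */
size_t final_counter(size_t count)
{
    size_t n = count;
    while (n > 1)
        n -= 2;                  /* one (bottom, top) pair per iteration */
    return (n == 0) ? 0 : n - 2;
}

/* Vulnerable pattern: assumes num_blues is even. The bounds guard exists
 * only so this demo never reads past the buffer; the real pattern lacks it
 * and keeps reading while the wrapped counter is non-zero. */
int count_blue_pairs_unchecked(const int *blues, size_t num_blues)
{
    size_t remaining = num_blues, i = 0;
    int pairs = 0;
    while (remaining > 0) {
        if (i + 1 >= num_blues)
            return -1;           /* would read blues[num_blues] */
        if (blues[i] > blues[i + 1])
            return -1;           /* malformed pair */
        pairs++;
        i += 2;
        remaining -= 2;          /* wraps when remaining == 1 */
    }
    return pairs;
}

/* Hardened form: cap the count, reject an odd count up front, and iterate by
 * index with a bound that cannot wrap. Rejecting instead of truncating to an
 * even count is a policy choice; either removes the underflow. */
int count_blue_pairs_checked(const int *blues, size_t num_blues)
{
    if (num_blues > MAX_BLUES || (num_blues & 1) != 0)
        return -1;
    int pairs = 0;
    for (size_t i = 0; i + 1 < num_blues; i += 2) {
        if (blues[i] > blues[i + 1])
            return -1;
        pairs++;
    }
    return pairs;
}

/* Constructed sample data: two well-formed pairs, then one unpaired value. */
const int blues_even[4] = { -10, 0, 700, 712 };
const int blues_odd[3]  = { -10, 0, 700 };
```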
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description | FreeType TTF File Remote Buffer Overflow Vulnerability. CVE-2006-0747. Remote exploit for unix platform |
id | EDB-ID:27992 |
last seen | 2016-02-03 |
modified | 2006-06-08 |
published | 2006-06-08 |
reporter | Josh Bressers |
source | https://www.exploit-db.com/download/27992/ |
title | FreeType TTF File Remote Buffer Overflow Vulnerability |
Nessus
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1095.NASL
description: Several problems have been discovered in the FreeType 2 font engine. The Common vulnerabilities and Exposures project identifies the following problems :
- CVE-2006-0747 Several integer underflows have been discovered which could allow remote attackers to cause a denial of service.
- CVE-2006-1861 Chris Evans discovered several integer overflows that lead to a denial of service or could possibly even lead to the execution of arbitrary code.
- CVE-2006-2493 Several more integer overflows have been discovered which could possibly lead to the execution of arbitrary code.
- CVE-2006-2661 A NULL pointer dereference could cause a denial of service.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22637
published: 2006-10-14
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/22637
title: Debian DSA-1095-1 : freetype - integer overflows
code:
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1095. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22637);
  script_version("1.22");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  script_cve_id("CVE-2006-0747", "CVE-2006-1861", "CVE-2006-2661");
  script_bugtraq_id(18034);
  script_xref(name:"DSA", value:"1095");

  script_name(english:"Debian DSA-1095-1 : freetype - integer overflows");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several problems have been discovered in the FreeType 2 font engine.
The Common vulnerabilities and Exposures project identifies the
following problems :

  - CVE-2006-0747
    Several integer underflows have been discovered which
    could allow remote attackers to cause a denial of service.

  - CVE-2006-1861
    Chris Evans discovered several integer overflows that lead
    to a denial of service or could possibly even lead to the
    execution of arbitrary code.

  - CVE-2006-2493
    Several more integer overflows have been discovered which
    could possibly lead to the execution of arbitrary code.

  - CVE-2006-2661
    A NULL pointer dereference could cause a denial of service."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-0747"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-1861"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-2493"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-2661"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2006/dsa-1095"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the libfreetype packages.

For the old stable distribution (woody) these problems have been fixed
in version 2.0.9-1woody1.

For the stable distribution (sarge) these problems have been fixed in
version 2.1.7-2.5."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:freetype");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/06/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"3.0", prefix:"freetype2-demos", reference:"2.0.9-1woody1")) flag++;
if (deb_check(release:"3.0", prefix:"libfreetype6", reference:"2.0.9-1woody1")) flag++;
if (deb_check(release:"3.0", prefix:"libfreetype6-dev", reference:"2.0.9-1woody1")) flag++;
if (deb_check(release:"3.1", prefix:"freetype2-demos", reference:"2.1.7-2.5")) flag++;
if (deb_check(release:"3.1", prefix:"libfreetype6", reference:"2.1.7-2.5")) flag++;
if (deb_check(release:"3.1", prefix:"libfreetype6-dev", reference:"2.1.7-2.5")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2006-099.NASL
description: Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values. (CVE-2006-0747) Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. (CVE-2006-1861) Ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference. (CVE-2006-2661) In addition, a patch is applied to 2.1.10 in Mandriva 2006 to fix a serious bug in ttkern.c that caused some programs to go into an infinite loop when dealing with fonts that don't have a properly sorted kerning sub-table.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21715
published: 2006-06-16
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/21715
title: Mandrake Linux Security Advisory : freetype2 (MDKSA-2006:099-1)
code:
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2006:099.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(21715);
  script_version ("1.20");
  script_cvs_date("Date: 2019/08/02 13:32:48");

  script_cve_id(
    "CVE-2006-0747",
    "CVE-2006-1861",
    "CVE-2006-2661"
  );
  script_bugtraq_id(
    18034,
    18326,
    18329
  );
  script_xref(name:"MDKSA", value:"2006:099-1");

  script_name(english:"Mandrake Linux Security Advisory : freetype2 (MDKSA-2006:099-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Integer underflow in Freetype before 2.2 allows remote attackers to
cause a denial of service (crash) via a font file with an odd number
of blue values, which causes the underflow when decrementing by 2 in a
context that assumes an even number of values. (CVE-2006-0747)

Multiple integer overflows in FreeType before 2.2 allow remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2)
sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and
a crafted LWFN file in base/ftmac.c. (CVE-2006-1861)

Ftutil.c in Freetype before 2.2 allows remote attackers to cause a
denial of service (crash) via a crafted font file that triggers a null
dereference. (CVE-2006-2661)

In addition, a patch is applied to 2.1.10 in Mandriva 2006 to fix a
serious bug in ttkern.c that caused some programs to go into an
infinite loop when dealing with fonts that don't have a properly sorted
kerning sub-table. This patch is not applicable to the earlier Mandriva
releases.

Update :

The previous update introduced some issues with other applications and
libraries linked to libfreetype, that were missed in testing for the
vulnerability issues. The new packages correct these issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64freetype6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64freetype6-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64freetype6-static-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libfreetype6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libfreetype6-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libfreetype6-static-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;
if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64freetype6-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64freetype6-devel-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64freetype6-static-devel-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libfreetype6-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libfreetype6-devel-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libfreetype6-static-devel-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64freetype6-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64freetype6-devel-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64freetype6-static-devel-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libfreetype6-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libfreetype6-devel-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libfreetype6-static-devel-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2006-0500.NASL
description: Updated freetype packages that fix several security flaws are now available for Red Hat Enterprise Linux. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, and portable font engine. Chris Evans discovered several integer underflow and overflow flaws in the FreeType font engine. If a user loads a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code as the user. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2006-0747, CVE-2006-1861, CVE-2006-3467) A NULL pointer dereference flaw was found in the FreeType font engine. An application linked against FreeType can crash upon loading a malformed font file. (CVE-2006-2661) Users of FreeType should upgrade to these updated packages, which contain backported patches to correct these issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22064
published: 2006-07-19
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/22064
title: CentOS 3 / 4 : freetype (CESA-2006:0500)

NASL family: SuSE Local Security Checks
NASL id: SUSE_FREETYPE2-1608.NASL
description: Fixes for: CVE-2006-0747, CVE-2006-1054, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661. This patch fixes a few integer overflows in freetype 2. Without this patch it is possible to create font files which make freetype 2 crash.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 27224
published: 2007-10-17
reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/27224
title: openSUSE 10 Security Update : freetype2 (freetype2-1608)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_B975763F521011DB8F1A000A48049292.NASL
description: SecurityTracker reports : A vulnerability was reported in FreeType. A remote user can cause arbitrary code to be executed on the target user
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22503
published: 2006-10-05
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/22503
title: FreeBSD : freetype -- LWFN Files Buffer Overflow Vulnerability (b975763f-5210-11db-8f1a-000a48049292)

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-291-1.NASL
description: Several integer overflows have been discovered in the FreeType library. By tricking a user into installing and/or opening a specially crafted font file, these could be exploited to execute arbitrary code with the privileges of that user. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 27863
published: 2007-11-10
reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/27863
title: Ubuntu 5.04 / 5.10 / 6.06 LTS : freetype vulnerabilities (USN-291-1)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2006-0500.NASL
description: Updated freetype packages that fix several security flaws are now available for Red Hat Enterprise Linux. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, and portable font engine. Chris Evans discovered several integer underflow and overflow flaws in the FreeType font engine. If a user loads a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code as the user. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2006-0747, CVE-2006-1861, CVE-2006-3467) A NULL pointer dereference flaw was found in the FreeType font engine. An application linked against FreeType can crash upon loading a malformed font file. (CVE-2006-2661) Users of FreeType should upgrade to these updated packages, which contain backported patches to correct these issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22068
published: 2006-07-19
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/22068
title: RHEL 2.1 / 3 / 4 : freetype (RHSA-2006:0500)

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_SECUPD2009-002.NASL
description: The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2009-002 applied. This security update contains fixes for the following products : Apache, ATS, BIND, CoreGraphics, Cscope, CUPS, Disk Images, enscript, Flash Player plug-in, Help Viewer, IPSec, Kerberos, Launch Services, libxml, Net-SNMP, Network Time, OpenSSL, QuickDraw Manager, Spotlight, system_cmds, telnet, Terminal, X11.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 38743
published: 2009-05-13
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/38743
title: Mac OS X Multiple Vulnerabilities (Security Update 2009-002)
Oval
accepted | 2013-04-29T04:19:52.527-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values. |
family | unix |
id | oval:org.mitre.oval:def:9508 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values. |
version | 26 |
Redhat
advisories | |
rpms | |
References
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183676
- http://www.debian.org/security/2006/dsa-1095
- http://www.securityfocus.com/bid/18326
- http://secunia.com/advisories/20525
- http://secunia.com/advisories/20591
- http://secunia.com/advisories/20638
- http://lists.suse.com/archive/suse-security-announce/2006-Jun/0012.html
- http://secunia.com/advisories/20791
- http://www.redhat.com/support/errata/RHSA-2006-0500.html
- http://secunia.com/advisories/21062
- ftp://patches.sgi.com/support/free/security/advisories/20060701-01-U
- http://securitytracker.com/id?1016522
- http://secunia.com/advisories/21135
- https://issues.rpath.com/browse/RPL-429
- http://secunia.com/advisories/21385
- http://support.avaya.com/elmodocs2/security/ASA-2006-176.htm
- http://secunia.com/advisories/21701
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102705-1
- http://secunia.com/advisories/23939
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:099
- http://support.apple.com/kb/HT3549
- http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
- http://www.us-cert.gov/cas/techalerts/TA09-133A.html
- http://www.vupen.com/english/advisories/2009/1297
- http://secunia.com/advisories/35074
- http://www.vupen.com/english/advisories/2007/0381
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9508
- https://usn.ubuntu.com/291-1/
- http://www.securityfocus.com/archive/1/436836/100/0/threaded