CVE-2006-1861 - Numeric Errors vulnerability in Freetype

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1095.NASL
    description: Several problems have been discovered in the FreeType 2 font engine. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-0747 Several integer underflows have been discovered which could allow remote attackers to cause a denial of service. - CVE-2006-1861 Chris Evans discovered several integer overflows that lead to a denial of service or could possibly even lead to the execution of arbitrary code. - CVE-2006-2493 Several more integer overflows have been discovered which could possibly lead to the execution of arbitrary code. - CVE-2006-2661 A NULL pointer dereference could cause a denial of service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22637
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22637
    title: Debian DSA-1095-1 : freetype - integer overflows
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1095. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22637);
      script_version("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2006-0747", "CVE-2006-1861", "CVE-2006-2661");
      script_bugtraq_id(18034);
      script_xref(name:"DSA", value:"1095");
    
      script_name(english:"Debian DSA-1095-1 : freetype - integer overflows");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several problems have been discovered in the FreeType 2 font engine.
    The Common vulnerabilities and Exposures project identifies the
    following problems :
    
      - CVE-2006-0747
        Several integer underflows have been discovered which
        could allow remote attackers to cause a denial of
        service.
    
      - CVE-2006-1861
        Chris Evans discovered several integer overflows that
        lead to a denial of service or could possibly even lead
        to the execution of arbitrary code.
    
      - CVE-2006-2493
        Several more integer overflows have been discovered
        which could possibly lead to the execution of arbitrary
        code.
    
      - CVE-2006-2661
        A NULL pointer dereference could cause a denial of
        service."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-0747"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1861"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-2493"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-2661"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1095"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the libfreetype packages.
    
    For the old stable distribution (woody) these problems have been fixed
    in version 2.0.9-1woody1.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 2.1.7-2.5."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:freetype");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/06/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"freetype2-demos", reference:"2.0.9-1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libfreetype6", reference:"2.0.9-1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libfreetype6-dev", reference:"2.0.9-1woody1")) flag++;
    if (deb_check(release:"3.1", prefix:"freetype2-demos", reference:"2.1.7-2.5")) flag++;
    if (deb_check(release:"3.1", prefix:"libfreetype6", reference:"2.1.7-2.5")) flag++;
    if (deb_check(release:"3.1", prefix:"libfreetype6-dev", reference:"2.1.7-2.5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2009-0329.NASL
    description: Updated freetype packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide both the FreeType 1 and FreeType 2 font engines. Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946) Chris Evans discovered multiple integer overflow flaws in the FreeType font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2006-1861) An integer overflow flaw was found in the way the FreeType font engine processed TrueType(r) Font (TTF) files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2007-2754) A flaw was discovered in the FreeType TTF font-file format parser when the TrueType virtual machine Byte Code Interpreter (BCI) is enabled. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2008-1808) The CVE-2008-1808 flaw did not affect the freetype packages as distributed in Red Hat Enterprise Linux 3 and 4, as they are not compiled with TrueType BCI support. A fix for this flaw has been included in this update as users may choose to recompile the freetype packages in order to enable TrueType BCI support. Red Hat does not, however, provide support for modified and recompiled packages. Note: For the FreeType 2 font engine, the CVE-2006-1861, CVE-2007-2754, and CVE-2008-1808 flaws were addressed via RHSA-2006:0500, RHSA-2007:0403, and RHSA-2008:0556 respectively. This update provides corresponding updates for the FreeType 1 font engine, included in the freetype packages distributed in Red Hat Enterprise Linux 3 and 4. Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38867
    published: 2009-05-23
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38867
    title: CentOS 3 / 4 : freetype (CESA-2009:0329)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2009:0329 and 
    # CentOS Errata and Security Advisory 2009:0329 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(38867);
      script_version("1.21");
      script_cvs_date("Date: 2019/10/25 13:36:04");
    
      script_cve_id("CVE-2006-1861", "CVE-2007-2754", "CVE-2008-1808", "CVE-2009-0946");
      script_bugtraq_id(24074, 29637, 29639, 34550);
      script_xref(name:"RHSA", value:"2009:0329");
    
      script_name(english:"CentOS 3 / 4 : freetype (CESA-2009:0329)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated freetype packages that fix various security issues are now
    available for Red Hat Enterprise Linux 3 and 4.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    FreeType is a free, high-quality, portable font engine that can open
    and manage font files. It also loads, hints, and renders individual
    glyphs efficiently. These packages provide both the FreeType 1 and
    FreeType 2 font engines.
    
    Tavis Ormandy of the Google Security Team discovered several integer
    overflow flaws in the FreeType 2 font engine. If a user loaded a
    carefully-crafted font file with an application linked against
    FreeType 2, it could cause the application to crash or, possibly,
    execute arbitrary code with the privileges of the user running the
    application. (CVE-2009-0946)
    
    Chris Evans discovered multiple integer overflow flaws in the FreeType
    font engine. If a user loaded a carefully-crafted font file with an
    application linked against FreeType, it could cause the application to
    crash or, possibly, execute arbitrary code with the privileges of the
    user running the application. (CVE-2006-1861)
    
    An integer overflow flaw was found in the way the FreeType font engine
    processed TrueType(r) Font (TTF) files. If a user loaded a
    carefully-crafted font file with an application linked against
    FreeType, it could cause the application to crash or, possibly,
    execute arbitrary code with the privileges of the user running the
    application. (CVE-2007-2754)
    
    A flaw was discovered in the FreeType TTF font-file format parser when
    the TrueType virtual machine Byte Code Interpreter (BCI) is enabled.
    If a user loaded a carefully-crafted font file with an application
    linked against FreeType, it could cause the application to crash or,
    possibly, execute arbitrary code with the privileges of the user
    running the application. (CVE-2008-1808)
    
    The CVE-2008-1808 flaw did not affect the freetype packages as
    distributed in Red Hat Enterprise Linux 3 and 4, as they are not
    compiled with TrueType BCI support. A fix for this flaw has been
    included in this update as users may choose to recompile the freetype
    packages in order to enable TrueType BCI support. Red Hat does not,
    however, provide support for modified and recompiled packages.
    
    Note: For the FreeType 2 font engine, the CVE-2006-1861,
    CVE-2007-2754, and CVE-2008-1808 flaws were addressed via
    RHSA-2006:0500, RHSA-2007:0403, and RHSA-2008:0556 respectively. This
    update provides corresponding updates for the FreeType 1 font engine,
    included in the freetype packages distributed in Red Hat Enterprise
    Linux 3 and 4.
    
    Users are advised to upgrade to these updated packages, which contain
    backported patches to correct these issues. The X server must be
    restarted (log out, then log back in) for this update to take effect."
      );
      # https://lists.centos.org/pipermail/centos-announce/2009-May/015887.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ffa19826"
      );
      # https://lists.centos.org/pipermail/centos-announce/2009-May/015888.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d4b98262"
      );
      # https://lists.centos.org/pipermail/centos-announce/2009-May/015932.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?56b1dd2b"
      );
      # https://lists.centos.org/pipermail/centos-announce/2009-May/015936.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7732f16f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected freetype packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:freetype");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:freetype-demos");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:freetype-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:freetype-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/05/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/05/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"freetype-2.1.4-12.el3")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"freetype-demos-2.1.4-12.el3")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"freetype-devel-2.1.4-12.el3")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"freetype-utils-2.1.4-12.el3")) flag++;
    
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"freetype-2.1.9-10.el4.7")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"freetype-demos-2.1.9-10.el4.7")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"freetype-devel-2.1.9-10.el4.7")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"freetype-utils-2.1.9-10.el4.7")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freetype / freetype-demos / freetype-devel / freetype-utils");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200607-02.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200607-02 (FreeType: Multiple integer overflows) Multiple integer overflows exist in a variety of files (bdf/bdflib.c, sfnt/ttcmap.c, cff/cffgload.c, base/ftmac.c). Impact : A remote attacker could exploit these buffer overflows by enticing a user to load a specially crafted font, which could result in the execution of arbitrary code. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22009
    published: 2006-07-10
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22009
    title: GLSA-200607-02 : FreeType: Multiple integer overflows
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200607-02.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22009);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      script_cve_id("CVE-2006-1861");
      script_xref(name:"GLSA", value:"200607-02");
    
      script_name(english:"GLSA-200607-02 : FreeType: Multiple integer overflows");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200607-02
    (FreeType: Multiple integer overflows)
    
        Multiple integer overflows exist in a variety of files (bdf/bdflib.c,
        sfnt/ttcmap.c, cff/cffgload.c, base/ftmac.c).
      
    Impact :
    
        A remote attacker could exploit these buffer overflows by enticing a
        user to load a specially crafted font, which could result in the
        execution of arbitrary code.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200607-02"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All FreeType users should upgrade to the latest stable version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=media-libs/freetype-2.1.10-r2'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:freetype");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/10");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"media-libs/freetype", unaffected:make_list("ge 2.1.10-r2", "lt 2.0"), vulnerable:make_list("lt 2.1.10-r2"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "FreeType");
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-099.NASL
    description: Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values. (CVE-2006-0747) Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. (CVE-2006-1861) Ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference. (CVE-2006-2661) In addition, a patch is applied to 2.1.10 in Mandriva 2006 to fix a serious bug in ttkern.c that caused some programs to go into an infinite loop when dealing with fonts that don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21715
    published: 2006-06-16
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21715
    title: Mandrake Linux Security Advisory : freetype2 (MDKSA-2006:099-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2006:099. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21715);
      script_version ("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id(
        "CVE-2006-0747",
        "CVE-2006-1861",
        "CVE-2006-2661"
      );
      script_bugtraq_id(
        18034,
        18326,
        18329
      );
      script_xref(name:"MDKSA", value:"2006:099-1");
    
      script_name(english:"Mandrake Linux Security Advisory : freetype2 (MDKSA-2006:099-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Integer underflow in Freetype before 2.2 allows remote attackers to
    cause a denial of service (crash) via a font file with an odd number
    of blue values, which causes the underflow when decrementing by 2 in a
    context that assumes an even number of values. (CVE-2006-0747)
    
    Multiple integer overflows in FreeType before 2.2 allow remote
    attackers to cause a denial of service (crash) and possibly execute
    arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2)
    sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and
    a crafted LWFN file in base/ftmac.c. (CVE-2006-1861)
    
    Ftutil.c in Freetype before 2.2 allows remote attackers to cause a
    denial of service (crash) via a crafted font file that triggers a null
    dereference. (CVE-2006-2661)
    
    In addition, a patch is applied to 2.1.10 in Mandriva 2006 to fix a
    serious bug in ttkern.c that caused some programs to go into an
    infinite loop when dealing with fonts that don't have a properly
    sorted kerning sub-table. This patch is not applicable to the earlier
    Mandriva releases.
    
    Update :
    
    The previous update introduced some issues with other applications and
    libraries linked to libfreetype, that were missed in testing for the
    vulnerability issues. The new packages correct these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64freetype6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64freetype6-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64freetype6-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libfreetype6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libfreetype6-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libfreetype6-static-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/06/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64freetype6-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64freetype6-devel-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64freetype6-static-devel-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libfreetype6-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libfreetype6-devel-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libfreetype6-static-devel-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64freetype6-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64freetype6-devel-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64freetype6-static-devel-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libfreetype6-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libfreetype6-devel-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libfreetype6-static-devel-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2009-001.NASL
    description: The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-001 applied. This security update contains fixes for the following products : - AFP Server - Apple Pixlet Video - CarbonCore - CFNetwork - Certificate Assistant - ClamAV - CoreText - CUPS - DS Tools - fetchmail - Folder Manager - FSEvents - Network Time - perl - Printing - python - Remote Apple Events - Safari RSS - servermgrd - SMB - SquirrelMail - X11 - XTerm
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35684
    published: 2009-02-13
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35684
    title: Mac OS X Multiple Vulnerabilities (Security Update 2009-001)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (!defined_func("bn_random")) exit(0);
    if (NASL_LEVEL < 3004) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(35684);
      script_version("1.32");
      script_cvs_date("Date: 2018/07/16 12:48:31");
    
      script_cve_id("CVE-2006-1861", "CVE-2006-3467", "CVE-2007-1351", "CVE-2007-1352", "CVE-2007-1667",
                    "CVE-2007-4565", "CVE-2007-4965", "CVE-2008-1377", "CVE-2008-1379", "CVE-2008-1679",
                    "CVE-2008-1721", "CVE-2008-1806", "CVE-2008-1807", "CVE-2008-1808", "CVE-2008-1887",
                    "CVE-2008-1927", "CVE-2008-2315", "CVE-2008-2316", "CVE-2008-2360", "CVE-2008-2361",
                    "CVE-2008-2362", "CVE-2008-2379", "CVE-2008-2711", "CVE-2008-3142", "CVE-2008-3144",
                    "CVE-2008-3663", "CVE-2008-4864", "CVE-2008-5031", "CVE-2008-5050", "CVE-2008-5183",
                    "CVE-2008-5314", "CVE-2009-0009", "CVE-2009-0011", "CVE-2009-0012", "CVE-2009-0013",
                    "CVE-2009-0014", "CVE-2009-0015", "CVE-2009-0017", "CVE-2009-0018", "CVE-2009-0019",
                    "CVE-2009-0020", "CVE-2009-0137", "CVE-2009-0138", "CVE-2009-0139", "CVE-2009-0140",
                    "CVE-2009-0141", "CVE-2009-0142");
      script_bugtraq_id(25495, 25696, 28715, 28749, 28928, 29705, 30491, 31976, 32207, 32555,
                        33187, 33796, 33798, 33800, 33806, 33808, 33809, 33810, 33811, 33812,
                        33813, 33814, 33815, 33816, 33820, 33821);
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2009-001)");
      script_summary(english:"Check for the presence of Security Update 2009-001");
    
      script_set_attribute(  attribute:"synopsis",   value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues."  );
      script_set_attribute( attribute:"description", value:
    "The remote host is running a version of Mac OS X 10.5 or 10.4 that
    does not have Security Update 2009-001 applied.
    
    This security update contains fixes for the following products :
    
      - AFP Server
      - Apple Pixlet Video
      - CarbonCore
      - CFNetwork
      - Certificate Assistant
      - ClamAV
      - CoreText
      - CUPS
      - DS Tools
      - fetchmail
      - Folder Manager
      - FSEvents
      - Network Time
      - perl
      - Printing
      - python
      - Remote Apple Events
      - Safari RSS
      - servermgrd
      - SMB
      - SquirrelMail
      - X11
      - XTerm"  );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://support.apple.com/kb/ht3438"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
      );
      script_set_attribute( attribute:"solution", value:
        "Install Security Update 2009-001 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(20, 79, 119, 189, 255, 264, 287, 310, 362, 399);
      script_set_attribute(attribute:"plugin_publication_date", value: "2009/02/13");
      script_set_attribute(attribute:"patch_publication_date", value: "2009/02/12");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages", "Host/uname");
      exit(0);
    }
    
    #
    
    uname = get_kb_item("Host/uname");
    if (!uname) exit(1, "The 'Host/uname' KB item is missing.");
    
    if (egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname))
    {
      packages = get_kb_item("Host/MacOSX/packages");
      if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing.");
    
      if (egrep(pattern:"^SecUpd(Srvr)?(2009-00[1-9]|20[1-9][0-9]-)", string:packages))
        exit(0, "The host has Security Update 2009-001 or later installed and therefore is not affected.");
      else
        security_hole(0);
    }
    else if (egrep(pattern:"Darwin.* (9\.[0-6]\.)", string:uname))
    {
      packages = get_kb_item("Host/MacOSX/packages/boms");
      if (!packages) exit(1, "The 'Host/MacOSX/packages/boms' KB item is missing.");
    
      if (egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2009\.00[1-9]|20[1-9][0-9]\.[0-9]+)\.bom", string:packages))
        exit(0, "The host has Security Update 2009-001 or later installed and therefore is not affected.");
      else
        security_hole(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201006-01.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201006-01 (FreeType 1: User-assisted execution of arbitrary code) Multiple issues found in FreeType 2 were also discovered in FreeType 1. For details on these issues, please review the Gentoo Linux Security Advisories and CVE identifiers referenced below. Impact : A remote attacker could entice a user to open a specially crafted TTF file, possibly resulting in the execution of arbitrary code with the privileges of the user running FreeType. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 46768
    published: 2010-06-02
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/46768
    title: GLSA-201006-01 : FreeType 1: User-assisted execution of arbitrary code
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2009-5558.NASL
    description: Port of freetype2 security fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38938
    published: 2009-05-28
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38938
    title: Fedora 10 : freetype1-1.4-0.8.pre.fc10 (2009-5558)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2006-0500.NASL
    description: Updated freetype packages that fix several security flaws are now available for Red Hat Enterprise Linux. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, and portable font engine. Chris Evans discovered several integer underflow and overflow flaws in the FreeType font engine. If a user loads a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code as the user. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2006-0747, CVE-2006-1861, CVE-2006-3467) A NULL pointer dereference flaw was found in the FreeType font engine. An application linked against FreeType can crash upon loading a malformed font file. (CVE-2006-2661) Users of FreeType should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22064
    published: 2006-07-19
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22064
    title: CentOS 3 / 4 : freetype (CESA-2006:0500)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_FREETYPE2-1608.NASL
    description: Fixes for: CVE-2006-0747, CVE-2006-1054, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661. This patch fixes a few integer overflows in freetype 2. Without this patch it is possible to create font files which make freetype 2 crash.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27224
    published: 2007-10-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27224
    title: openSUSE 10 Security Update : freetype2 (freetype2-1608)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2009-0329.NASL
    description: Updated freetype packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide both the FreeType 1 and FreeType 2 font engines. Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946) Chris Evans discovered multiple integer overflow flaws in the FreeType font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2006-1861) An integer overflow flaw was found in the way the FreeType font engine processed TrueType(r) Font (TTF) files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2007-2754) A flaw was discovered in the FreeType TTF font-file format parser when the TrueType virtual machine Byte Code Interpreter (BCI) is enabled. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2008-1808) The CVE-2008-1808 flaw did not affect the freetype packages as distributed in Red Hat Enterprise Linux 3 and 4, as they are not compiled with TrueType BCI support. A fix for this flaw has been included in this update as users may choose to recompile the freetype packages in order to enable TrueType BCI support. Red Hat does not, however, provide support for modified and recompiled packages. Note: For the FreeType 2 font engine, the CVE-2006-1861, CVE-2007-2754, and CVE-2008-1808 flaws were addressed via RHSA-2006:0500, RHSA-2007:0403, and RHSA-2008:0556 respectively. This update provides corresponding updates for the FreeType 1 font engine, included in the freetype packages distributed in Red Hat Enterprise Linux 3 and 4. Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38870
    published: 2009-05-23
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38870
    title: RHEL 3 / 4 : freetype (RHSA-2009:0329)
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2006-207-02.NASL
    description: New x11 packages are available for Slackware 10.2 and -current to fix security issues. In addition, fontconfig and freetype have been split out from the x11 packages in -current, so if you run -current you
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22099
    published: 2006-07-28
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22099
    title: Slackware 10.2 / current : x11 (SSA:2006-207-02)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-129.NASL
    description: An additional overflow, similar to those corrected by patches for CVE-2006-1861 was found in libfreetype. If a user loads a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code as the user. Updated packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23880
    published: 2006-12-16
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23880
    title: Mandrake Linux Security Advisory : freetype2 (MDKSA-2006:129)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_B975763F521011DB8F1A000A48049292.NASL
    description: SecurityTracker reports : A vulnerability was reported in FreeType. A remote user can cause arbitrary code to be executed on the target user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22503
    published: 2006-10-05
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22503
    title: FreeBSD : freetype -- LWFN Files Buffer Overflow Vulnerability (b975763f-5210-11db-8f1a-000a48049292)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2009-1062.NASL
    description: Updated freetype packages that fix various security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide both the FreeType 1 and FreeType 2 font engines. Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946) Chris Evans discovered multiple integer overflow flaws in the FreeType font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2006-1861) An integer overflow flaw was found in the way the FreeType font engine processed TrueType(r) Font (TTF) files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2007-2754) Note: For the FreeType 2 font engine, the CVE-2006-1861 and CVE-2007-2754 flaws were addressed via RHSA-2006:0500 and RHSA-2007:0403 respectively. This update provides corresponding updates for the FreeType 1 font engine, included in the freetype packages distributed in Red Hat Enterprise Linux 2.1. Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38874
    published: 2009-05-23
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38874
    title: RHEL 2.1 : freetype (RHSA-2009:1062)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-291-1.NASL
    description: Several integer overflows have been discovered in the FreeType library. By tricking a user into installing and/or opening a specially crafted font file, these could be exploited to execute arbitrary code with the privileges of that user. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27863
    published: 2007-11-10
    reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/27863
    title: Ubuntu 5.04 / 5.10 / 6.06 LTS : freetype vulnerabilities (USN-291-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2009-5644.NASL
    description: Port of freetype2 security fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38943
    published: 2009-05-28
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38943
    title: Fedora 11 : freetype1-1.4-0.8.pre.fc11 (2009-5644)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2006-0500.NASL
    description: Updated freetype packages that fix several security flaws are now available for Red Hat Enterprise Linux. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, and portable font engine. Chris Evans discovered several integer underflow and overflow flaws in the FreeType font engine. If a user loads a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code as the user. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2006-0747, CVE-2006-1861, CVE-2006-3467) A NULL pointer dereference flaw was found in the FreeType font engine. An application linked against FreeType can crash upon loading a malformed font file. (CVE-2006-2661) Users of FreeType should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22068
    published: 2006-07-19
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22068
    title: RHEL 2.1 / 3 / 4 : freetype (RHSA-2006:0500)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2009-0329.NASL
    description: From Red Hat Security Advisory 2009:0329 : Updated freetype packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide both the FreeType 1 and FreeType 2 font engines. Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946) Chris Evans discovered multiple integer overflow flaws in the FreeType font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2006-1861) An integer overflow flaw was found in the way the FreeType font engine processed TrueType(r) Font (TTF) files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2007-2754) A flaw was discovered in the FreeType TTF font-file format parser when the TrueType virtual machine Byte Code Interpreter (BCI) is enabled. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2008-1808) The CVE-2008-1808 flaw did not affect the freetype packages as distributed in Red Hat Enterprise Linux 3 and 4, as they are not compiled with TrueType BCI support. A fix for this flaw has been included in this update as users may choose to recompile the freetype packages in order to enable TrueType BCI support. Red Hat does not, however, provide support for modified and recompiled packages. Note: For the FreeType 2 font engine, the CVE-2006-1861, CVE-2007-2754, and CVE-2008-1808 flaws were addressed via RHSA-2006:0500, RHSA-2007:0403, and RHSA-2008:0556 respectively. This update provides corresponding updates for the FreeType 1 font engine, included in the freetype packages distributed in Red Hat Enterprise Linux 3 and 4. Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67813
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67813
    title: Oracle Linux 3 / 4 : freetype (ELSA-2009-0329)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20090522_FREETYPE_ON_SL3_X.NASL
    description: Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946) Chris Evans discovered multiple integer overflow flaws in the FreeType font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2006-1861) An integer overflow flaw was found in the way the FreeType font engine processed TrueType(r) Font (TTF) files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2007-2754) A flaw was discovered in the FreeType TTF font-file format parser when the TrueType virtual machine Byte Code Interpreter (BCI) is enabled. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2008-1808) The X server must be restarted (log out, then log back in) for this update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60588
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60588
    title: Scientific Linux Security Update : freetype on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200710-09.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200710-09 (NX 2.1: User-assisted execution of arbitrary code) Chris Evans reported an integer overflow within the FreeType PCF font file parser (CVE-2006-1861). NX and NX Node are vulnerable to this due to shipping XFree86 4.3.0, which includes the vulnerable FreeType code. Impact : A remote attacker could exploit these integer overflows by enticing a user to load a specially crafted PCF font file which might lead to the execution of arbitrary code with the privileges of the user on the machine running the NX server. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 26980
    published: 2007-10-12
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/26980
    title: GLSA-200710-09 : NX 2.1: User-assisted execution of arbitrary code
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_NX-4555.NASL
    description: The XFree code contained in NX was prone to integer overflows (CVE-2006-1861) and insufficiently protected against specially crafted PCF files (CVE-2006-3467).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27510
    published: 2007-10-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27510
    title: openSUSE 10 Security Update : NX (NX-4555)

Oval

accepted: 2013-04-29T04:18:18.121-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493.
family: unix
id: oval:org.mitre.oval:def:9124
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493.
version: 26

Redhat

advisories
  • rhsa
    id: RHSA-2006:0500
  • rhsa
    id: RHSA-2009:0329
  • rhsa
    id: RHSA-2009:1062
rpms
  • freetype-0:2.1.4-4.0.rhel3.2
  • freetype-0:2.1.9-1.rhel4.4
  • freetype-debuginfo-0:2.1.4-4.0.rhel3.2
  • freetype-debuginfo-0:2.1.9-1.rhel4.4
  • freetype-demos-0:2.1.9-1.rhel4.4
  • freetype-devel-0:2.1.4-4.0.rhel3.2
  • freetype-devel-0:2.1.9-1.rhel4.4
  • freetype-utils-0:2.1.9-1.rhel4.4
  • freetype-0:2.1.4-12.el3
  • freetype-0:2.1.9-10.el4.7
  • freetype-debuginfo-0:2.1.4-12.el3
  • freetype-debuginfo-0:2.1.9-10.el4.7
  • freetype-demos-0:2.1.9-10.el4.7
  • freetype-devel-0:2.1.4-12.el3
  • freetype-devel-0:2.1.9-10.el4.7
  • freetype-utils-0:2.1.9-10.el4.7
  • freetype-0:2.0.3-17.el21
  • freetype-devel-0:2.0.3-17.el21
  • freetype-utils-0:2.0.3-17.el21

References