CVE-2006-2661 - Null Pointer Dereference vulnerability in multiple products

047910
CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
network
low complexity
freetype
debian
canonical
CWE-476
nessus
exploit available

Summary

ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference.

Common Weakness Enumeration (CWE)

Exploit-Db

description: FreeType TTF File Remote Denial of Service Vulnerability. CVE-2006-2661. DoS exploit for multiple platforms
id: EDB-ID:27993
last seen: 2016-02-03
modified: 2006-06-08
published: 2006-06-08
reporter: Josh Bressers
source: https://www.exploit-db.com/download/27993/
title: FreeType TTF File Remote Denial of Service Vulnerability

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1095.NASL
    description: Several problems have been discovered in the FreeType 2 font engine. The Common Vulnerabilities and Exposures project identifies the following problems: - CVE-2006-0747 Several integer underflows have been discovered which could allow remote attackers to cause a denial of service. - CVE-2006-1861 Chris Evans discovered several integer overflows that lead to a denial of service or could possibly even lead to the execution of arbitrary code. - CVE-2006-2493 Several more integer overflows have been discovered which could possibly lead to the execution of arbitrary code. - CVE-2006-2661 A NULL pointer dereference could cause a denial of service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22637
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22637
    title: Debian DSA-1095-1 : freetype - integer overflows
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1095. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22637);
      script_version("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2006-0747", "CVE-2006-1861", "CVE-2006-2661");
      script_bugtraq_id(18034);
      script_xref(name:"DSA", value:"1095");
    
      script_name(english:"Debian DSA-1095-1 : freetype - integer overflows");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several problems have been discovered in the FreeType 2 font engine.
    The Common vulnerabilities and Exposures project identifies the
    following problems :
    
      - CVE-2006-0747
        Several integer underflows have been discovered which
        could allow remote attackers to cause a denial of
        service.
    
      - CVE-2006-1861
        Chris Evans discovered several integer overflows that
        lead to a denial of service or could possibly even lead
        to the execution of arbitrary code.
    
      - CVE-2006-2493
        Several more integer overflows have been discovered
        which could possibly lead to the execution of arbitrary
        code.
    
      - CVE-2006-2661
        A NULL pointer dereference could cause a denial of
        service."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-0747"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1861"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-2493"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-2661"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1095"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the libfreetype packages.
    
    For the old stable distribution (woody) these problems have been fixed
    in version 2.0.9-1woody1.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 2.1.7-2.5."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:freetype");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/06/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"freetype2-demos", reference:"2.0.9-1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libfreetype6", reference:"2.0.9-1woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libfreetype6-dev", reference:"2.0.9-1woody1")) flag++;
    if (deb_check(release:"3.1", prefix:"freetype2-demos", reference:"2.1.7-2.5")) flag++;
    if (deb_check(release:"3.1", prefix:"libfreetype6", reference:"2.1.7-2.5")) flag++;
    if (deb_check(release:"3.1", prefix:"libfreetype6-dev", reference:"2.1.7-2.5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-099.NASL
    description: Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values. (CVE-2006-0747) Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. (CVE-2006-1861) Ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference. (CVE-2006-2661) In addition, a patch is applied to 2.1.10 in Mandriva 2006 to fix a serious bug in ttkern.c that caused some programs to go into an infinite loop when dealing with fonts that don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21715
    published: 2006-06-16
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21715
    title: Mandrake Linux Security Advisory : freetype2 (MDKSA-2006:099-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2006:099. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21715);
      script_version ("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id(
        "CVE-2006-0747",
        "CVE-2006-1861",
        "CVE-2006-2661"
      );
      script_bugtraq_id(
        18034,
        18326,
        18329
      );
      script_xref(name:"MDKSA", value:"2006:099-1");
    
      script_name(english:"Mandrake Linux Security Advisory : freetype2 (MDKSA-2006:099-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Integer underflow in Freetype before 2.2 allows remote attackers to
    cause a denial of service (crash) via a font file with an odd number
    of blue values, which causes the underflow when decrementing by 2 in a
    context that assumes an even number of values. (CVE-2006-0747)
    
    Multiple integer overflows in FreeType before 2.2 allow remote
    attackers to cause a denial of service (crash) and possibly execute
    arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2)
    sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and
    a crafted LWFN file in base/ftmac.c. (CVE-2006-1861)
    
    Ftutil.c in Freetype before 2.2 allows remote attackers to cause a
    denial of service (crash) via a crafted font file that triggers a null
    dereference. (CVE-2006-2661)
    
    In addition, a patch is applied to 2.1.10 in Mandriva 2006 to fix a
    serious bug in ttkern.c that caused some programs to go into an
    infinite loop when dealing with fonts that don't have a properly
    sorted kerning sub-table. This patch is not applicable to the earlier
    Mandriva releases.
    
    Update :
    
    The previous update introduced some issues with other applications and
    libraries linked to libfreetype, that were missed in testing for the
    vulnerability issues. The new packages correct these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64freetype6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64freetype6-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64freetype6-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libfreetype6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libfreetype6-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libfreetype6-static-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/06/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64freetype6-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64freetype6-devel-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64freetype6-static-devel-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libfreetype6-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libfreetype6-devel-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libfreetype6-static-devel-2.1.9-6.2.102mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64freetype6-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64freetype6-devel-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64freetype6-static-devel-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libfreetype6-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libfreetype6-devel-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libfreetype6-static-devel-2.1.10-9.3.20060mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2006-0500.NASL
    description: Updated freetype packages that fix several security flaws are now available for Red Hat Enterprise Linux. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, and portable font engine. Chris Evans discovered several integer underflow and overflow flaws in the FreeType font engine. If a user loads a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code as the user. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2006-0747, CVE-2006-1861, CVE-2006-3467) A NULL pointer dereference flaw was found in the FreeType font engine. An application linked against FreeType can crash upon loading a malformed font file. (CVE-2006-2661) Users of FreeType should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22064
    published: 2006-07-19
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22064
    title: CentOS 3 / 4 : freetype (CESA-2006:0500)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_FREETYPE2-1608.NASL
    description: Fixes for: CVE-2006-0747, CVE-2006-1054, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661. This patch fixes a few integer overflows in freetype 2. Without this patch it is possible to create font files which make freetype 2 crash.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27224
    published: 2007-10-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27224
    title: openSUSE 10 Security Update : freetype2 (freetype2-1608)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-291-1.NASL
    description: Several integer overflows have been discovered in the FreeType library. By tricking a user into installing and/or opening a specially crafted font file, these could be exploited to execute arbitrary code with the privileges of that user. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27863
    published: 2007-11-10
    reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/27863
    title: Ubuntu 5.04 / 5.10 / 6.06 LTS : freetype vulnerabilities (USN-291-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2006-0500.NASL
    description: Updated freetype packages that fix several security flaws are now available for Red Hat Enterprise Linux. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, and portable font engine. Chris Evans discovered several integer underflow and overflow flaws in the FreeType font engine. If a user loads a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code as the user. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2006-0747, CVE-2006-1861, CVE-2006-3467) A NULL pointer dereference flaw was found in the FreeType font engine. An application linked against FreeType can crash upon loading a malformed font file. (CVE-2006-2661) Users of FreeType should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22068
    published: 2006-07-19
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22068
    title: RHEL 2.1 / 3 / 4 : freetype (RHSA-2006:0500)

Oval

accepted: 2013-04-29T04:15:22.215-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference.
family: unix
id: oval:org.mitre.oval:def:11692
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference.
version: 26

Redhat

advisories
rhsa
id: RHSA-2006:0500
rpms
  • freetype-0:2.1.4-4.0.rhel3.2
  • freetype-0:2.1.9-1.rhel4.4
  • freetype-debuginfo-0:2.1.4-4.0.rhel3.2
  • freetype-debuginfo-0:2.1.9-1.rhel4.4
  • freetype-demos-0:2.1.9-1.rhel4.4
  • freetype-devel-0:2.1.4-4.0.rhel3.2
  • freetype-devel-0:2.1.9-1.rhel4.4
  • freetype-utils-0:2.1.9-1.rhel4.4