Vulnerabilities > CVE-2008-1807 - Numeric Errors vulnerability in Freetype

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.

Vulnerable Configurations

Part Description Count
Application
Freetype
4

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0558.NASL
    descriptionUpdated freetype packages that fix various security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 25th June 2008] The original packages distributed with this errata had a bug which prevented freetype library from loading certain font files correctly. We have updated the packages to correct this bug. FreeType is a free, high-quality, portable font engine that can open and manage font files, as well as efficiently load, hint and render individual glyphs. Multiple flaws were discovered in FreeType
    last seen2020-06-01
    modified2020-06-02
    plugin id33250
    published2008-06-24
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33250
    titleRHEL 2.1 : freetype (RHSA-2008:0558)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:0558. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33250);
      script_version ("1.23");
      script_cvs_date("Date: 2019/10/25 13:36:13");
    
      script_cve_id("CVE-2008-1806", "CVE-2008-1807", "CVE-2008-1808");
      script_bugtraq_id(29637, 29639, 29640, 29641);
      script_xref(name:"RHSA", value:"2008:0558");
    
      script_name(english:"RHEL 2.1 : freetype (RHSA-2008:0558)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated freetype packages that fix various security issues are now
    available for Red Hat Enterprise Linux 2.1.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    [Updated 25th June 2008] The original packages distributed with this
    errata had a bug which prevented freetype library from loading certain
    font files correctly. We have updated the packages to correct this
    bug.
    
    FreeType is a free, high-quality, portable font engine that can open
    and manage font files, as well as efficiently load, hint and render
    individual glyphs.
    
    Multiple flaws were discovered in FreeType's Printer Font Binary (PFB)
    and TrueType Font (TTF) font-file format parsers. If a user loaded a
    carefully crafted font-file with a program linked against FreeType, it
    could cause the application to crash, or possibly execute arbitrary
    code. (CVE-2008-1806, CVE-2008-1807, CVE-2008-1808)
    
    Note: the flaw in FreeType's TrueType Font (TTF) font-file format
    parser, covered by CVE-2008-1808, only affected the FreeType 1 library
    (libttf), which shipped in the freetype packages in Red Hat Enterprise
    Linux 2.1. The FreeType 2 library (libfreetype) is not affected, as it
    is not compiled with TTF Byte Code Interpreter (BCI) support.
    
    Users of freetype should upgrade to these updated packages, which
    contain backported patches to resolve these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-1806"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-1807"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-1808"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2008:0558"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected freetype, freetype-devel and / or freetype-utils
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:freetype");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:freetype-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:freetype-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/06/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/06/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2008:0558";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"freetype-2.0.3-15.el21")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"freetype-devel-2.0.3-15.el21")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"freetype-utils-2.0.3-15.el21")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freetype / freetype-devel / freetype-utils");
      }
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0556.NASL
    descriptionUpdated freetype packages that fix various security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 25th June 2008] The original packages for Red Hat Enterprise Linux 3 and 4 distributed with this errata had a bug which prevented freetype library from loading certain font files correctly. We have updated the packages to correct this bug. FreeType is a free, high-quality, portable font engine that can open and manage font files, as well as efficiently load, hint and render individual glyphs. Multiple flaws were discovered in FreeType
    last seen2020-06-01
    modified2020-06-02
    plugin id33229
    published2008-06-24
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33229
    titleCentOS 3 / 4 / 5 : freetype (CESA-2008:0556)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:0556 and 
    # CentOS Errata and Security Advisory 2008:0556 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33229);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:04");
    
      script_cve_id("CVE-2008-1806", "CVE-2008-1807", "CVE-2008-1808");
      script_bugtraq_id(29637, 29639, 29640, 29641);
      script_xref(name:"RHSA", value:"2008:0556");
    
      script_name(english:"CentOS 3 / 4 / 5 : freetype (CESA-2008:0556)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated freetype packages that fix various security issues are now
    available for Red Hat Enterprise Linux 3, 4, and 5.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    [Updated 25th June 2008] The original packages for Red Hat Enterprise
    Linux 3 and 4 distributed with this errata had a bug which prevented
    freetype library from loading certain font files correctly. We have
    updated the packages to correct this bug.
    
    FreeType is a free, high-quality, portable font engine that can open
    and manage font files, as well as efficiently load, hint and render
    individual glyphs.
    
    Multiple flaws were discovered in FreeType's Printer Font Binary (PFB)
    font-file format parser. If a user loaded a carefully crafted
    font-file with a program linked against FreeType, it could cause the
    application to crash, or possibly execute arbitrary code.
    (CVE-2008-1806, CVE-2008-1807, CVE-2008-1808)
    
    Note: the flaw in FreeType's TrueType Font (TTF) font-file format
    parser, covered by CVE-2008-1808, did not affect the freetype packages
    as shipped in Red Hat Enterprise Linux 3, 4, and 5, as they are not
    compiled with TTF Byte Code Interpreter (BCI) support.
    
    Users of freetype should upgrade to these updated packages, which
    contain backported patches to resolve these issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/015000.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?53005098"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/015001.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ab870e3f"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/015006.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d8b7d6f8"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/015007.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ad2394fc"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/015024.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c091bea5"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/015025.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?974e3d4f"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/015052.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?38cf3dcd"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-June/015054.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1e40e752"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected freetype packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:freetype");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:freetype-demos");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:freetype-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:freetype-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/06/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/06/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x / 5.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"freetype-2.1.4-10.el3")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"freetype-demos-2.1.4-10.el3")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"freetype-devel-2.1.4-10.el3")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"freetype-utils-2.1.4-10.el3")) flag++;
    
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"freetype-2.1.9-7.el4.6")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"freetype-2.1.9-8.el4.6")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"freetype-2.1.9-7.el4.6")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"freetype-demos-2.1.9-7.el4.6")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"freetype-demos-2.1.9-8.el4.6")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"freetype-demos-2.1.9-7.el4.6")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"freetype-devel-2.1.9-7.el4.6")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"freetype-devel-2.1.9-8.el4.6")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"freetype-devel-2.1.9-7.el4.6")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"freetype-utils-2.1.9-7.el4.6")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"freetype-utils-2.1.9-8.el4.6")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"freetype-utils-2.1.9-7.el4.6")) flag++;
    
    if (rpm_check(release:"CentOS-5", reference:"freetype-2.2.1-20.el5_2")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"freetype-demos-2.2.1-20.el5_2")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"freetype-devel-2.2.1-20.el5_2")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freetype / freetype-demos / freetype-devel / freetype-utils");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-643-1.NASL
    descriptionMultiple flaws were discovered in the PFB and TTF font handling code in freetype. If a user were tricked into using a specially crafted font file, a remote attacker could execute arbitrary code with user privileges or cause the application linked against freetype to crash, leading to a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id37738
    published2009-04-23
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/37738
    titleUbuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : freetype vulnerabilities (USN-643-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-643-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(37738);
      script_version("1.12");
      script_cvs_date("Date: 2019/08/02 13:33:02");
    
      script_cve_id("CVE-2008-1806", "CVE-2008-1807", "CVE-2008-1808");
      script_xref(name:"USN", value:"643-1");
    
      script_name(english:"Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : freetype vulnerabilities (USN-643-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple flaws were discovered in the PFB and TTF font handling code
    in freetype. If a user were tricked into using a specially crafted
    font file, a remote attacker could execute arbitrary code with user
    privileges or cause the application linked against freetype to crash,
    leading to a denial of service.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/643-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected freetype2-demos, libfreetype6 and / or
    libfreetype6-dev packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:freetype2-demos");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreetype6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreetype6-dev");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/09/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(6\.06|7\.04|7\.10|8\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 7.04 / 7.10 / 8.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"6.06", pkgname:"freetype2-demos", pkgver:"2.1.10-1ubuntu2.5")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libfreetype6", pkgver:"2.1.10-1ubuntu2.5")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libfreetype6-dev", pkgver:"2.1.10-1ubuntu2.5")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"freetype2-demos", pkgver:"2.2.1-5ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"libfreetype6", pkgver:"2.2.1-5ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"libfreetype6-dev", pkgver:"2.2.1-5ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"freetype2-demos", pkgver:"2.3.5-1ubuntu4.7.10.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"libfreetype6", pkgver:"2.3.5-1ubuntu4.7.10.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"libfreetype6-dev", pkgver:"2.3.5-1ubuntu4.7.10.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"freetype2-demos", pkgver:"2.3.5-1ubuntu4.8.04.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libfreetype6", pkgver:"2.3.5-1ubuntu4.8.04.1")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libfreetype6-dev", pkgver:"2.3.5-1ubuntu4.8.04.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freetype2-demos / libfreetype6 / libfreetype6-dev");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200806-10.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200806-10 (FreeType: User-assisted execution of arbitrary code) Regenrecht reported multiple vulnerabilities in FreeType via iDefense: An integer overflow when parsing values in the Private dictionary table in a PFB file, leading to a heap-based buffer overflow (CVE-2008-1806). An invalid free() call related to parsing an invalid
    last seen2020-06-01
    modified2020-06-02
    plugin id33246
    published2008-06-24
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33246
    titleGLSA-200806-10 : FreeType: User-assisted execution of arbitrary code
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2009-001.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-001 applied. This security update contains fixes for the following products : - AFP Server - Apple Pixlet Video - CarbonCore - CFNetwork - Certificate Assistant - ClamAV - CoreText - CUPS - DS Tools - fetchmail - Folder Manager - FSEvents - Network Time - perl - Printing - python - Remote Apple Events - Safari RSS - servermgrd - SMB - SquirrelMail - X11 - XTerm
    last seen2020-06-01
    modified2020-06-02
    plugin id35684
    published2009-02-13
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35684
    titleMac OS X Multiple Vulnerabilities (Security Update 2009-001)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-5430.NASL
    descriptionThis update backports security fixes from upstream version 2.3.6 - CVE-2008-1806, CVE-2008-1807 and CVE-2008-1808. For further details, see: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=7 15 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=7 16 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=7 17 Note: TTF bytecode interpreter is not enabled by default in the Fedora freetype packages, therefore Fedora packages were not affected by the TTF part of the CVE-2008-1808. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33222
    published2008-06-19
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33222
    titleFedora 8 : freetype-2.3.5-4.fc8 (2008-5430)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0556.NASL
    descriptionUpdated freetype packages that fix various security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 25th June 2008] The original packages for Red Hat Enterprise Linux 3 and 4 distributed with this errata had a bug which prevented freetype library from loading certain font files correctly. We have updated the packages to correct this bug. FreeType is a free, high-quality, portable font engine that can open and manage font files, as well as efficiently load, hint and render individual glyphs. Multiple flaws were discovered in FreeType
    last seen2020-06-01
    modified2020-06-02
    plugin id33249
    published2008-06-24
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33249
    titleRHEL 3 / 4 / 5 : freetype (RHSA-2008:0556)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2009-0012.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : CVE-2009-0946 Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c. CVE-2008-1806 Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow. CVE-2008-1807 FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid
    last seen2020-06-01
    modified2020-06-02
    plugin id79459
    published2014-11-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79459
    titleOracleVM 2.1 : freetype (OVMSA-2009-0012)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-121.NASL
    descriptionMultiple vulnerabilities were discovered in FreeType
    last seen2020-06-01
    modified2020-06-02
    plugin id37537
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/37537
    titleMandriva Linux Security Advisory : freetype2 (MDVSA-2008:121)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-5425.NASL
    descriptionThis update backports security fixes from upstream version 2.3.6 - CVE-2008-1806, CVE-2008-1807 and CVE-2008-1808. For further details, see: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=7 15 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=7 16 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=7 17 Note: TTF bytecode interpreter is not enabled by default in the Fedora freetype packages, therefore Fedora packages were not affected by the TTF part of the CVE-2008-1808. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33221
    published2008-06-19
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33221
    titleFedora 9 : freetype-2.3.5-6.fc9 (2008-5425)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1635.NASL
    descriptionSeveral local vulnerabilities have been discovered in freetype, a FreeType 2 font engine, which could allow the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-1806 An integer overflow allows context-dependent attackers to execute arbitrary code via a crafted set of values within the Private dictionary table in a Printer Font Binary (PFB) file. - CVE-2008-1807 The handling of an invalid
    last seen2020-06-01
    modified2020-06-02
    plugin id34163
    published2008-09-11
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34163
    titleDebian DSA-1635-1 : freetype - multiple vulnerabilities
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201209-25.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201209-25 (VMware Player, Server, Workstation: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in VMware Player, Server, and Workstation. Please review the CVE identifiers referenced below for details. Impact : Local users may be able to gain escalated privileges, cause a Denial of Service, or gain sensitive information. A remote attacker could entice a user to open a specially crafted file, possibly resulting in the remote execution of arbitrary code, or a Denial of Service. Remote attackers also may be able to spoof DNS traffic, read arbitrary files, or inject arbitrary web script to the VMware Server Console. Furthermore, guest OS users may be able to execute arbitrary code on the host OS, gain escalated privileges on the guest OS, or cause a Denial of Service (crash the host OS). Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id62383
    published2012-10-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62383
    titleGLSA-201209-25 : VMware Player, Server, Workstation: Multiple vulnerabilities
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_4FB43B2F46A911DD9D3800163E000016.NASL
    descriptionSecunia reports : - An integer overflow error exists in the processing of PFB font files. This can be exploited to cause a heap-based buffer overflow via a PFB file containing a specially crafted
    last seen2020-06-01
    modified2020-06-02
    plugin id33419
    published2008-07-08
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33419
    titleFreeBSD : FreeType 2 -- Multiple Vulnerabilities (4fb43b2f-46a9-11dd-9d38-00163e000016)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2008-0014.NASL
    descriptionI Security Issues a. Setting ActiveX kill bit Starting from this release, VMware has set the kill bit on its ActiveX controls. Setting the kill bit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE. See the Microsoft KB article 240797 and the related references on this topic. Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of- service or can allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user. Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompts when unsafe actions are requested. Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls. To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions. VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai, and Michal Bucko for reporting these issues to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls. b. VMware ISAPI Extension Denial of Service The Internet Server Application Programming Interface (ISAPI) is an API that extends the functionality of Internet Information Server (IIS). VMware uses ISAPI extensions in its Server product. One of the ISAPI extensions provided by VMware is vulnerable to a remote denial of service. By sending a malformed request, IIS might shut down. IIS 6.0 restarts automatically. However, IIS 5.0 does not restart automatically when its Startup Type is set to Manual. VMware would like to thank the Juniper Networks J-Security Security Research Team for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3697 to this issue. c. OpenProcess Local Privilege Escalation on Host System This release fixes a privilege escalation vulnerability in host systems. Exploitation of this vulnerability allows users to run arbitrary code on the host system with elevated privileges. VMware would like to thank Sun Bing from McAfee, Inc. for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3698 to this issue. d. Update to Freetype FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to 2.3.7. The Common Vulnerabilities and Exposures Project (cve.mitre.com) has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in Freetype 2.3.6. e. Update to Cairo Cairo 1.4.12 resolves an integer overflow vulnerability that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted PNG file. This release updates Cairo to 1.4.14. The Common Vulnerabilities and Exposures (cve.mitre.com) has assigned the name CVE-2007-5503 to this issue. f. VMware Consolidated Backup (VCB) command-line utilities may expose sensitive information VMware Consolidated Backup command-line utilities accept the user password through the -p command-line option. Users logged into the ESX service console or into the system that runs VCB could gain access to the username and password used by VCB command-line utilities when such commands are running. The ESX patch and the new version of VCB resolve this issue by providing an alternative way of passing the password used by VCB command-line utilities. VCB in ESX ---------- The following options are recommended for passing the password : 1. The password is specified in /etc/backuptools.conf (PASSWORD=xxxxx), and -p is not used in the command line. /etc/backuptools.conf file permissions are read/write only for root. 2. No password is specified in /etc/backuptools.conf and the -p option is not used in the command line. The user will be prompted to enter a password. ESX is not affected unless you use VCB. Stand-alone VCB --------------- The following options are recommended for passing the password : 1. The password is specified in config.js (PASSWORD=xxxxx), and -p is not used in the command line. The file permissions on config.js are read/write only for the administrator. The config.js file is located in folder
    last seen2020-06-01
    modified2020-06-02
    plugin id40382
    published2009-07-27
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/40382
    titleVMSA-2008-0014 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues.
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20080620_FREETYPE_ON_SL3_X.NASL
    descriptionMultiple flaws were discovered in FreeType
    last seen2020-06-01
    modified2020-06-02
    plugin id60427
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60427
    titleScientific Linux Security Update : freetype on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0556.NASL
    descriptionFrom Red Hat Security Advisory 2008:0556 : Updated freetype packages that fix various security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 25th June 2008] The original packages for Red Hat Enterprise Linux 3 and 4 distributed with this errata had a bug which prevented freetype library from loading certain font files correctly. We have updated the packages to correct this bug. FreeType is a free, high-quality, portable font engine that can open and manage font files, as well as efficiently load, hint and render individual glyphs. Multiple flaws were discovered in FreeType
    last seen2020-06-01
    modified2020-06-02
    plugin id67715
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67715
    titleOracle Linux 3 / 4 / 5 : freetype (ELSA-2008-0556)

Oval

accepted2013-04-29T04:22:00.010-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionFreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.
familyunix
idoval:org.mitre.oval:def:9767
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleFreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.
version27

Redhat

advisories
  • rhsa
    idRHSA-2008:0556
  • rhsa
    idRHSA-2008:0558
rpms
  • freetype-0:2.1.4-10.el3
  • freetype-0:2.1.9-8.el4.6
  • freetype-0:2.2.1-20.el5_2
  • freetype-debuginfo-0:2.1.4-10.el3
  • freetype-debuginfo-0:2.1.9-8.el4.6
  • freetype-debuginfo-0:2.2.1-20.el5_2
  • freetype-demos-0:2.1.9-8.el4.6
  • freetype-demos-0:2.2.1-20.el5_2
  • freetype-devel-0:2.1.4-10.el3
  • freetype-devel-0:2.1.9-8.el4.6
  • freetype-devel-0:2.2.1-20.el5_2
  • freetype-utils-0:2.1.9-8.el4.6
  • freetype-0:2.0.3-15.el21
  • freetype-devel-0:2.0.3-15.el21
  • freetype-utils-0:2.0.3-15.el21

References