RHSA-2008:0558

Executive Summary

Summary
Title	freetype security update

Informations
Name	RHSA-2008:0558	First vendor Publication	2008-06-20
Vendor	RedHat	Last vendor Modification	2008-06-20
Severity (Vendor)	Important	Revision	01

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentification	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated freetype packages that fix various security issues are now
available for Red Hat Enterprise Linux 2.1.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386

3. Description:

FreeType is a free, high-quality, portable font engine that can open and
manage font files, as well as efficiently load, hint and render individual
glyphs.

Multiple flaws were discovered in FreeType's Printer Font Binary (PFB) and
TrueType Font (TTF) font-file format parsers. If a user loaded a carefully
crafted font-file with a program linked against FreeType, it could cause
the application to crash, or possibly execute arbitrary code.
(CVE-2008-1806, CVE-2008-1807, CVE-2008-1808)

Note: the flaw in FreeType's TrueType Font (TTF) font-file format parser,
covered by CVE-2008-1808, only affected the FreeType 1 library (libttf),
shipped in the freetype packages in Red Hat Enterprise Linux 2.1. The
FreeType 2 library (libfreetype) is not affected, as it is not compiled
with TTF Byte Code Interpreter (BCI) support.

Users of freetype should upgrade to these updated packages, which contain
backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

450768 - CVE-2008-1806 FreeType PFB integer overflow
450773 - CVE-2008-1807 FreeType invalid free() flaw
450774 - CVE-2008-1808 FreeType off-by-one flaws

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2008-0558.html

CWE : Common Weakness Enumeration

id	Name
CWE-189	Numeric Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:9321

Oval ID:	oval:org.mitre.oval:def:9321
Title:	Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow.
Description:	Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2008-1806	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL3, CentOS3 RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND Configuration section freetype is earlier than 0:2.1.4-10.el3 AND freetype-devel is earlier than 0:2.1.4-10.el3 OR OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section freetype is earlier than 0:2.1.9-8.el4.6 AND freetype-demos is earlier than 0:2.1.9-8.el4.6 AND freetype-utils is earlier than 0:2.1.9-8.el4.6 AND freetype-devel is earlier than 0:2.1.9-8.el4.6 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section freetype is earlier than 0:2.2.1-20.el5_2 AND freetype-demos is earlier than 0:2.2.1-20.el5_2 AND freetype-devel is earlier than 0:2.2.1-20.el5_2

Definition Id: oval:org.mitre.oval:def:9767

Oval ID:	oval:org.mitre.oval:def:9767
Title:	FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.
Description:	FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2008-1807	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL3, CentOS3 RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND Configuration section freetype is earlier than 0:2.1.4-10.el3 AND freetype-devel is earlier than 0:2.1.4-10.el3 OR OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section freetype is earlier than 0:2.1.9-8.el4.6 AND freetype-demos is earlier than 0:2.1.9-8.el4.6 AND freetype-utils is earlier than 0:2.1.9-8.el4.6 AND freetype-devel is earlier than 0:2.1.9-8.el4.6 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section freetype is earlier than 0:2.2.1-20.el5_2 AND freetype-demos is earlier than 0:2.2.1-20.el5_2 AND freetype-devel is earlier than 0:2.2.1-20.el5_2

Definition Id: oval:org.mitre.oval:def:11188

Oval ID:	oval:org.mitre.oval:def:11188
Title:	Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow.
Description:	Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2008-1808	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL3, CentOS3 RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND Configuration section freetype is earlier than 0:2.1.4-12.el3 AND freetype-demos is earlier than 0:2.1.4-12.el3 AND freetype-utils is earlier than 0:2.1.4-12.el3 AND freetype-devel is earlier than 0:2.1.4-12.el3 OR OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section freetype is earlier than 0:2.1.9-10.el4.7 AND freetype-demos is earlier than 0:2.1.9-10.el4.7 AND freetype-devel is earlier than 0:2.1.9-10.el4.7 AND freetype-utils is earlier than 0:2.1.9-10.el4.7 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section freetype is earlier than 0:2.2.1-20.el5_2 AND freetype-demos is earlier than 0:2.2.1-20.el5_2 AND freetype-devel is earlier than 0:2.2.1-20.el5_2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Freetype Freetype cpe:/a:freetype:freetype:2.3.5 cpe:/a:freetype:freetype:2.3.4 cpe:/a:freetype:freetype:2.3.3 cpe:/a:freetype:freetype:2.2.10 cpe:/a:freetype:freetype:2.2.1 cpe:/a:freetype:freetype:2.2 cpe:/a:freetype:freetype:2.1.9 cpe:/a:freetype:freetype:2.1.7 cpe:/a:freetype:freetype:2.1.10 cpe:/a:freetype:freetype:2.0.9 cpe:/a:freetype:freetype:2.0.6 cpe:/a:freetype:freetype:1.3.1	12

Open Source Vulnerability Database (OSVDB)

id	Description
46178	FreeType2 Library TrueType Font (TTF) Font Handling Off-by-one Overflow
46177	FreeType2 Library Printer Font Binary (PFB) Font Handling Off-by-one Overflow
46176	FreeType2 Library Printer Font Binary (PFB) Font Handling Memory Corruption
46175	FreeType2 Library Printer Font Binary (PFB) Font Handling Overflow