Executive Summary
| Summary | |
|---|---|
| Title | fontforge security update |
| Informations | |||
|---|---|---|---|
| Name | DSA-2253 | First vendor Publication | 2011-06-03 |
| Vendor | Debian | Last vendor Modification | 2011-06-03 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6.8 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Ulrik Persson reported a stack-based buffer overflow flaw in FontForge, a font editor. When processed a crafted Bitmap Distribution Format (BDF) FontForge could crash or execute arbitrary code with the privileges of the user running FontForge. For the oldstable distribution (lenny), this problem has been fixed in version 0.0.20080429-1+lenny2. For the stable distribution (squeeze), testing distribution (wheezy), and unstable distribution (sid) are not affected by this problem. We recommend that you upgrade your fontforge packages. |
Original Source
| Url : http://www.debian.org/security/2011/dsa-2253 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13065 | |||
| Oval ID: | oval:org.mitre.oval:def:13065 | ||
| Title: | DSA-2253-1 fontforge -- buffer overflow | ||
| Description: | Ulrik Persson reported a stack-based buffer overflow flaw in FontForge, a font editor. When processed a crafted Bitmap Distribution Format FontForge could crash or execute arbitrary code with the privileges of the user running FontForge. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2253-1 CVE-2010-4259 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | fontforge |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2012-02-12 | Name : Gentoo Security Advisory GLSA 201201-08 (FontForge) File : nvt/glsa_201201_08.nasl |
| 2011-08-03 | Name : Debian Security Advisory DSA 2253-1 (fontforge) File : nvt/deb_2253_1.nasl |
| 2010-12-28 | Name : Fedora Update for fontforge FEDORA-2010-18573 File : nvt/gb_fedora_2010_18573_fontforge_fc14.nasl |
| 2010-12-28 | Name : Fedora Update for fontforge FEDORA-2010-18577 File : nvt/gb_fedora_2010_18577_fontforge_fc13.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 69652 | FontForge BDF Font File CHARSET_REGISTRY Header Overflow FontForge is prone to an overflow condition. The program fails to parse overly long 'CHARSET_REGISTRY' lines properly, resulting in a stack-based buffer overflow. With a specially crafted BDF font file, a remote attacker can potentially execute arbitrary code. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2012-01-24 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201201-08.nasl - Type : ACT_GATHER_INFO |
| 2011-06-10 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2253.nasl - Type : ACT_GATHER_INFO |
| 2010-12-14 | Name : The remote Fedora host is missing a security update. File : fedora_2010-18573.nasl - Type : ACT_GATHER_INFO |
| 2010-12-14 | Name : The remote Fedora host is missing a security update. File : fedora_2010-18577.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:30:13 |
|
