MDKSA-2006:099
- Package name: freetype2
- Date: 2006-06-12
- Advisory ID: MDKSA-2006:099
- Affected versions: MNF2.0 i586, 2006.0 i586, 10.2 i586, CS3.0 x86_64, CS3.0 i586, 10.2 x86_64, 2006.0 x86_64
Problem description
Integer underflow in Freetype before 2.2 allows remote attackers to cause
a denial of service (crash) via a font file with an odd number of blue
values, which causes the underflow when decrementing by 2 in a context
that assumes an even number of values. (CVE-2006-0747)

Multiple integer overflows in FreeType before 2.2 allow remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code via
attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c,
(3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file
in base/ftmac.c. (CVE-2006-1861)

Ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial
of service (crash) via a crafted font file that triggers a null dereference.
(CVE-2006-2661)

In addition, a patch is applied to 2.1.10 in Mandriva 2006 to fix a serious
bug in ttkern.c that caused some programs to go into an infinite loop when
dealing with fonts that don't have a properly sorted kerning sub-table.
This patch is not applicable to the earlier Mandriva releases.

Packages have been patched to correct these issues.
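
The first issue above (CVE-2006-0747) comes down to a counter stepped down by 2 on the assumption that it starts even. The C sketch below is an added illustration of that bug class and of a parity check that rejects the malformed input; it is not FreeType source or the vendor patch, and the function names, the 8-bit counter width and the zone layout are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative type (assumption): one alignment zone built from two blue values. */
typedef struct { int16_t bottom, top; } zone_t;

/* Unchecked pattern: an unsigned counter stepped down by 2 is expected to
 * land on 0. Starting odd it goes 1 -> 255 (8-bit wrap) and stays odd, so it
 * never reaches 0. Returns the counter after at most `limit` steps; `limit`
 * exists only to keep this demonstration finite. */
static uint8_t countdown_unchecked(uint8_t count, unsigned limit)
{
    while (count != 0 && limit-- > 0)
        count = (uint8_t)(count - 2);   /* assumes count is even */
    return count;
}

/* Hardened form: check parity and capacity before pairing values.
 * Returns the number of zones written, or -1 if the input is rejected. */
static int parse_blue_zones(const int16_t *values, size_t count,
                            zone_t *out, size_t out_cap)
{
    if (values == NULL || out == NULL)
        return -1;
    if (count % 2 != 0 || count / 2 > out_cap)  /* odd count is malformed */
        return -1;
    for (size_t i = 0; i + 1 < count; i += 2) {
        out[i / 2].bottom = values[i];
        out[i / 2].top    = values[i + 1];
    }
    return (int)(count / 2);
}

int main(void)
{
    int16_t blues[5] = { -20, 0, 700, 720, 9 };   /* constructed sample values */
    zone_t zones[4];
    printf("even countdown ends at %u\n", (unsigned)countdown_unchecked(4, 16));
    printf("odd countdown after 3 steps: %u\n", (unsigned)countdown_unchecked(5, 3));
    printf("4 values -> %d zones\n", parse_blue_zones(blues, 4, zones, 4));
    printf("5 values -> %d (rejected)\n", parse_blue_zones(blues, 5, zones, 4));
    return 0;
}
```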
Updated packages
MNF2.0 i586
cd2ba6684b905ded5e1c41ea052d78d7 mnf/2.0/RPMS/libfreetype6-2.1.7-4.1.M20mdkmdk.i586.rpm
0b4bbd4fa79099031c2186f51a5defaa mnf/2.0/SRPMS/freetype2-2.1.7-4.1.M20mdkmdk.src.rpm
2006.0 i586
6068722811b9404d5aa08ee477987fb2 2006.0/RPMS/libfreetype6-2.1.10-9.2.20060mdk.i586.rpm
817917e69abb5674f646544308536419 2006.0/RPMS/libfreetype6-devel-2.1.10-9.2.20060mdk.i586.rpm
dc4748e47335cc44243e39711c04def5 2006.0/RPMS/libfreetype6-static-devel-2.1.10-9.2.20060mdk.i586.rpm
6fbbc5e83a43e7c0b4c09593892ca554 2006.0/SRPMS/freetype2-2.1.10-9.2.20060mdk.src.rpm
10.2 i586
500d6a0363b912d3708164333618ea9a 10.2/RPMS/libfreetype6-2.1.9-6.1.102mdkmdk.i586.rpm
8dc7ea21f0c7485fb2e89722b61662e6 10.2/RPMS/libfreetype6-devel-2.1.9-6.1.102mdkmdk.i586.rpm
822d356b7df358d6fd33fdcba1ecce48 10.2/RPMS/libfreetype6-static-devel-2.1.9-6.1.102mdkmdk.i586.rpm
01fc46490cdad24a0ac7145ad1400fbe 10.2/SRPMS/freetype2-2.1.9-6.1.102mdkmdk.src.rpm
CS3.0 x86_64
86b12f1232fd54bcd76c59f9598a190d x86_64/corporate/3.0/RPMS/lib64freetype6-2.1.7-4.1.C30mdkmdk.x86_64.rpm
db3ab38c85b3a39b848a499e4f2688c3 x86_64/corporate/3.0/RPMS/lib64freetype6-devel-2.1.7-4.1.C30mdkmdk.x86_64.rpm
e689dbcd16c9541b6704c50a4c6e39c1 x86_64/corporate/3.0/RPMS/lib64freetype6-static-devel-2.1.7-4.1.C30mdkmdk.x86_64.rpm
ffb8fe54281b48ae7c8c0df2cdff4226 x86_64/corporate/3.0/RPMS/libfreetype6-2.1.7-4.1.C30mdkmdk.i586.rpm
f3435422496277db7390cfc62ca58b3a x86_64/corporate/3.0/SRPMS/freetype2-2.1.7-4.1.C30mdkmdk.src.rpm
CS3.0 i586
ffb8fe54281b48ae7c8c0df2cdff4226 corporate/3.0/RPMS/libfreetype6-2.1.7-4.1.C30mdkmdk.i586.rpm
8160069b2aedc139d573d06786362b38 corporate/3.0/RPMS/libfreetype6-devel-2.1.7-4.1.C30mdkmdk.i586.rpm
3dc8f49900b644bdbed9c1ff87eab2e8 corporate/3.0/RPMS/libfreetype6-static-devel-2.1.7-4.1.C30mdkmdk.i586.rpm
f3435422496277db7390cfc62ca58b3a corporate/3.0/SRPMS/freetype2-2.1.7-4.1.C30mdkmdk.src.rpm
10.2 x86_64
8bafa7103832649910ff29e46d3414da x86_64/10.2/RPMS/lib64freetype6-2.1.9-6.1.102mdkmdk.x86_64.rpm
116215379bbfe0cdf14cccce370fd74c x86_64/10.2/RPMS/lib64freetype6-devel-2.1.9-6.1.102mdkmdk.x86_64.rpm
01ce8b9853b9e509a7d8f034ff21cfb6 x86_64/10.2/RPMS/lib64freetype6-static-devel-2.1.9-6.1.102mdkmdk.x86_64.rpm
500d6a0363b912d3708164333618ea9a x86_64/10.2/RPMS/libfreetype6-2.1.9-6.1.102mdkmdk.i586.rpm
8dc7ea21f0c7485fb2e89722b61662e6 x86_64/10.2/RPMS/libfreetype6-devel-2.1.9-6.1.102mdkmdk.i586.rpm
822d356b7df358d6fd33fdcba1ecce48 x86_64/10.2/RPMS/libfreetype6-static-devel-2.1.9-6.1.102mdkmdk.i586.rpm
01fc46490cdad24a0ac7145ad1400fbe x86_64/10.2/SRPMS/freetype2-2.1.9-6.1.102mdkmdk.src.rpm
2006.0 x86_64
985900ddba982582ecb7d7eb51c20200 x86_64/2006.0/RPMS/lib64freetype6-2.1.10-9.2.20060mdk.x86_64.rpm
afe093ac0ef65d5f5505f0c907d9c8dc x86_64/2006.0/RPMS/lib64freetype6-devel-2.1.10-9.2.20060mdk.x86_64.rpm
6f924308e4c1fe2da976a8d7905b9c45 x86_64/2006.0/RPMS/lib64freetype6-static-devel-2.1.10-9.2.20060mdk.x86_64.rpm
6068722811b9404d5aa08ee477987fb2 x86_64/2006.0/RPMS/libfreetype6-2.1.10-9.2.20060mdk.i586.rpm
817917e69abb5674f646544308536419 x86_64/2006.0/RPMS/libfreetype6-devel-2.1.10-9.2.20060mdk.i586.rpm
dc4748e47335cc44243e39711c04def5 x86_64/2006.0/RPMS/libfreetype6-static-devel-2.1.10-9.2.20060mdk.i586.rpm
6fbbc5e83a43e7c0b4c09593892ca554 x86_64/2006.0/SRPMS/freetype2-2.1.10-9.2.20060mdk.src.rpm
