Package name
freetype2
Date
2010-08-22
Advisory ID
MDVSA-2010:157
Affected versions
2010.1 x86_64 , 2010.1 i586 , 2010.0 x86_64 , 2010.0 i586

Problem description

Multiple vulnerabilities has been found and corrected in freetype2:

The FT_Stream_EnterFrame function in base/ftstream.c in FreeType
before 2.4.2 does not properly validate certain position values, which
allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted font file
(CVE-2010-2805).

Array index error in the t42_parse_sfnts function in type42/t42parse.c
in FreeType before 2.4.2 allows remote attackers to cause a denial of
service (application crash) or possibly execute arbitrary code via
negative size values for certain strings in FontType42 font files,
leading to a heap-based buffer overflow (CVE-2010-2806).

FreeType before 2.4.2 uses incorrect integer data types during bounds
checking, which allows remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted
font file (CVE-2010-2807).

Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c
in FreeType before 2.4.2 allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN)
font (CVE-2010-2808).

bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause
a denial of service (application crash) via a crafted BDF font file,
related to an attempted modification of a value in a static string
(CVE-2010-3053).

The updated packages have been patched to correct these issues.

Updated packages

2010.1 x86_64

 e2ebda52f9c6e2354b2184c038e3b1f6  2010.1/x86_64/lib64freetype6-2.3.12-1.3mdv2010.1.x86_64.rpm
 227ce37797e79135d41f12771377112d  2010.1/x86_64/lib64freetype6-devel-2.3.12-1.3mdv2010.1.x86_64.rpm
 0915a373ebf7e210997e9ba3614b4c5f  2010.1/x86_64/lib64freetype6-static-devel-2.3.12-1.3mdv2010.1.x86_64.rpm 
 9a75ac1b698c9d4145fdcd1448ef30eb  2010.1/SRPMS/freetype2-2.3.12-1.3mdv2010.1.src.rpm

2010.1 i586

 8b28c1a459c20045a8e735554fe4407d  2010.1/i586/libfreetype6-2.3.12-1.3mdv2010.1.i586.rpm
 32fd702b42acfd0a7011770b36fdcc74  2010.1/i586/libfreetype6-devel-2.3.12-1.3mdv2010.1.i586.rpm
 7b3575d46c7c607387fe317fb78c5a6f  2010.1/i586/libfreetype6-static-devel-2.3.12-1.3mdv2010.1.i586.rpm 
 9a75ac1b698c9d4145fdcd1448ef30eb  2010.1/SRPMS/freetype2-2.3.12-1.3mdv2010.1.src.rpm

2010.0 x86_64

 da064231c9ed02c49b2341c86bc5460d  2010.0/x86_64/lib64freetype6-2.3.11-1.3mdv2010.0.x86_64.rpm
 5509100ccdc3a9db75893d2c70cfec70  2010.0/x86_64/lib64freetype6-devel-2.3.11-1.3mdv2010.0.x86_64.rpm
 e2a55e6fb6a35fa6d331bd9543df7290  2010.0/x86_64/lib64freetype6-static-devel-2.3.11-1.3mdv2010.0.x86_64.rpm 
 9f60d2840d038d2d007a77f297173200  2010.0/SRPMS/freetype2-2.3.11-1.3mdv2010.0.src.rpm

2010.0 i586

 d959258ea6f44aab3c0befc77a4ff7ab  2010.0/i586/libfreetype6-2.3.11-1.3mdv2010.0.i586.rpm
 74e1516ba39f185df9aed7f75782c2fa  2010.0/i586/libfreetype6-devel-2.3.11-1.3mdv2010.0.i586.rpm
 30fb284e1517aac5d07860753cebdedd  2010.0/i586/libfreetype6-static-devel-2.3.11-1.3mdv2010.0.i586.rpm 
 9f60d2840d038d2d007a77f297173200  2010.0/SRPMS/freetype2-2.3.11-1.3mdv2010.0.src.rpm

References