Bug 450768 - (CVE-2008-1806) CVE-2008-1806 FreeType PFB integer overflow
CVE-2008-1806 FreeType PFB integer overflow
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
Depends On: 450905 450906 450908 450909 450910 450911 451212 451213 806288
  Show dependency treegraph
Reported: 2008-06-10 16:55 EDT by Josh Bressers
Modified: 2016-03-04 06:10 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-07-21 05:32:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch extracted from upstream (5.67 KB, patch)
2008-06-11 13:21 EDT, Josh Bressers
no flags Details | Diff

  None (edit)
Description Josh Bressers 2008-06-10 16:55:46 EDT
An integer overflow flaw was found in FreeType's PFB processor.

According to the advisory:
    The vulnerability exists within the code responsible for parsing Printer Font
    Binary (PFB) format font files. PFB files contain a section known as the 
    "Private" dictionary table which is used to describe how characters are 
    constructed. When parsing this data structure, a series of 16-bit length 
    values are read in from the file. These values are added together and used to 
    allocate a dynamic buffer. The addition can result in an integer overflow, 
    which subsequently leads to a heap overflow.
Comment 1 Josh Bressers 2008-06-11 13:21:06 EDT
Created attachment 308965 [details]
Patch extracted from upstream

This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and
Comment 5 Tomas Hoger 2008-06-13 09:57:22 EDT
Parts of the patch (seems to be TTF part of the CVE-2008-1808) also seem to
apply to freetype1 shipped in Fedora.  freetype1 only seems to be used by
MagicPoint, which probably does not load arbitrary font files.
Comment 8 Fedora Update System 2008-06-17 05:43:47 EDT
freetype-2.3.5-4.fc8 has been submitted as an update for Fedora 8
Comment 9 Fedora Update System 2008-06-17 05:44:14 EDT
freetype-2.3.5-6.fc9 has been submitted as an update for Fedora 9
Comment 10 Fedora Update System 2008-06-17 23:15:09 EDT
freetype-2.3.5-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-06-17 23:15:39 EDT
freetype-2.3.5-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.