Bug 450768 (CVE-2008-1806) - CVE-2008-1806 FreeType PFB integer overflow
Summary: CVE-2008-1806 FreeType PFB integer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1806
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://labs.idefense.com/intelligence...
Whiteboard:
Depends On: 450905 450906 450908 450909 450910 450911 451212 451213 806288
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-10 20:55 UTC by Josh Bressers
Modified: 2019-09-29 12:24 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-21 09:32:11 UTC


Attachments (Terms of Use)
Patch extracted from upstream (5.67 KB, patch)
2008-06-11 17:21 UTC, Josh Bressers
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0556 normal SHIPPED_LIVE Important: freetype security update 2008-06-25 11:39:47 UTC
Red Hat Product Errata RHSA-2008:0558 normal SHIPPED_LIVE Important: freetype security update 2008-06-25 11:24:52 UTC

Description Josh Bressers 2008-06-10 20:55:46 UTC
An integer overflow flaw was found in FreeType's PFB processor.

According to the advisory:
    The vulnerability exists within the code responsible for parsing Printer Font
    Binary (PFB) format font files. PFB files contain a section known as the 
    "Private" dictionary table which is used to describe how characters are 
    constructed. When parsing this data structure, a series of 16-bit length 
    values are read in from the file. These values are added together and used to 
    allocate a dynamic buffer. The addition can result in an integer overflow, 
    which subsequently leads to a heap overflow.

Comment 1 Josh Bressers 2008-06-11 17:21:06 UTC
Created attachment 308965 [details]
Patch extracted from upstream

This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and
CVE-2008-1808

Comment 5 Tomas Hoger 2008-06-13 13:57:22 UTC
Parts of the patch (seems to be TTF part of the CVE-2008-1808) also seem to
apply to freetype1 shipped in Fedora.  freetype1 only seems to be used by
MagicPoint, which probably does not load arbitrary font files.

Comment 8 Fedora Update System 2008-06-17 09:43:47 UTC
freetype-2.3.5-4.fc8 has been submitted as an update for Fedora 8

Comment 9 Fedora Update System 2008-06-17 09:44:14 UTC
freetype-2.3.5-6.fc9 has been submitted as an update for Fedora 9

Comment 10 Fedora Update System 2008-06-18 03:15:09 UTC
freetype-2.3.5-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2008-06-18 03:15:39 UTC
freetype-2.3.5-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.