Bug 621144 (CVE-2010-1797) - CVE-2010-1797 FreeType: Multiple stack overflows by processing CFF opcodes
Summary: CVE-2010-1797 FreeType: Multiple stack overflows by processing CFF opcodes
Status: CLOSED ERRATA
Alias: CVE-2010-1797
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20100805,reported=20100803,sou...
Keywords: Security
Depends On: 621189 621190 621191 621192 621193 621624 621627 806285
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-08-04 11:38 UTC by Jan Lieskovsky
Modified: 2018-02-12 18:51 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-29 12:47:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed FreeType CVE-2010-1797 patch from Apple (943 bytes, patch)
2010-08-04 11:42 UTC, Jan Lieskovsky
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0607 normal SHIPPED_LIVE Important: freetype security update 2010-08-05 17:59:50 UTC

Description Jan Lieskovsky 2010-08-04 11:38:35 UTC
Multiple stack overflow flaws have been reported in the way
FreeType font rendering engine processed certain CFF opcodes.
An attacker could use these flaws to create a specially-crafted
font file that, when opened, would cause an application linked
against libfreetype to crash, or, possibly execute arbitrary code.

References:
  [1] http://www.f-secure.com/weblog/archives/00002002.html

Acknowledgements:

Red Hat would like to thank Braden Thomas of the Apple Product Security team
for reporting these issues.

Comment 2 Jan Lieskovsky 2010-08-04 11:42:58 UTC
Created attachment 436501 [details]
Proposed FreeType CVE-2010-1797 patch from Apple

Comment 10 Jan Lieskovsky 2010-08-05 13:34:36 UTC
This deficiency affects the version of the vnc-server package, as shipped
with Red Hat Enteprise Linux 3 (it contains and uses own embedded copy of
the freetype library). 

Red Hat Security Response Team does not consider the vnc-server bug to be
a security issue. The only way this is exploitable in the vnc-server package
is if a bad font would be included in the vncserver font path. But that means,
the attacker already has access to the user account in question.

This flaw does NOT affect the version of the vnc-server package, as shipped
with Red Hat Enterprise Linux 4 and 5.

Comment 11 Jan Lieskovsky 2010-08-05 13:38:00 UTC
This flaw does NOT affect the version of the XFree86 package, as shipped
with Red Hat Enterprise Linux 3, as it uses FreeType library, present on
the system.

This flaw does NOT affect the version of the xorg-x11 package, as shipped
with Red Hat Enterprise Linux 4, as it use FreeType library, present on
the system.

Comment 13 Vincent Danen 2010-08-05 17:19:41 UTC
Created freetype tracking bugs for this issue

Affects: fedora-all [bug 621627]

Comment 14 errata-xmlrpc 2010-08-05 17:59:55 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0607 https://rhn.redhat.com/errata/RHSA-2010-0607.html


Note You need to log in before you can comment on or make changes to this bug.