Bug 625626 (CVE-2010-2805) - CVE-2010-2805 freetype: FT_Stream_EnterFrame() does not properly validate certain position values
Alias: CVE-2010-2805
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 638522 638838 638839
Reported: 2010-08-20 00:29 UTC by Vincent Danen
Modified: 2019-09-29 12:38 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-02 18:46:58 UTC

Attachments
Public PoC (29.70 KB, application/x-troff-man)
2010-09-27 06:31 UTC, Huzaifa S. Sidhpurwala

System: Red Hat Product Errata
ID: RHSA-2010:0864
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: freetype security update
Last Updated: 2010-11-09 18:50:14 UTC

Description Vincent Danen 2010-08-20 00:29:44 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2805 to
the following vulnerability:

Name: CVE-2010-2805
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2805
Assigned: 20100722
Reference: MLIST:[oss-security] 20100806 Re: CVE Request -- FreeType -- Memory corruption flaw by processing certain LWFN fonts + three more
Reference: URL: http://marc.info/?l=oss-security&m=128111955616772&w=2
Reference: CONFIRM: http://freetype.sourceforge.net/index2.html#release-freetype-2.4.2
Reference: CONFIRM: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=45a3c76b547511fa9d97aca34b150a0663257375
Reference: CONFIRM: http://sourceforge.net/projects/freetype/files/freetype2/2.4.2/NEWS/view
Reference: CONFIRM: https://bugs.launchpad.net/ubuntu/maverick/+source/freetype/+bug/617019
Reference: CONFIRM: https://savannah.nongnu.org/bugs/?30644
Reference: UBUNTU:USN-972-1
Reference: URL: http://www.ubuntu.com/usn/USN-972-1
Reference: BID:42285
Reference: URL: http://www.securityfocus.com/bid/42285
Reference: SECUNIA:40816
Reference: URL: http://secunia.com/advisories/40816
Reference: SECUNIA:40982
Reference: URL: http://secunia.com/advisories/40982
Reference: VUPEN:ADV-2010-2018
Reference: URL: http://www.vupen.com/english/advisories/2010/2018
Reference: VUPEN:ADV-2010-2106
Reference: URL: http://www.vupen.com/english/advisories/2010/2106

The FT_Stream_EnterFrame function in base/ftstream.c in FreeType
before 2.4.2 does not properly validate certain position values, which
allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted font file.

Comment 3 Huzaifa S. Sidhpurwala 2010-09-27 06:31:23 UTC
Created attachment 449832
Public PoC

Comment 7 Jan Lieskovsky 2010-09-27 13:16:14 UTC
This issue did NOT affect the versions of the freetype package, as shipped
with Red Hat Enterprise Linux 3, 4, or 5.


This issue affects the versions of the freetype package, as shipped
with Fedora releases 12 and 13.

This issue did NOT affect the versions of the mingw32-freetype package,
as shipped with Fedora releases 12 and 13 and as present within EPEL-5.

Comment 9 Jan Lieskovsky 2010-09-27 17:16:33 UTC

Not vulnerable. This issue did not affect the versions of freetype as
shipped with Red Hat Enterprise Linux 3, 4, or 5.

Comment 10 Huzaifa S. Sidhpurwala 2010-09-29 09:06:29 UTC
Created freetype tracking bugs for this issue

Affects: fedora-all [bug 638522]

Comment 12 errata-xmlrpc 2010-11-10 18:58:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0864 https://rhn.redhat.com/errata/RHSA-2010-0864.html
