Bug 450768 (CVE-2008-1806) - CVE-2008-1806 FreeType PFB integer overflow
Summary: CVE-2008-1806 FreeType PFB integer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1806
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://labs.idefense.com/intelligence...
Whiteboard:
Depends On: 450905 450906 450908 450909 450910 450911 451212 451213 806288
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-10 20:55 UTC by Josh Bressers
Modified: 2019-09-29 12:24 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-21 09:32:11 UTC
Embargoed:

Attachments (Terms of Use)
Patch extracted from upstream (5.67 KB, patch)
2008-06-11 17:21 UTC, Josh Bressers 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0556 0 normal SHIPPED_LIVE Important: freetype security update 2008-06-25 11:39:47 UTC
Red Hat Product Errata RHSA-2008:0558 0 normal SHIPPED_LIVE Important: freetype security update 2008-06-25 11:24:52 UTC

Description Josh Bressers 2008-06-10 20:55:46 UTC 
An integer overflow flaw was found in FreeType's PFB processor.

According to the advisory:
    The vulnerability exists within the code responsible for parsing Printer Font
    Binary (PFB) format font files. PFB files contain a section known as the 
    "Private" dictionary table which is used to describe how characters are 
    constructed. When parsing this data structure, a series of 16-bit length 
    values are read in from the file. These values are added together and used to 
    allocate a dynamic buffer. The addition can result in an integer overflow, 
    which subsequently leads to a heap overflow.
Comment 1 Josh Bressers 2008-06-11 17:21:06 UTC 
Created attachment 308965 [details]
Patch extracted from upstream

This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and
CVE-2008-1808
Comment 5 Tomas Hoger 2008-06-13 13:57:22 UTC 
Parts of the patch (seems to be TTF part of the CVE-2008-1808) also seem to
apply to freetype1 shipped in Fedora.  freetype1 only seems to be used by
MagicPoint, which probably does not load arbitrary font files.
Comment 8 Fedora Update System 2008-06-17 09:43:47 UTC 
freetype-2.3.5-4.fc8 has been submitted as an update for Fedora 8
Comment 9 Fedora Update System 2008-06-17 09:44:14 UTC 
freetype-2.3.5-6.fc9 has been submitted as an update for Fedora 9
Comment 10 Fedora Update System 2008-06-18 03:15:09 UTC 
freetype-2.3.5-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-06-18 03:15:39 UTC 
freetype-2.3.5-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Red Hat Product Security 2008-07-21 09:32:11 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0558.html
  http://rhn.redhat.com/errata/RHSA-2008-0556.html

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-5430
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5425
Note You need to log in before you can comment on or make changes to this bug.