CVE-2010-2806: Out-of-bounds Read
First published: Fri Aug 06 2010(Updated: )
An array index error, leading to heap-based buffer overflow was found in the way the FreeType font rendering engine processed FontType42 font files with negative length of certain special font name table strings. An attacker could use this flaw to create a specially-crafted font file (which bypasses a size check and triggers a heap-based buffer overflow). Such file, when opened, would cause an application linked against libfreetype to crash, or, possibly execute arbitrary code. Upstream bug report: [1] <a href="https://savannah.nongnu.org/bugs/?30656">https://savannah.nongnu.org/bugs/?30656</a> Public reproducer: [2] <a href="http://alt.swiecki.net/j/f/sigsegv29.ttf">http://alt.swiecki.net/j/f/sigsegv29.ttf</a> Upstream changeset: [3] <a href="http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c06da1ad34663da7b6fc39b030dc3ae185b96557">http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c06da1ad34663da7b6fc39b030dc3ae185b96557</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FreeType | <2.4.2 | |
| Canonical Ubuntu Linux | =6.06 | |
| Canonical Ubuntu Linux | =8.04 | |
| Canonical Ubuntu Linux | =9.04 | |
| Canonical Ubuntu Linux | =9.10 | |
| Canonical Ubuntu Linux | =10.04 | |
| Apple iPhone OS | <4.2 | |
| Apple Mac OS X | <10.6.5 | |
| Apple tvOS | <4.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c06da1ad34663da7b6fc39b030dc3ae185b96557
- https://bugzilla.redhat.com/show_bug.cgi?id=621980
- https://savannah.nongnu.org/bugs/?30656
- http://marc.info/?l=oss-security&m=128111955616772&w=2
- https://bugs.launchpad.net/ubuntu/maverick/+source/freetype/+bug/617019
- http://sourceforge.net/projects/freetype/files/freetype2/2.4.2/NEWS/view
- http://secunia.com/advisories/40982
- http://www.vupen.com/english/advisories/2010/2018
- http://www.vupen.com/english/advisories/2010/2106
- http://freetype.sourceforge.net/index2.html#release-freetype-2.4.2
- http://www.securityfocus.com/bid/42285
- http://secunia.com/advisories/40816
- http://www.ubuntu.com/usn/USN-972-1
- http://support.apple.com/kb/HT4435
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00003.html
- http://support.apple.com/kb/HT4456
- http://www.vupen.com/english/advisories/2010/3045
- http://support.apple.com/kb/HT4457
- http://www.vupen.com/english/advisories/2010/3046
- http://secunia.com/advisories/42314
- http://secunia.com/advisories/42317
- https://rhn.redhat.com/errata/RHSA-2010-0736.html
- https://rhn.redhat.com/errata/RHSA-2010-0737.html
- http://www.redhat.com/support/errata/RHSA-2010-0864.html
- http://alt.swiecki.net/j/f/sigsegv29.ttf
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=437208
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=437208&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=437209&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=437209&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=30656
- https://access.redhat.com/security/cve/CVE-2010-2806
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=638522
- https://rhn.redhat.com/errata/RHSA-2010-0864.html
- collector/redhat-bugzilla
- alias/CVE-2010-2806
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/severity
- agent/remedy
- agent/author
- agent/tags
- agent/description
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/freetype
- canonical/freetype
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/6.06
- version/canonical ubuntu linux/8.04
- version/canonical ubuntu linux/9.04
- version/canonical ubuntu linux/9.10
- version/canonical ubuntu linux/10.04
- vendor/apple
- canonical/apple iphone os
- canonical/apple mac os x
- canonical/apple tvos