CVE-2010-2806: Out-of-bounds Read
First published: Fri Aug 06 2010(Updated: )
An array index error, leading to heap-based buffer overflow was found in the way the FreeType font rendering engine processed FontType42 font files with negative length of certain special font name table strings. An attacker could use this flaw to create a specially-crafted font file (which bypasses a size check and triggers a heap-based buffer overflow). Such file, when opened, would cause an application linked against libfreetype to crash, or, possibly execute arbitrary code. Upstream bug report: [1] <a href="https://savannah.nongnu.org/bugs/?30656">https://savannah.nongnu.org/bugs/?30656</a> Public reproducer: [2] <a href="http://alt.swiecki.net/j/f/sigsegv29.ttf">http://alt.swiecki.net/j/f/sigsegv29.ttf</a> Upstream changeset: [3] <a href="http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c06da1ad34663da7b6fc39b030dc3ae185b96557">http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c06da1ad34663da7b6fc39b030dc3ae185b96557</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FreeType | <2.4.2 | |
| Ubuntu Linux | =6.06 | |
| Ubuntu Linux | =8.04 | |
| Ubuntu Linux | =9.04 | |
| Ubuntu Linux | =9.10 | |
| Ubuntu Linux | =10.04 | |
| iStyle @cosme iPhone OS | <4.2 | |
| Apple iOS and macOS | <10.6.5 | |
| tvOS | <4.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c06da1ad34663da7b6fc39b030dc3ae185b96557
- https://bugzilla.redhat.com/show_bug.cgi?id=621980
- https://savannah.nongnu.org/bugs/?30656
- http://marc.info/?l=oss-security&m=128111955616772&w=2
- https://bugs.launchpad.net/ubuntu/maverick/+source/freetype/+bug/617019
- http://sourceforge.net/projects/freetype/files/freetype2/2.4.2/NEWS/view
- http://secunia.com/advisories/40982
- http://www.vupen.com/english/advisories/2010/2018
- http://www.vupen.com/english/advisories/2010/2106
- http://freetype.sourceforge.net/index2.html#release-freetype-2.4.2
- http://www.securityfocus.com/bid/42285
- http://secunia.com/advisories/40816
- http://www.ubuntu.com/usn/USN-972-1
- http://support.apple.com/kb/HT4435
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00003.html
- http://support.apple.com/kb/HT4456
- http://www.vupen.com/english/advisories/2010/3045
- http://support.apple.com/kb/HT4457
- http://www.vupen.com/english/advisories/2010/3046
- http://secunia.com/advisories/42314
- http://secunia.com/advisories/42317
- https://rhn.redhat.com/errata/RHSA-2010-0736.html
- https://rhn.redhat.com/errata/RHSA-2010-0737.html
- http://www.redhat.com/support/errata/RHSA-2010-0864.html
- http://alt.swiecki.net/j/f/sigsegv29.ttf
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=437208
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=437208&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=437209&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=437209&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=30656
- https://access.redhat.com/security/cve/CVE-2010-2806
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=638522
- https://rhn.redhat.com/errata/RHSA-2010-0864.html
Frequently Asked Questions
What is the severity of CVE-2010-2806?
CVE-2010-2806 has a high severity due to the potential for heap-based buffer overflow attacks.
How do I fix CVE-2010-2806?
To fix CVE-2010-2806, update the FreeType library to version 2.4.2 or later.
What types of systems are affected by CVE-2010-2806?
CVE-2010-2806 affects software using FreeType versions prior to 2.4.2 and various versions of Ubuntu and macOS.
Can an attacker exploit CVE-2010-2806 remotely?
Yes, an attacker can exploit CVE-2010-2806 remotely by supplying a specially-crafted font file.
What impact does CVE-2010-2806 have on affected systems?
CVE-2010-2806 can lead to arbitrary code execution and potentially compromise affected systems.
- collector/redhat-bugzilla
- alias/CVE-2010-2806
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/severity
- agent/remedy
- agent/author
- agent/event
- agent/description
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/freetype
- canonical/freetype
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/6.06
- version/ubuntu linux/8.04
- version/ubuntu linux/9.04
- version/ubuntu linux/9.10
- version/ubuntu linux/10.04
- vendor/apple
- canonical/istyle @cosme iphone os
- canonical/apple ios and macos
- canonical/tvos