CVE-2012-1144: Buffer Overflow
First published: Tue Mar 06 2012(Updated: )
An out-of heap-based buffer write flaw was found in the way TrueType bytecode / opcode interpreter of the FreeType font rendering engine performed moving of zone2 pointer point by execution of 'SHift Contour' (SHC) instruction. A remote attacker could provide a specially-crafted font file, which once opened in an application linked against FreeType would lead to that application crash, or, potentially arbitrary code execution with the privileges of the user running the application. Upstream bug report: [1] <a href="https://savannah.nongnu.org/bugs/?35689">https://savannah.nongnu.org/bugs/?35689</a> Upstream patch: [2] <a href="http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0fc8debeb6c2f6a8a9a2b97332a7c8a0a1bd9e85">http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0fc8debeb6c2f6a8a9a2b97332a7c8a0a1bd9e85</a> Acknowledgements: Red Hat would like to thank Mateusz Jurczyk of the Google Security Team for reporting this issue.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FreeType | <=2.4.8 | |
| FreeType | =1.3.1 | |
| FreeType | =2.0.0 | |
| FreeType | =2.0.1 | |
| FreeType | =2.0.2 | |
| FreeType | =2.0.3 | |
| FreeType | =2.0.4 | |
| FreeType | =2.0.5 | |
| FreeType | =2.0.6 | |
| FreeType | =2.0.7 | |
| FreeType | =2.0.8 | |
| FreeType | =2.0.9 | |
| FreeType | =2.1 | |
| FreeType | =2.1.3 | |
| FreeType | =2.1.4 | |
| FreeType | =2.1.5 | |
| FreeType | =2.1.6 | |
| FreeType | =2.1.7 | |
| FreeType | =2.1.8 | |
| FreeType | =2.1.8-rc1 | |
| FreeType | =2.1.9 | |
| FreeType | =2.1.10 | |
| FreeType | =2.2.0 | |
| FreeType | =2.2.1 | |
| FreeType | =2.3.0 | |
| FreeType | =2.3.1 | |
| FreeType | =2.3.2 | |
| FreeType | =2.3.3 | |
| FreeType | =2.3.4 | |
| FreeType | =2.3.5 | |
| FreeType | =2.3.6 | |
| FreeType | =2.3.7 | |
| FreeType | =2.3.8 | |
| FreeType | =2.3.9 | |
| FreeType | =2.3.10 | |
| FreeType | =2.3.11 | |
| FreeType | =2.3.12 | |
| FreeType | =2.4.0 | |
| FreeType | =2.4.1 | |
| FreeType | =2.4.2 | |
| FreeType | =2.4.3 | |
| FreeType | =2.4.4 | |
| FreeType | =2.4.5 | |
| FreeType | =2.4.6 | |
| FreeType | =2.4.7 | |
| Mozilla Firefox | <=10.0.3 | |
| Mozilla Firefox | =1.0 | |
| Mozilla Firefox | =4.0 | |
| Mozilla Firefox | =4.0-beta1 | |
| Mozilla Firefox | =4.0-beta2 | |
| Mozilla Firefox | =4.0-beta3 | |
| Mozilla Firefox | =4.0-beta4 | |
| Mozilla Firefox | =5.0 | |
| Mozilla Firefox | =6.0 | |
| Mozilla Firefox | =6.0.1 | |
| Mozilla Firefox | =6.0.2 | |
| Mozilla Firefox | =7.0 | |
| Mozilla Firefox | =8.0 | |
| Mozilla Firefox | =9.0 | |
| Mozilla Firefox | =10.0 | |
| Mozilla Firefox | =10.0.1 | |
| Mozilla Firefox | =10.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://savannah.nongnu.org/bugs/?35689
- http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0fc8debeb6c2f6a8a9a2b97332a7c8a0a1bd9e85
- http://www.openwall.com/lists/oss-security/2012/03/06/16
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=800607#c0
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=806271
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=806270
- https://rhn.redhat.com/errata/RHSA-2012-0467.html
- https://bugzilla.redhat.com/show_bug.cgi?id=800607
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00004.html
- http://rhn.redhat.com/errata/RHSA-2012-0467.html
- http://secunia.com/advisories/48300
- http://secunia.com/advisories/48508
- http://secunia.com/advisories/48758
- http://secunia.com/advisories/48822
- http://secunia.com/advisories/48973
- http://security.gentoo.org/glsa/glsa-201204-04.xml
- http://support.apple.com/kb/HT5503
- http://www.debian.org/security/2012/dsa-2428
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:057
- http://www.mozilla.org/security/announce/2012/mfsa2012-21.html
- http://www.securityfocus.com/bid/52318
- http://www.securitytracker.com/id?1026765
- http://www.ubuntu.com/usn/USN-1403-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=733512
Frequently Asked Questions
What is the severity of CVE-2012-1144?
The severity of CVE-2012-1144 is classified as moderate.
How do I fix CVE-2012-1144?
To fix CVE-2012-1144, update FreeType to versions 2.4.9 or later.
What is the impact of CVE-2012-1144?
CVE-2012-1144 allows remote attackers to execute arbitrary code via a specially crafted font file.
Which versions of FreeType are affected by CVE-2012-1144?
CVE-2012-1144 affects FreeType versions up to and including 2.4.8, as well as various earlier versions.
Is CVE-2012-1144 exploitable?
Yes, CVE-2012-1144 is exploitable if a user is tricked into opening a malicious font file.
- collector/redhat-bugzilla
- alias/CVE-2012-1144
- agent/references
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/severity
- agent/weakness
- agent/author
- agent/description
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/freetype
- canonical/freetype
- version/freetype/2.4.8
- version/freetype/1.3.1
- version/freetype/2.0.0
- version/freetype/2.0.1
- version/freetype/2.0.2
- version/freetype/2.0.3
- version/freetype/2.0.4
- version/freetype/2.0.5
- version/freetype/2.0.6
- version/freetype/2.0.7
- version/freetype/2.0.8
- version/freetype/2.0.9
- version/freetype/2.1
- version/freetype/2.1.3
- version/freetype/2.1.4
- version/freetype/2.1.5
- version/freetype/2.1.6
- version/freetype/2.1.7
- version/freetype/2.1.8
- version/freetype/2.1.8-rc1
- version/freetype/2.1.9
- version/freetype/2.1.10
- version/freetype/2.2.0
- version/freetype/2.2.1
- version/freetype/2.3.0
- version/freetype/2.3.1
- version/freetype/2.3.2
- version/freetype/2.3.3
- version/freetype/2.3.4
- version/freetype/2.3.5
- version/freetype/2.3.6
- version/freetype/2.3.7
- version/freetype/2.3.8
- version/freetype/2.3.9
- version/freetype/2.3.10
- version/freetype/2.3.11
- version/freetype/2.3.12
- version/freetype/2.4.0
- version/freetype/2.4.1
- version/freetype/2.4.2
- version/freetype/2.4.3
- version/freetype/2.4.4
- version/freetype/2.4.5
- version/freetype/2.4.6
- version/freetype/2.4.7
- vendor/mozilla
- canonical/mozilla firefox
- version/mozilla firefox/10.0.3
- version/mozilla firefox/1.0
- version/mozilla firefox/4.0
- version/mozilla firefox/4.0-beta1
- version/mozilla firefox/4.0-beta2
- version/mozilla firefox/4.0-beta3
- version/mozilla firefox/4.0-beta4
- version/mozilla firefox/5.0
- version/mozilla firefox/6.0
- version/mozilla firefox/6.0.1
- version/mozilla firefox/6.0.2
- version/mozilla firefox/7.0
- version/mozilla firefox/8.0
- version/mozilla firefox/9.0
- version/mozilla firefox/10.0
- version/mozilla firefox/10.0.1
- version/mozilla firefox/10.0.2