Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=717, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=716 and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=715
Vulnerable Systems:
* FreeType2 version 2.3.5
Immune Systems:
* FreeType2 version 2.3.6
Multiple Vendor FreeType2 Multiple Heap Overflow Vulnerabilities
Remote exploitation of multiple heap overflow vulnerabilities in the FreeType2 library, as included in various vendors' operating systems, could allow an attacker to execute arbitrary code with the privileges of the affected application.
Two vulnerabilities exist within the code responsible for parsing font files.
The first vulnerability occurs when parsing Printer Font Binary (PFB) format font files. PFB files contain various data structures, some of which are stored in a tabular format. When parsing tables, the code doesn't correctly validate a value used as an array index into a heap buffer. The calculation contains an off-by-one error, which can result in a heap overflow.
The second vulnerability occurs when parsing TrueType Font (TTF) font files. TrueType font files contain "font programs" that are executed in a TrueType virtual machine. One of the instructions in the instruction set is 'SHC', which is used to shift a contour in the font by a specified value. When parsing this instruction, the code doesn't correctly validate an array index, which leads to an off-by-one heap overflow.
Analysis:
Exploitation of these vulnerabilities results in the execution of arbitrary code with the privileges of the application using the library. Since FreeType2 is a library and not a standalone application, the exploitation vector will vary. iDefense Labs verified that local privilege escalation was possible via the X.Org Xserver.
Vendor response:
The FreeType maintainers addressed these vulnerabilities with the release of version 2.3.6. For more information, refer to the release notes at the following URL: http://sourceforge.net/project/shownotes.php?group_id=3157&release_id=605780
CVE Information:
CVE-2008-1808
Multiple Vendor FreeType2 PFB Memory Corruption Vulnerability
Remote exploitation of a memory corruption vulnerability in the FreeType2 library, as included in various vendors' operating systems, could allow an attacker to execute arbitrary code with the privileges of the affected application. The vulnerability exists within the code responsible for parsing Printer Font Binary (PFB) format font files. By providing an invalid 'number of axes' in the file, it is possible to cause the code to call the free() function on areas of memory that were not dynamically allocated. This can lead to memory corruption, which can allow for the execution of arbitrary code.
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the application using the library. Since FreeType2 is a library and not a standalone application, the exploitation vector will vary. iDefense Labs verified that local privilege escalation was possible via the X.Org Xserver.
Vendor response:
The FreeType maintainers addressed this vulnerability with the release of version 2.3.6. For more information, refer to the release notes at the following URL: http://sourceforge.net/project/shownotes.php?group_id=3157&release_id=605780
CVE Information:
CVE-2008-1807
Multiple Vendor FreeType2 PFB Integer Overflow Vulnerability
Remote exploitation of an integer overflow vulnerability in the FreeType2 library, as included in various vendors' operating systems, could allow an attacker to execute arbitrary code with the privileges of the affected application.
The vulnerability exists within the code responsible for parsing Printer Font Binary (PFB) format font files. PFB files contain a section known as the "Private" dictionary table which is used to describe how characters are constructed. When parsing this data structure, a series of 16-bit length values are read in from the file. These values are added together and used to allocate a dynamic buffer. The addition can result in an integer overflow, which subsequently leads to a heap overflow.
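The length-summation problem described above, as an added illustration (not FreeType's own parser): a constructed table of 16-bit lengths is summed into a 32-bit total, once without a check and once with the overflow check a parser should apply before sizing an allocation. The 32-bit accumulator, the `limit` parameter and all function names are assumptions for this model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Model of the accumulation the advisory describes: a series of 16-bit
 * lengths read from the PFB "Private" dictionary data is summed to size one
 * allocation. Constructed illustration, not FreeType's own code; the 32-bit
 * accumulator and the `limit` parameter are assumptions. */

/* Unchecked accumulation: the total silently wraps modulo 2^32, so a buffer
 * allocated from it is far smaller than the data copied into it later. */
uint32_t sum_lengths_unchecked(const uint16_t *len, size_t count)
{
    uint32_t total = 0;
    for (size_t i = 0; i < count; i++)
        total += len[i];
    return total;
}

/* Checked accumulation: reject the table as soon as the running total would
 * exceed `limit` (the largest allocation the caller is willing to make).
 * Returns 0 and stores the total in *out, or -1 on overflow. */
int sum_lengths_checked(const uint16_t *len, size_t count,
                        uint32_t limit, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < count; i++) {
        if (len[i] > limit - total)   /* total + len[i] would exceed limit */
            return -1;
        total += len[i];
    }
    *out = total;
    return 0;
}

/* Constructed sample input: `count` entries of 0xFFFF. With 65538 entries the
 * true total is 2^32 + 65534, which wraps to 65534 in the unchecked version. */
uint16_t *build_wrapping_table(size_t count)
{
    uint16_t *t = malloc(count * sizeof *t);
    if (t)
        for (size_t i = 0; i < count; i++)
            t[i] = 0xFFFF;
    return t;
}
```

The same check applies whatever the accumulator width: compare against the remaining headroom before adding, never after.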
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the application using the library. Since FreeType2 is a library and not a standalone application, the exploitation vector will vary. iDefense Labs verified that local privilege escalation was possible via the X.Org Xserver.
Vendor response:
The FreeType maintainers addressed this vulnerability with the release of version 2.3.6. For more information, refer to the release notes at the following URL: http://sourceforge.net/project/shownotes.php?group_id=3157&release_id=605780
CVE Information:
CVE-2008-1806