• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: FreeType TrueType Font 'SHC' Heap Buffer Overflow Vulnerability

Severity: HIGH

Description:

FreeType is an open-source library for parsing fonts.

FreeType is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. The vulnerability occurs when parsing TrueType Font (TTF) font files. Specifically, the vulnerability occurs in the 'SHC' instruction set included in the TrueType virtual machine. When parsing the 'SHC' instruction, the library fails to validate an array index, triggering an off-by-one error.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application using the affected library. Failed exploit attempts will result in a denial-of-service vulnerability.

NOTE: This issue may allow a local attacker using X.Org X server to gain elevated privileges on the affected computer.

FreeType 2.3.5 is vulnerable; other versions may also be affected.

Affected Products:

• Apple iPhone
• Apple iPhone 1
• Apple iPhone 1.0.1
• Apple iPhone 1.0.2
• Apple iPhone 1.1
• Apple iPhone 1.1.1
• Apple iPhone 1.1.2
• Apple iPhone 1.1.3
• Apple iPhone 1.1.4
• Apple iPhone 2.0
• Apple iPhone 2.0.1
• Apple iPhone 2.0.2
• Apple iPod Touch 1.1
• Apple iPod Touch 1.1.1
• Apple iPod Touch 1.1.2
• Apple iPod Touch 1.1.3
• Apple iPod Touch 1.1.4
• Apple iPod Touch 2.0
• Apple iPod Touch 2.0.1
• Apple iPod Touch 2.0.2
• Avaya Communication Manager 3.0
• Avaya Communication Manager Server DEFINITY Server SI/CS
• Avaya Communication Manager Server S8100
• Avaya Communication Manager Server S8300
• Avaya Communication Manager Server S8500
• Avaya Communication Manager Server S8700
• Avaya EMMC
• Avaya EMMC 1.017
• Avaya Intuity AUDIX
• Avaya Intuity AUDIX LX 2.0
• Debian Linux 4.0
• Debian Linux 4.0 alpha
• Debian Linux 4.0 amd64
• Debian Linux 4.0 arm
• Debian Linux 4.0 hppa
• Debian Linux 4.0 ia-32
• Debian Linux 4.0 ia-64
• Debian Linux 4.0 m68k
• Debian Linux 4.0 mips
• Debian Linux 4.0 mipsel
• Debian Linux 4.0 powerpc
• Debian Linux 4.0 s/390
• Debian Linux 4.0 sparc
• FreeType FreeType 2.0.6
• FreeType FreeType 2.0.9
• FreeType FreeType 2.1.10
• FreeType FreeType 2.1.7
• FreeType FreeType 2.1.9
• FreeType FreeType 2.2
• FreeType FreeType 2.2.1
• FreeType FreeType 2.2.10
• FreeType FreeType 2.3.3
• FreeType FreeType 2.3.4
• FreeType FreeType 2.3.5
• Gentoo Linux
• Linux kernel 2.4.19
• Linux kernel 2.4.21
• Linux kernel 2.6.5
• MandrakeSoft Corporate Server 3.0.0
• MandrakeSoft Corporate Server 3.0.0 x86_64
• MandrakeSoft Corporate Server 4.0
• MandrakeSoft Corporate Server 4.0.0 x86_64
• MandrakeSoft Linux Mandrake 2007.1
• MandrakeSoft Linux Mandrake 2007.1 x86_64
• MandrakeSoft Linux Mandrake 2008.0
• MandrakeSoft Linux Mandrake 2008.0 x86_64
• MandrakeSoft Linux Mandrake 2008.1
• MandrakeSoft Linux Mandrake 2008.1 x86_64
• MandrakeSoft Multi Network Firewall 2.0.0
• OpenPKG OpenPKG E1.0-Solid
• RedHat Advanced Workstation for the Itanium Processor 2.1.0
• RedHat Advanced Workstation for the Itanium Processor 2.1.0 IA64
• RedHat Advanced Workstation for the Itanium Processor 2.1.0 IA64
• RedHat Desktop 3.0.0
• RedHat Desktop 4.0.0
• RedHat Enterprise Linux 5 server
• RedHat Enterprise Linux AS 2.1
• RedHat Enterprise Linux AS 2.1 IA64
• RedHat Enterprise Linux AS 3
• RedHat Enterprise Linux AS 4
• RedHat Enterprise Linux Desktop 5 client
• RedHat Enterprise Linux Desktop Workstation 5 client
• RedHat Enterprise Linux ES 2.1
• RedHat Enterprise Linux ES 2.1 IA64
• RedHat Enterprise Linux ES 3
• RedHat Enterprise Linux ES 4
• RedHat Enterprise Linux WS 2.1
• RedHat Enterprise Linux WS 2.1 IA64
• RedHat Enterprise Linux WS 3
• RedHat Enterprise Linux WS 4
• RedHat Fedora 8
• RedHat Fedora 9
• S.u.S.E. Linux 10.0 ppc
• S.u.S.E. Linux 10.0 x86
• S.u.S.E. Linux 10.0 x86-64
• S.u.S.E. Linux 10.1 ppc
• S.u.S.E. Linux 10.1 x86
• S.u.S.E. Linux 10.1 x86-64
• S.u.S.E. Linux Desktop 1.0.0
• S.u.S.E. Linux Enterprise SDK 10 SP1
• S.u.S.E. Linux Enterprise Server 8
• S.u.S.E. Linux Enterprise Server 9
• S.u.S.E. Novell Linux Desktop 9
• S.u.S.E. SUSE Linux Enterprise Desktop 10 SP1
• S.u.S.E. SUSE Linux Enterprise Server 10 SP1
• S.u.S.E. SuSE Linux Openexchange Server 4.0.0
• S.u.S.E. SuSE Linux Standard Server 8.0.0
• S.u.S.E. UnitedLinux 1.0.0
• S.u.S.E. openSUSE 10.2
• S.u.S.E. openSUSE 10.3
• Sun OpenSolaris
• Sun OpenSolaris build snv_01
• Sun OpenSolaris build snv_02
• Sun OpenSolaris build snv_13
• Sun OpenSolaris build snv_19
• Sun OpenSolaris build snv_22
• Sun OpenSolaris build snv_64
• Sun OpenSolaris build snv_88
• Sun OpenSolaris build snv_89
• Sun OpenSolaris build snv_91
• Sun OpenSolaris build snv_92
• Sun Solaris 10
• Sun Solaris 10_x86
• Sun Solaris 8
• Sun Solaris 8_x86
• Sun Solaris 9
• Sun Solaris 9_x86
• Trustix Secure Linux 2.2.0
• Trustix Secure Linux 3.0.0
• Trustix Secure Linux 3.0.5
• Ubuntu Ubuntu Linux 6.06 LTS amd64
• Ubuntu Ubuntu Linux 6.06 LTS i386
• Ubuntu Ubuntu Linux 6.06 LTS powerpc
• Ubuntu Ubuntu Linux 6.06 LTS sparc
• Ubuntu Ubuntu Linux 7.04 amd64
• Ubuntu Ubuntu Linux 7.04 i386
• Ubuntu Ubuntu Linux 7.04 powerpc
• Ubuntu Ubuntu Linux 7.04 sparc
• Ubuntu Ubuntu Linux 7.10 amd64
• Ubuntu Ubuntu Linux 7.10 i386
• Ubuntu Ubuntu Linux 7.10 lpia
• Ubuntu Ubuntu Linux 7.10 powerpc
• Ubuntu Ubuntu Linux 7.10 sparc
• Ubuntu Ubuntu Linux 8.04 LTS amd64
• Ubuntu Ubuntu Linux 8.04 LTS i386
• Ubuntu Ubuntu Linux 8.04 LTS lpia
• Ubuntu Ubuntu Linux 8.04 LTS powerpc
• Ubuntu Ubuntu Linux 8.04 LTS sparc
• VMWare ESX Server 2.5.4
• VMWare ESX Server 2.5.5
• VMWare Fusion 1.0
• VMWare Fusion 1.1.0
• VMWare Fusion 1.1.1
• VMWare Fusion 1.1.2
• VMWare Fusion 1.1.2 build 87978
• VMWare Player 1.0.8
• VMWare Player 1.0.8 build 108000
• VMWare Player 2.0.5
• VMWare Player 2.0.5 build 109488
• VMWare Server 1.0.7
• VMWare Server 1.0.7 build 108231
• VMWare Workstation 5.5.8
• VMWare Workstation 5.5.8 build 108000
• VMWare Workstation 6.0.5
• VMWare Workstation 6.0.5 build 109488
• rPath Appliance Platform Linux Service 1
• rPath Appliance Platform Linux Service 2
• rPath rPath Linux 1
• rPath rPath Linux 2

References:

• Avaya: ASA-2008-318 - freetype security update (RHSA-2008-0556)
• FreeType: FreeType 2.3.6 Release Notes
• FreeType: FreeType Home Page
• Red Hat: RHSA-2008:0556-7 freetype security update
• Red Hat: RHSA-2008:0556-8 freetype security update
• Red Hat: RHSA-2008:0558-4 freetype security update
• Red Hat: RHSA-2008:0558-6 freetype security update
• Sun: Solution 239006: Multiple Security Vulnerabilities in the FreeType2 library
• iDefense Labs: Multiple Vendor FreeType2 Multiple Heap Overflow Vulnerabilities
• rPath: rPath Security Advisory 2008-0255-1

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.