
List:       oss-security
Subject:    Re: [oss-security] Multiple bugs in freetype
From:       Josh Bressers <bressers@redhat.com>
Date:       2010-07-14 17:45:31
Message-ID: 2060260017.430061279129531508.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com

I'm also adding a CVE id for the buffer overflows in the freetype demo programs:

CVE-2010-2527
http://savannah.nongnu.org/bugs/index.php?30054

The fix is here:
http://git.savannah.gnu.org/cgit/freetype/freetype2-demos.git/commit/?id=b995299b73ba4cd259f221f500d4e63095508bec

Thanks.

-- 
    JB



----- "Robert Święcki" <robert@swiecki.net> wrote:

> FYI
> 
> I've recently reported multiple problems in freetype (around 20);
> most of them are NULL-ptr derefs, stack exhaustion and div-by-zero
> issues, but the rest might be interesting. RedHat was kind enough to
> assign CVE numbers to some of them. vendor-sec members tend to treat
> them as public issues, so reposting here:
> 
> > CVE-2010-2497 freetype integer underflow #30082 #30083
> > CVE-2010-2498 freetype invalid free #30106
> > CVE-2010-2499 freetype buffer overflow #30248 #30249
> > CVE-2010-2500 freetype integer overflow #30263
> > CVE-2010-2519 freetype heap buffer overflow #30306
> > CVE-2010-2520 freetype buffer overflow on heap #30361
> 
> I wasn't trying to make weaponized exploits, although some of those
> issues are clearly exploitable.
> 
> The full list
> 
> http://savannah.nongnu.org/bugs/index.php?group=freetype&func=browse&set=custom&report_id=101&submitted_by=78858
> 
> -- 
> Robert Swiecki - http://www.swiecki.net
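Added example for readers of this thread (written for this page; it is not FreeType code and does not reproduce any of the bugs referenced above). Several of the classes listed, "integer underflow" and "buffer overflow" in particular, share one root pattern in font parsers: a length field read from the file is trusted when deriving a payload size, so a value smaller than the fixed header (unsigned underflow) or larger than the data actually present turns a later memcpy into an out-of-bounds access. The hypothetical table format below (4-byte big-endian length that counts the header, then payload) shows the unchecked derivation beside a hardened one; the sample byte strings are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical table format (constructed for this example): a 4-byte
 * big-endian length that is supposed to include these 4 header bytes,
 * followed by (length - 4) payload bytes. */
#define HDR_LEN 4u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unchecked variant: nothing ties the declared length to HDR_LEN or to
 * the bytes actually present, so len < 4 wraps the subtraction to ~4 GiB.
 * Returns the size a naive parser would pass to memcpy. */
size_t payload_len_unchecked(const uint8_t *buf, size_t buflen) {
    (void)buflen;                     /* deliberately ignored */
    uint32_t len = be32(buf);
    return (size_t)(len - HDR_LEN);   /* unsigned underflow when len < 4 */
}

/* Hardened variant: validate the declared length against both the fixed
 * header size and the available data before deriving anything from it.
 * Returns the payload length, or -1 for a malformed table. */
long payload_len_checked(const uint8_t *buf, size_t buflen) {
    if (buflen < HDR_LEN) return -1;  /* cannot even read the field */
    uint32_t len = be32(buf);
    if (len < HDR_LEN) return -1;     /* subtraction would underflow */
    if (len > buflen) return -1;      /* declared length exceeds data */
    return (long)(len - HDR_LEN);
}

/* Copies the payload into out (capacity outcap) only once the table and
 * the destination size have both been validated. Returns bytes copied or -1. */
int copy_payload(const uint8_t *buf, size_t buflen, uint8_t *out, size_t outcap) {
    long n = payload_len_checked(buf, buflen);
    if (n < 0 || (size_t)n > outcap) return -1;
    memcpy(out, buf + HDR_LEN, (size_t)n);
    return (int)n;
}

/* Constructed sample tables (not from any real font file). */
const uint8_t sample_good[]  = {0x00, 0x00, 0x00, 0x06, 0xAA, 0xBB}; /* len 6 = 4 + 2 */
const uint8_t sample_short[] = {0x00, 0x00, 0x00, 0x02, 0xAA, 0xBB}; /* len 2 < header */
const uint8_t sample_big[]   = {0x00, 0x00, 0x00, 0x10, 0xAA, 0xBB}; /* len 16 > 6 bytes */
const size_t sample_len = 6;

int main(void) {
    uint8_t out[16];
    printf("unchecked, short table: %zu bytes would be copied\n",
           payload_len_unchecked(sample_short, sample_len));
    printf("checked, short table:   %ld\n", payload_len_checked(sample_short, sample_len));
    printf("checked, big table:     %ld\n", payload_len_checked(sample_big, sample_len));
    printf("checked, good table:    %d bytes copied\n",
           copy_payload(sample_good, sample_len, out, sizeof out));
    return 0;
}
```

The check order matters: the header-size test must come before the subtraction, and the comparison against `buflen` must use the declared length itself rather than the derived payload size, otherwise the wrapped value can slip past a "payload <= remaining" test.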
