Multiple Integer Overflow Vulnerabilities in the FreeType 2 Font Engine May Lead to a Denial of Service (DoS) or Allow Execution of Arbitrary Code

Category: Security
Release Phase: Preliminary
Bug Id: 6877323
Product: Solaris 8 Operating System, Solaris 9 Operating System, Solaris 10 Operating System, OpenSolaris
1. Impact
Multiple integer overflow vulnerabilities in the FreeType 2 Font Library
(libfreetype) may affect applications that make use of this library. Depending
on the application, these vulnerabilities may allow a local or remote
unprivileged user to crash the application through a specially crafted font
file, resulting in a Denial of Service (DoS), or to execute arbitrary code with
the privileges of the user running that application.
These issues are also described in CVE-2009-0946:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946
2. Contributing Factors
These issues can occur in the following releases:
SPARC Platform
- X11 6.4.1 (for Solaris 8)
- Solaris 9
- Solaris 10
- OpenSolaris based upon builds snv_01 through snv_123
x86 Platform
- X11 6.4.1 (for Solaris 8)
- Solaris 9
- Solaris 10
- OpenSolaris based upon builds snv_01 through snv_123
Note 1: To determine if FreeType 2 is installed on a system, the
following command can be run:
    $ pkginfo SUNWfreetype2
    system SUNWfreetype2 FreeType2 Font library
Note 2: To determine if an application is linked with the libfreetype
library, the ldd(1) utility can be used, as in the following example:
    $ ldd /usr/bin/gedit | grep libfreetype
    libfreetype.so.6 => /usr/sfw/lib/libfreetype.so.6
A comprehensive test to check if an application links with a library
such as libfreetype requires the use of pldd(1) against the running
application, since ldd(1) does not list any shared objects explicitly
attached using dlopen(3C). For example:
    $ pldd <process ID of application> | grep libfreetype
    /usr/sfw/lib/libfreetype.so.6
Note 3: OpenSolaris distributions may include additional bug fixes
above and beyond the build from which they were derived. To determine the
base build of OpenSolaris, the following command can be used:
    $ uname -v
    snv_120
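The checks in Notes 2 and 3 can be scripted for triage across many hosts. The following is an added example, not part of the original Sun Alert: the function names are hypothetical, and it assumes build strings of the form snv_NNN with an optional lowercase letter suffix.

```shell
#!/bin/sh
# Added example (not from the Sun Alert); function names are hypothetical.

# Print the numeric build from a `uname -v` string such as "snv_120".
# Strips leading zeros ("snv_01") and an assumed letter suffix ("snv_111b").
# Returns 1 and prints nothing when the string is not an snv_ build.
snv_build_number() {
    n=$(printf '%s\n' "$1" | sed -n 's/^snv_0*\([0-9][0-9]*\)[a-z]*$/\1/p')
    [ -n "$n" ] || return 1
    printf '%s\n' "$n"
}

# Classify an OpenSolaris build against sections 2 and 5 of this alert:
# snv_01 through snv_123 are affected, snv_124 or later carry the fix.
# Anything else (for example a Solaris 8/9/10 kernel string) is "unknown".
freetype_build_status() {
    n=$(snv_build_number "$1") || { echo unknown; return 0; }
    if [ "$n" -ge 1 ] && [ "$n" -le 123 ]; then
        echo affected
    elif [ "$n" -ge 124 ]; then
        echo fixed
    else
        echo unknown
    fi
}

# Read ldd(1) or pldd(1) output on stdin and print the unique absolute
# paths of any libfreetype objects. Handles "name => /path" lines (ldd)
# and bare path lines (pldd); unresolved entries print nothing.
freetype_paths() {
    awk '/libfreetype\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        sort -u
}

# For each PID given, report processes that have libfreetype mapped,
# including objects attached with dlopen(3C). Requires pldd(1).
scan_pids() {
    command -v pldd >/dev/null 2>&1 || { echo "pldd not found" >&2; return 2; }
    for pid in "$@"; do
        paths=$(pldd "$pid" 2>/dev/null | freetype_paths)
        [ -z "$paths" ] || printf '%s\t%s\n' "$pid" "$paths"
    done
}

# Usage: sh thisfile PID...   (with no arguments, only defines the functions)
[ "$#" -eq 0 ] || scan_pids "$@"
```

A status of "unknown" does not mean unaffected: Solaris 8, 9 and 10 are listed as affected above regardless of kernel version string.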
3. Symptoms
If the described issues are exploited to cause a Denial of Service
(DoS) to an application which links to the libfreetype library, the
application will exit and may generate an error message about a
Segmentation Fault, potentially writing a core(4) file. There are no
predictable symptoms that would indicate the issue has been exploited
to execute arbitrary code with elevated privileges.
4. Workaround
There is no workaround for these issues. Please see the "Resolution"
section below.
5. Resolution
These issues are addressed in the following releases:
SPARC Platform
- OpenSolaris based upon builds snv_124 or later
x86 Platform
- OpenSolaris based upon builds snv_124 or later
A final resolution is pending completion for Solaris 8, 9 and 10.
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.