-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2105-1                  security@debian.org
http://www.debian.org/security/                        Giuseppe Iuculano
September 07, 2010                    http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : freetype
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2010-1797 CVE-2010-2541 CVE-2010-2805 CVE-2010-2806
                 CVE-2010-2807 CVE-2010-2808 CVE-2010-3053


Several vulnerabilities have been discovered in the FreeType font 
library. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2010-1797

  Multiple stack-based buffer overflows in the 
  cff_decoder_parse_charstrings function in the CFF Type2 CharStrings
  interpreter in cff/cffgload.c in FreeType allow remote attackers to
  execute arbitrary code or cause a denial of service (memory
  corruption) via crafted CFF opcodes in embedded fonts in a PDF
  document, as demonstrated by JailbreakMe.

CVE-2010-2541

  Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType
  allows remote attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via a crafted font file.

CVE-2010-2805

  The FT_Stream_EnterFrame function in base/ftstream.c in FreeType does
  not properly validate certain position values, which allows remote
  attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted font file

CVE-2010-2806

  Array index error in the t42_parse_sfnts function in
  type42/t42parse.c in FreeType allows remote attackers to cause a
  denial of service (application crash) or possibly execute arbitrary
  code via negative size values for certain strings in FontType42 font
  files, leading to a heap-based buffer overflow.

CVE-2010-2807

  FreeType uses incorrect integer data types during bounds checking,
  which allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a crafted
  font file.

CVE-2010-2808

  Buffer overflow in the Mac_Read_POST_Resource function in
  base/ftobjs.c in FreeType allows remote attackers to cause a denial
  of service (memory corruption and application crash) or possibly
  execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka
  LWFN) font.

CVE-2010-3053

  bdf/bdflib.c in FreeType allows remote attackers to cause a denial of
  service (application crash) via a crafted BDF font file, related to
  an attempted modification of a value in a static string.


For the stable distribution (lenny), these problems have been fixed in
version 2.3.7-2+lenny3

For the unstable distribution (sid) and the testing distribution
(squeeze), these problems have been fixed in version 2.4.2-1


We recommend that you upgrade your freetype package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:    39230 95a3841e7258573ca2d3e0075b8e7f73
      Size/MD5 checksum:  1567540 c1a9f44fde316470176fd6d66af3a0e8
      Size/MD5 checksum:     1219 2a2bf3d4568d92e2a48ebcda38140e73

alpha architecture (DEC Alpha)

      Size/MD5 checksum:   775278 2f2ca060588fc33b6d7baae02201dbd2
      Size/MD5 checksum:   412188 ad9537e93ed3fb61f9348470940f3ce5
      Size/MD5 checksum:   296592 e689b1c4b6bd7779e44d1cd641be9622
      Size/MD5 checksum:   253786 287a98ca57139d4dee8041eba2881e3b

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:   713260 f1d4002e7b6d185ff9f46bc25d67c4c9
      Size/MD5 checksum:   223170 cb00f76d826be115243faa9dfd0b8a91
      Size/MD5 checksum:   269796 40762e686138c27ac92b20174e67012e
      Size/MD5 checksum:   385848 0294d7e3e1d6b37532f98344a9849cde

arm architecture (ARM)

      Size/MD5 checksum:   686154 fbe32c7124ba2ce093b31f46736e002b
      Size/MD5 checksum:   357158 0d793d543a33cfa192098234c925d639
      Size/MD5 checksum:   242196 1cfc9f7dc6a7cd0843aa234bab35b69e
      Size/MD5 checksum:   205120 39ab4dfbc19c8a63affc493e0b5aaf2d

armel architecture (ARM EABI)

      Size/MD5 checksum:   684568 325686fbc2fba7687da424ada57b9419
      Size/MD5 checksum:   209992 69f6a68fb90658ec74dfd7cc7cc0b766
      Size/MD5 checksum:   236564 a48afca5c6798d16b140b3362dfac0ca
      Size/MD5 checksum:   353814 76960109910d6de2f74ec0e345f00854

i386 architecture (Intel ia32)

      Size/MD5 checksum:   254452 a34af74eda0feb2b763cfc6f5b8330c1
      Size/MD5 checksum:   371586 ec294ffffeb9ddec389e3e988d880534
      Size/MD5 checksum:   198558 3283ad058d37eed8bca46df743c6a915
      Size/MD5 checksum:   684624 014d335b35ed41022adb628796a0c122

ia64 architecture (Intel ia64)

      Size/MD5 checksum:   332160 2dbb364f09414e4b0e0f59d9e91d1edc
      Size/MD5 checksum:   876692 2f6d3421d6c8424523388347c5640666
      Size/MD5 checksum:   531496 5dd7755f63271f597b64c3f513e8e7f1
      Size/MD5 checksum:   415934 ea2ba16157b3504d8b9c8f251b69b16f

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:   717022 9ee8c246af10f4bf7cdf5cdc54010dd6
      Size/MD5 checksum:   213212 3641ad81738e8935c5df2b648383c8e0
      Size/MD5 checksum:   369018 18559e273ffcea5614e71ab32b95ef47
      Size/MD5 checksum:   253924 1be1e224f27a780beb6799d55fa74663

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:   369772 6181d98166fe1f004fb033f2665ce4af
      Size/MD5 checksum:   214802 6edbec67ff79e96921d1fe4bf57b0fce
      Size/MD5 checksum:   712502 4a99ccc68b1913f88901c5e0686fea4f
      Size/MD5 checksum:   254212 e30825a94175fd78a561b8365392cbad

powerpc architecture (PowerPC)

      Size/MD5 checksum:   262804 d35ced8ba625f39dc7a04e3e61e0d49d
      Size/MD5 checksum:   233882 6e294c19dd0109ee80fe6cd401b6a185
      Size/MD5 checksum:   378612 c96a180e7132c543396486b14107cdad
      Size/MD5 checksum:   708212 9602a7786b2ebffd1d75d443901574c5

s390 architecture (IBM S/390)

      Size/MD5 checksum:   225190 393c9515f7cd89bcd8b0c38d6d6dd7ac
      Size/MD5 checksum:   384160 4e20bc56e5fc65fb08529d8765d28850
      Size/MD5 checksum:   698798 f589b6b8882d998bb7b89fa1dfa40b3a
      Size/MD5 checksum:   268272 7b6511b9ad657aa165e906a4fcbfee11

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:   200078 29c1833cbde5b4da5c2e35aaf856ab58
      Size/MD5 checksum:   235424 e64a8fc3b744253b22161e31fbb6e92a
      Size/MD5 checksum:   352544 a7f480889460b104bbab16fd8d8da2d5
      Size/MD5 checksum:   676520 6d0f57a5bd6457a9b9b85271c7001531


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:  dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Debian: DSA-2105-1: New freetype packages fix several vulnerabilities

September 7, 2010

Several vulnerabilities have been discovered in the FreeType font library

Summary

Several vulnerabilities have been discovered in the FreeType font
library. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2010-1797

Multiple stack-based buffer overflows in the
cff_decoder_parse_charstrings function in the CFF Type2 CharStrings
interpreter in cff/cffgload.c in FreeType allow remote attackers to
execute arbitrary code or cause a denial of service (memory
corruption) via crafted CFF opcodes in embedded fonts in a PDF
document, as demonstrated by JailbreakMe.

CVE-2010-2541

Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType
allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted font file.

CVE-2010-2805

The FT_Stream_EnterFrame function in base/ftstream.c in FreeType does
not properly validate certain position values, which allows remote
attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted font file

CVE-2010-2806

Array index error in the t42_parse_sfnts function in
type42/t42parse.c in FreeType allows remote attackers to cause a
denial of service (application crash) or possibly execute arbitrary
code via negative size values for certain strings in FontType42 font
files, leading to a heap-based buffer overflow.

CVE-2010-2807

FreeType uses incorrect integer data types during bounds checking,
which allows remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted
font file.

CVE-2010-2808

Buffer overflow in the Mac_Read_POST_Resource function in
base/ftobjs.c in FreeType allows remote attackers to cause a denial
of service (memory corruption and application crash) or possibly
execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka
LWFN) font.

CVE-2010-3053

bdf/bdflib.c in FreeType allows remote attackers to cause a denial of
service (application crash) via a crafted BDF font file, related to
an attempted modification of a value in a static string.

For the stable distribution (lenny), these problems have been fixed in
version 2.3.7-2+lenny3

For the unstable distribution (sid) and the testing distribution
(squeeze), these problems have been fixed in version 2.4.2-1

We recommend that you upgrade your freetype package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

Size/MD5 checksum: 39230 95a3841e7258573ca2d3e0075b8e7f73
Size/MD5 checksum: 1567540 c1a9f44fde316470176fd6d66af3a0e8
Size/MD5 checksum: 1219 2a2bf3d4568d92e2a48ebcda38140e73

alpha architecture (DEC Alpha)

Size/MD5 checksum: 775278 2f2ca060588fc33b6d7baae02201dbd2
Size/MD5 checksum: 412188 ad9537e93ed3fb61f9348470940f3ce5
Size/MD5 checksum: 296592 e689b1c4b6bd7779e44d1cd641be9622
Size/MD5 checksum: 253786 287a98ca57139d4dee8041eba2881e3b

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 713260 f1d4002e7b6d185ff9f46bc25d67c4c9
Size/MD5 checksum: 223170 cb00f76d826be115243faa9dfd0b8a91
Size/MD5 checksum: 269796 40762e686138c27ac92b20174e67012e
Size/MD5 checksum: 385848 0294d7e3e1d6b37532f98344a9849cde

arm architecture (ARM)

Size/MD5 checksum: 686154 fbe32c7124ba2ce093b31f46736e002b
Size/MD5 checksum: 357158 0d793d543a33cfa192098234c925d639
Size/MD5 checksum: 242196 1cfc9f7dc6a7cd0843aa234bab35b69e
Size/MD5 checksum: 205120 39ab4dfbc19c8a63affc493e0b5aaf2d

armel architecture (ARM EABI)

Size/MD5 checksum: 684568 325686fbc2fba7687da424ada57b9419
Size/MD5 checksum: 209992 69f6a68fb90658ec74dfd7cc7cc0b766
Size/MD5 checksum: 236564 a48afca5c6798d16b140b3362dfac0ca
Size/MD5 checksum: 353814 76960109910d6de2f74ec0e345f00854

i386 architecture (Intel ia32)

Size/MD5 checksum: 254452 a34af74eda0feb2b763cfc6f5b8330c1
Size/MD5 checksum: 371586 ec294ffffeb9ddec389e3e988d880534
Size/MD5 checksum: 198558 3283ad058d37eed8bca46df743c6a915
Size/MD5 checksum: 684624 014d335b35ed41022adb628796a0c122

ia64 architecture (Intel ia64)

Size/MD5 checksum: 332160 2dbb364f09414e4b0e0f59d9e91d1edc
Size/MD5 checksum: 876692 2f6d3421d6c8424523388347c5640666
Size/MD5 checksum: 531496 5dd7755f63271f597b64c3f513e8e7f1
Size/MD5 checksum: 415934 ea2ba16157b3504d8b9c8f251b69b16f

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 717022 9ee8c246af10f4bf7cdf5cdc54010dd6
Size/MD5 checksum: 213212 3641ad81738e8935c5df2b648383c8e0
Size/MD5 checksum: 369018 18559e273ffcea5614e71ab32b95ef47
Size/MD5 checksum: 253924 1be1e224f27a780beb6799d55fa74663

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 369772 6181d98166fe1f004fb033f2665ce4af
Size/MD5 checksum: 214802 6edbec67ff79e96921d1fe4bf57b0fce
Size/MD5 checksum: 712502 4a99ccc68b1913f88901c5e0686fea4f
Size/MD5 checksum: 254212 e30825a94175fd78a561b8365392cbad

powerpc architecture (PowerPC)

Size/MD5 checksum: 262804 d35ced8ba625f39dc7a04e3e61e0d49d
Size/MD5 checksum: 233882 6e294c19dd0109ee80fe6cd401b6a185
Size/MD5 checksum: 378612 c96a180e7132c543396486b14107cdad
Size/MD5 checksum: 708212 9602a7786b2ebffd1d75d443901574c5

s390 architecture (IBM S/390)

Size/MD5 checksum: 225190 393c9515f7cd89bcd8b0c38d6d6dd7ac
Size/MD5 checksum: 384160 4e20bc56e5fc65fb08529d8765d28850
Size/MD5 checksum: 698798 f589b6b8882d998bb7b89fa1dfa40b3a
Size/MD5 checksum: 268272 7b6511b9ad657aa165e906a4fcbfee11

sparc architecture (Sun SPARC/UltraSPARC)

Size/MD5 checksum: 200078 29c1833cbde5b4da5c2e35aaf856ab58
Size/MD5 checksum: 235424 e64a8fc3b744253b22161e31fbb6e92a
Size/MD5 checksum: 352544 a7f480889460b104bbab16fd8d8da2d5
Size/MD5 checksum: 676520 6d0f57a5bd6457a9b9b85271c7001531

These files will probably be moved into the stable distribution on
its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/