Ubuntu 11.10: USN-1403-1 Critical FreeType Remote Code Execution
Mar 23, 2012
•
LinuxSecurity Advisories
3 - 6 min read
Topics Covered
FreeType could be made to crash or run programs as your login if it opened aspecially crafted font file.
=========================================================================Ubuntu Security Notice USN-1403-1 March 23, 2012 freetype vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS - Ubuntu 8.04 LTS Summary: FreeType could be made to crash or run programs as your login if it opened a specially crafted font file. Software Description: - freetype: FreeType 2 is a font engine library Details: Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed BDF font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1126) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed BDF font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1127) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed TrueType font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1128) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed Type42 font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1129) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed PCF font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1130) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed TrueType font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1131) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed Type1 font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1132) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed BDF font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges. (CVE-2012-1133) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed Type1 font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges. (CVE-2012-1134) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed TrueType font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1135) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed BDF font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges. (CVE-2012-1136) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed BDF font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1137) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed TrueType font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1138) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed BDF font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1139) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed PostScript font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1140) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed BDF font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1141) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed Windows FNT/FON font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1142) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash. (CVE-2012-1143) Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed TrueType font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges. (CVE-2012-1144) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: libfreetype6 2.4.4-2ubuntu1.2 Ubuntu 11.04: libfreetype6 2.4.4-1ubuntu2.3 Ubuntu 10.10: libfreetype6 2.4.2-2ubuntu0.4 Ubuntu 10.04 LTS: libfreetype6 2.3.11-1ubuntu2.6 Ubuntu 8.04 LTS: libfreetype6 2.3.5-1ubuntu4.8.04.9 After a standard system update you need to restart your session to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-1403-1 CVE-2012-1126, CVE-2012-1127, CVE-2012-1128, CVE-2012-1129, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1133, CVE-2012-1134, CVE-2012-1135, CVE-2012-1136, CVE-2012-1137, CVE-2012-1138, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1142, CVE-2012-1143, CVE-2012-1144 Package Information: https://launchpad.net/ubuntu/+source/freetype/2.4.4-2ubuntu1.2 https://launchpad.net/ubuntu/+source/freetype/2.4.4-1ubuntu2.3 https://launchpad.net/ubuntu/+source/freetype/2.4.2-2ubuntu0.4 https://launchpad.net/ubuntu/+source/freetype/2.3.11-1ubuntu2.6 https://launchpad.net/ubuntu/+source/freetype/2.3.5-1ubuntu4.8.04.9
PREVIOUS
NEXT
Ubuntu 11.10: USN-1403-1 Critical FreeType Remote Code Execution
ubuntu
March 23, 2012
FreeType could be made to crash or run programs as your login if it opened aspecially crafted font file.
Summary
Topics Covered
Update Instructions
The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: libfreetype6 2.4.4-2ubuntu1.2 Ubuntu 11.04: libfreetype6 2.4.4-1ubuntu2.3 Ubuntu 10.10: libfreetype6 2.4.2-2ubuntu0.4 Ubuntu 10.04 LTS: libfreetype6 2.3.11-1ubuntu2.6 Ubuntu 8.04 LTS: libfreetype6 2.3.5-1ubuntu4.8.04.9 After a standard system update you need to restart your session to make all the necessary changes.
References
https://ubuntu.com/security/notices/USN-1403-1
CVE-2012-1126, CVE-2012-1127, CVE-2012-1128, CVE-2012-1129,
CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1133,
CVE-2012-1134, CVE-2012-1135, CVE-2012-1136, CVE-2012-1137,
CVE-2012-1138, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141,
CVE-2012-1142, CVE-2012-1143, CVE-2012-1144
Severity
critical
Lowest
Low
Medium
High
Critical
March 23, 2012
Topics Covered
Package Information
https://launchpad.net/ubuntu/+source/freetype/2.4.4-2ubuntu1.2 https://launchpad.net/ubuntu/+source/freetype/2.4.4-1ubuntu2.3 https://launchpad.net/ubuntu/+source/freetype/2.4.2-2ubuntu0.4 https://launchpad.net/ubuntu/+source/freetype/2.3.11-1ubuntu2.6 https://launchpad.net/ubuntu/+source/freetype/2.3.5-1ubuntu4.8.04.9
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!