Vulnerability Note VU#275247

FreeType 2 CFF font stack corruption vulnerability

Original Release date: 05 Aug 2010 | Last revised: 14 Sep 2010

Overview

FreeType 2 contains a vulnerability in the processing of CFF fonts, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

FreeType is a font engine that opens and processes font files. FreeType 2 handles a number of font formats, including Compact Font Format (CFF). FreeType is used by many applications, including PDF readers and web browsers. FreeType 2 contains a flaw in the handling of some CFF opcodes that can corrupt the stack, which can allow arbitrary code execution.
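The note does not say which opcodes are mishandled, so the following is an added illustration of the defensive pattern for this bug class rather than FreeType's own code or its fix: a small CFF Type 2 charstring checker whose operand stack is a fixed array of 48 entries (the spec limit) and whose every push, pop and operand read is bounds-checked, so a malformed charstring returns an error instead of writing outside the array. The operator subset (rmoveto, rlineto, endchar), the simplified operand-count rules and the sample charstrings are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#define T2_MAX_OPERANDS 48   /* operand stack limit from the Type 2 charstring spec */
enum { T2_OK = 0, T2_E_OVERFLOW = -1, T2_E_UNDERFLOW = -2, T2_E_TRUNCATED = -3, T2_E_BADOP = -4 };
typedef struct { int32_t v[T2_MAX_OPERANDS]; size_t top; } t2_stack;

/* Every push is bounds-checked: a charstring that pushes a 49th operand gets an
 * error code back instead of writing past the fixed-size operand array. */
static int t2_push(t2_stack *s, int32_t x) {
    if (s->top >= T2_MAX_OPERANDS) return T2_E_OVERFLOW;
    s->v[s->top++] = x;
    return T2_OK;
}
/* Operators consume operands and clear the stack; refuse if too few were pushed. */
static int t2_take_min(t2_stack *s, size_t min) {
    if (s->top < min) return T2_E_UNDERFLOW;
    s->top = 0;
    return T2_OK;
}
/* Decodes one Type 2 numeric operand at cs[*i] (first byte is 28, 32..254 or 255). */
static int t2_read_number(const uint8_t *cs, size_t len, size_t *i, int32_t *out) {
    uint8_t b0 = cs[(*i)++];
    if (b0 >= 32 && b0 <= 246) { *out = (int32_t)b0 - 139; return T2_OK; }
    if (b0 >= 247 && b0 <= 250) { if (*i >= len) return T2_E_TRUNCATED; *out = ((int32_t)b0 - 247) * 256 + cs[(*i)++] + 108; return T2_OK; }
    if (b0 >= 251 && b0 <= 254) { if (*i >= len) return T2_E_TRUNCATED; *out = -((int32_t)b0 - 251) * 256 - cs[(*i)++] - 108; return T2_OK; }
    if (b0 == 28) { if (*i + 2 > len) return T2_E_TRUNCATED; *out = (int16_t)((cs[*i] << 8) | cs[*i + 1]); *i += 2; return T2_OK; }
    if (*i + 4 > len) return T2_E_TRUNCATED;   /* 255: 16.16 fixed; the integer part is kept */
    *out = (int16_t)((cs[*i] << 8) | cs[*i + 1]); *i += 4; return T2_OK;
}
/* Validates a charstring built from rmoveto(21), rlineto(5) and endchar(14);
 * operand-count rules are simplified (at least two operands, then clear). */
int t2_validate(const uint8_t *cs, size_t len) {
    t2_stack st = { {0}, 0 }; size_t i = 0;
    while (i < len) {
        uint8_t b0 = cs[i]; int rc;
        if (b0 == 28 || b0 >= 32) { int32_t n; if ((rc = t2_read_number(cs, len, &i, &n)) == T2_OK) rc = t2_push(&st, n); }
        else if (b0 == 14) return T2_OK;
        else { i++; rc = (b0 == 21 || b0 == 5) ? t2_take_min(&st, 2) : T2_E_BADOP; }
        if (rc != T2_OK) return rc;
    }
    return T2_E_TRUNCATED;   /* ran off the end without endchar */
}
/* Constructed samples: a well-formed glyph, and one that pushes 49 operands before endchar. */
int t2_sample_result(int overflow_case) {
    static const uint8_t good[] = { 149, 159, 21, 144, 144, 5, 14 };  /* 10 20 rmoveto 5 5 rlineto endchar */
    uint8_t bad[50];
    for (size_t k = 0; k < 49; k++) bad[k] = 139;   /* 49 copies of the operand 0 */
    bad[49] = 14;
    return overflow_case ? t2_validate(bad, sizeof bad) : t2_validate(good, sizeof good);
}
```

A parser that instead indexes the operand array with an unchecked counter is exactly the shape of bug the note describes; the checks above are what a reviewer should look for in any charstring interpreter.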

This vulnerability is being used in the iPhone PDF JailBreak exploit.

Impact

By causing an application that uses FreeType to parse a specially-crafted CFF font, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. This can occur as the result of opening a PDF document or viewing a web page.

Solution

Apply an update
This vulnerability is fixed in the FreeType source tree. Please check with your vendor for an update.

Vendor Information

Vendor                      Status        Date Notified   Date Updated
Apple Inc.                  Affected      04 Aug 2010     11 Aug 2010
Debian GNU/Linux            Affected      10 Aug 2010     11 Aug 2010
F5 Networks, Inc.           Affected      10 Aug 2010     11 Aug 2010
Foxit Software Company      Affected      06 Aug 2010     06 Aug 2010
Gentoo Linux                Affected      10 Aug 2010     11 Aug 2010
Red Hat, Inc.               Affected      -               05 Aug 2010
SUSE Linux                  Affected      10 Aug 2010     10 Sep 2010
Wind River Systems, Inc.    Affected      10 Aug 2010     11 Aug 2010
Google                      Not Affected  10 Sep 2010     14 Sep 2010
Juniper Networks, Inc.      Not Affected  10 Aug 2010     23 Aug 2010
Openwall GNU/*/Linux        Not Affected  10 Aug 2010     23 Aug 2010
Conectiva Inc.              Unknown       10 Aug 2010     10 Aug 2010
Cray Inc.                   Unknown       10 Aug 2010     10 Aug 2010
DragonFly BSD Project       Unknown       10 Aug 2010     10 Aug 2010
EMC Corporation             Unknown       10 Aug 2010     10 Aug 2010

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

References

Credit

This vulnerability was discovered being exploited in the wild. Additional analysis was performed by Braden Thomas of Apple Product Security.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2010-1797
  • Date Public: 02 Aug 2010
  • Date First Published: 05 Aug 2010
  • Date Last Updated: 14 Sep 2010
  • Severity Metric: 13.39
  • Document Revision: 29

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.