Note: This is an archival copy of Security Sun Alert 200033 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000028.1.
Article ID : 1000028.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2008-01-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in FreeType 2 Font Engine May Allow Privilege Escalation Due to Heap Overflow


Release Phase

Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id

Date of Resolved Release


An integer overflow leading to a heap overflow vulnerability in the FreeType 2 Font Engine, which is shipped with Solaris, may affect applications that make use of this library. Depending on the application, this may allow a local or remote unprivileged user to crash the application using FreeType (which is a type of Denial of Service), or to execute arbitrary code with the privileges of the application.

This issue is described in the following document:

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 124420-03
  • Solaris 9 without patch 116105-08
  • Solaris 10 without patch 119812-05

x86 Platform

  • Solaris 8 without patch 124421-03
  • Solaris 9 without patch 116106-07
  • Solaris 10 without patch 119813-07

To determine if an application is linked with the libfreetype library, the ldd(1) utility can be utilized as in the following example:

    $ ldd /usr/bin/gedit | grep libfreetype
     =>      /usr/sfw/lib/

Note: Applications which don't list the FreeType library as a dynamic dependency in the ldd(1) output may open the library during process execution using functions such as dlopen(3C) and therefore may still be impacted.


If the described issue is exploited to cause a Denial of Service (DoS) to an application which links to the libfreetype library, the application will exit and may generate an error message about a Segmentation Fault, potentially writing a core(4) file. There are no predictable symptoms that would indicate the issue has been exploited to execute arbitrary code with elevated privileges.


There is no workaround for this issue. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 124420-03 or later
  • Solaris 9 with patch 116105-08 or later
  • Solaris 10 with patch 119812-05 or later

x86 Platform

  • Solaris 8 with patch 124421-03 or later
  • Solaris 9 with patch 116106-07 or later
  • Solaris 10 with patch 119813-07 or later
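The patch levels in the lists above can be checked mechanically. The following is an added example, not part of the original Sun Alert: it assumes `showrev -p` output in its usual `Patch: <id>-<rev> ...` form on stdin and the `uname -p` / `uname -r` values as arguments; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Minimum fixed patch per platform, copied from this alert.
# $1 = `uname -p` (sparc|i386), $2 = `uname -r` (5.8|5.9|5.10)
required_patch() {
    case "$1:$2" in
        sparc:5.8)  echo 124420-03 ;;
        sparc:5.9)  echo 116105-08 ;;
        sparc:5.10) echo 119812-05 ;;
        i386:5.8)   echo 124421-03 ;;
        i386:5.9)   echo 116106-07 ;;
        i386:5.10)  echo 119813-07 ;;
        *) return 1 ;;
    esac
}

# Reads `showrev -p` style lines on stdin.
# Returns 0 = fixed revision (or later) installed, 1 = not installed,
# 2 = platform/release not covered by this alert.
freetype_fix_installed() {
    req=$(required_patch "$1" "$2") || return 2
    base=${req%-*}
    minrev=${req#*-}
    awk -v base="$base" -v minrev="$minrev" '
        $1 == "Patch:" {
            split($2, p, "-")
            # Compare revisions numerically so that 10 ranks above 08.
            if (p[1] == base && p[2] + 0 >= minrev + 0) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample input (not from a real host): revision -02 is older
# than the required 119812-05.
SAMPLE_SHOWREV='Patch: 119812-02 Obsoletes:  Requires:  Incompatibles:  Packages: PKGexample
Patch: 100000-01 Obsoletes:  Requires:  Incompatibles:  Packages: PKGother'

if printf '%s\n' "$SAMPLE_SHOWREV" | freetype_fix_installed sparc 5.10; then
    echo "sample host: FreeType fix installed"
else
    echo "sample host: FreeType fix missing"
fi
# On a Solaris host:
#   showrev -p | freetype_fix_installed "$(uname -p)" "$(uname -r)"
```

A patch that supersedes one of these under a different patch ID is not recognised by this check.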


