Note: This is an archival copy of Security Sun Alert 200033 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000028.1.
Category: Security
Release Phase: Resolved
Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System
Bug Id: 6589553
Date of Resolved Release: 06-JAN-2008

Impact

An integer overflow leading to a heap overflow vulnerability in the FreeType 2 Font Engine, which is shipped with Solaris, may affect applications that make use of this library. Depending on the application, this may allow a local or remote unprivileged user to crash the application using FreeType (which is a type of Denial of Service), or to execute arbitrary code with the privileges of the application.

This issue is described in the following document:

Contributing Factors

This issue can occur in the following releases:

SPARC Platform
x86 Platform

To determine if an application is linked with the libfreetype library, the ldd(1) utility can be utilized as in the following example:

    $ ldd /usr/bin/gedit | grep libfreetype
    libfreetype.so.6 => /usr/sfw/lib/libfreetype.so.6

Note: Applications which don't list the FreeType library as a dynamic dependency in the ldd(1) output may open the library during process execution using functions such as dlopen(3C) and therefore may still be impacted.

Symptoms

If the described issue is exploited to cause a Denial of Service (DoS) to an application which links to the libfreetype library, the application will exit and may generate an error message about a Segmentation Fault, potentially writing a core(4) file.

There are no predictable symptoms that would indicate the issue has been exploited to execute arbitrary code with elevated privileges.

Workaround

There is no workaround for this issue. Please see the "Resolution" section below.

Resolution

This issue is addressed in the following releases:

SPARC Platform
x86 Platform

References

124420-03
119812-05
124421-03
116106-07
119813-07

Attachments

This solution has no attachment
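
The ldd(1) check in the Contributing Factors section only sees link-time dependencies. The script below is an added example, not part of the original Sun Alert: it applies that check to whole directories and also runs pldd(1) against running processes, which lists libraries opened with dlopen(3C) as well. The function names, the AWK variable and the script file name are assumptions; it expects a POSIX shell (ksh or /usr/xpg4/bin/sh on Solaris) and needs privileges to inspect other users' processes.

```sh
#!/bin/sh
# Added example, not from the Sun Alert: list programs that use libfreetype.
# Hypothetical usage: sh freetype-users.sh /usr/bin /usr/sfw/bin
AWK=${AWK:-awk}    # assumption: set AWK=nawk on Solaris

# Read ldd(1) output on stdin and print the resolved libfreetype path.
# Exit status is 0 when the library is listed, 1 otherwise.
freetype_from_ldd() {
    "$AWK" '$1 ~ /^libfreetype\.so/ && $2 == "=>" { print $3; hit = 1 }
            END { exit !hit }'
}

# Read pldd(1) output on stdin (one loaded object path per line, after a
# "pid: command" header) and print any libfreetype path. Same exit status.
freetype_from_pldd() {
    "$AWK" '$0 ~ "/libfreetype\\.so[^/]*$" { print $NF; hit = 1 }
            END { exit !hit }'
}

# Link-time check: every executable regular file in the given directories.
scan_binaries() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            lib=$(ldd "$f" 2>/dev/null | freetype_from_ldd) &&
                echo "linked   $f -> $lib"
        done
    done
    return 0
}

# Run-time check: catches processes that loaded the library via dlopen(3C).
scan_processes() {
    for p in /proc/[0-9]*; do
        pid=$(basename "$p")
        lib=$(pldd "$pid" 2>/dev/null | freetype_from_pldd) &&
            echo "loaded   pid $pid -> $lib"
    done
    return 0
}

# Scan only when directories are given on the command line.
if [ "$#" -gt 0 ]; then
    scan_binaries "$@"
    scan_processes
fi
```

A process reported as "loaded" but not "linked" is one that opened the library at run time; it has to be restarted after patching like any other user of the library.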