Note: This is an archival copy of Security Sun Alert 200033 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000028.1.
Article ID : 1000028.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2008-01-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in FreeType 2 Font Engine May Allow Privilege Escalation Due to Heap Overflow
Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6589553

Date of Resolved Release
06-JAN-2008

Impact

An integer overflow leading to a heap overflow vulnerability in the FreeType 2 Font Engine, which is shipped with Solaris, may affect applications that make use of this library. Depending on the application, this may allow a local or remote unprivileged user to crash the application using FreeType (which is a type of Denial of Service), or to execute arbitrary code with the privileges of the application.

This issue is described in the following document:


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 124420-03
  • Solaris 9 without patch 116105-08
  • Solaris 10 without patch 119812-05

x86 Platform

  • Solaris 8 without patch 124421-03
  • Solaris 9 without patch 116106-07
  • Solaris 10 without patch 119813-07

To determine if an application is linked with the libfreetype library, the ldd(1) utility can be utilized as in the following example:

    $ ldd /usr/bin/gedit | grep libfreetype
    libfreetype.so.6 =>      /usr/sfw/lib/libfreetype.so.6

Note: Applications which don't list the FreeType library as a dynamic dependency in the ldd(1) output may open the library during process execution using functions such as dlopen(3C) and therefore may still be impacted.
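As an added example that is not part of the Sun Alert, the following POSIX shell functions automate the ldd(1) check above and, for the dlopen(3C) case the note describes, inspect running processes with pldd(1), which lists the objects actually mapped into a process; the binary list, the /proc layout and the availability of pldd(1) are assumptions.

```shell
#!/bin/sh
# Added example, not from the Sun Alert: find applications that depend on
# libfreetype, both as a link-time dependency (ldd) and at runtime (pldd).

# has_freetype_dep OUTPUT: given ldd(1)-style output as its argument, print
# the resolved libfreetype path(s) and return 0; return 1 if none is listed.
# A "(file not found)" entry is reported as such rather than as a path.
has_freetype_dep() {
    printf '%s\n' "$1" | awk '
        /libfreetype/ {
            found = 1
            if (/not found/) print "(file not found)"; else print $NF
        }
        END { exit !found }'
}

# check_binary PATH: run ldd(1) on PATH and report the result.
# Returns 0 if libfreetype is a dependency, 1 if not, 2 if ldd failed.
check_binary() {
    bin=$1
    out=$(ldd "$bin" 2>/dev/null) || {
        echo "$bin: not a dynamic executable or unreadable"; return 2; }
    if libs=$(has_freetype_dep "$out"); then
        echo "$bin: links libfreetype ($libs)"
        return 0
    fi
    echo "$bin: no libfreetype in ldd output (dlopen(3C) still possible)"
    return 1
}

# check_running: list PIDs whose address space has libfreetype mapped,
# which also catches libraries opened with dlopen(3C). Assumes /proc
# exposes numeric PID directories and pldd(1) accepts a PID.
check_running() {
    for pid in $(ls /proc 2>/dev/null | grep '^[0-9][0-9]*$'); do
        if pldd "$pid" 2>/dev/null | grep -q libfreetype; then
            echo "pid $pid has libfreetype mapped"
        fi
    done
}

# Usage: check the binaries given on the command line (constructed list).
for b in "$@"; do check_binary "$b"; done
```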


Symptoms

If the described issue is exploited to cause a Denial of Service (DoS) to an application which links to the libfreetype library, the application will exit and may generate an error message about a Segmentation Fault, potentially writing a core(4) file. There are no predictable symptoms that would indicate the issue has been exploited to execute arbitrary code with elevated privileges.


Workaround

There is no workaround for this issue. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 124420-03 or later
  • Solaris 9 with patch 116105-08 or later
  • Solaris 10 with patch 119812-05 or later

x86 Platform

  • Solaris 8 with patch 124421-03 or later
  • Solaris 9 with patch 116106-07 or later
  • Solaris 10 with patch 119813-07 or later


References

124420-03
119812-05
124421-03
116106-07
119813-07
