Category: Security
Release Phase: Resolved
Bug Id: 6877323
Date of Preliminary Release: 26-Oct-2009
Date of Resolved Release: 11-Oct-2010
1. Impact
Multiple integer overflow vulnerabilities in the FreeType 2 Font
Library (libfreetype) may affect applications that make use of this
library. Depending on the application, these vulnerabilities may allow a
local or remote unprivileged user, through a specially crafted font
file, to crash the application, resulting in a Denial of Service (DoS),
or to execute arbitrary code with the privileges of the user running
that application.
These issues are also described in the following document CVE-2009-0946
at :
2. Contributing Factors
These issues can occur in the following releases:
SPARC Platform
- X11 6.4.1 (for Solaris 8) without patch 124420-05
- Solaris 9 without patch 116105-10
- Solaris 10 without patch 119812-07
- OpenSolaris based upon builds snv_01 through snv_123
x86 Platform
- X11 6.4.1 (for Solaris 8) without patch 124421-05
- Solaris 9 without patch 116106-09
- Solaris 10 without patch 119813-09
- OpenSolaris based upon builds snv_01 through snv_123
Note 1: To determine if FreeType 2 is installed on a system,
the following command can be run:
    $ pkginfo SUNWfreetype2
    system SUNWfreetype2 FreeType2 Font library
Note 2: To determine if an application is linked with the
libfreetype library, the ldd(1) utility can be used as in the
following example:
    $ ldd /usr/bin/gedit | grep libfreetype
    libfreetype.so.6 => /usr/sfw/lib/libfreetype.so.6
A comprehensive test to check if an application links with a
library such as libfreetype requires the use of pldd(1) against the
running application, since ldd(1) does not list any shared objects
explicitly attached using dlopen(3C). For example:
    $ pldd <process ID of application> | grep libfreetype
    /usr/sfw/lib/libfreetype.so.6
Note 3: OpenSolaris distributions may include additional bug
fixes above and beyond the build from which they were derived. To
determine the base build of OpenSolaris, the following command can be
used:
    $ uname -v
    snv_120
3. Symptoms
If the described issues are exploited to cause a Denial of Service
(DoS) to an application which links to the libfreetype library, the
application will exit and may generate an error message about a
Segmentation Fault, potentially writing a core(4) file.
There are no predictable symptoms that would indicate the issue has
been exploited to execute arbitrary code with elevated privileges.
4. Workaround
There is no workaround for these issues. Please see the "Resolution"
section below.
5. Resolution
These issues are addressed in the following releases:
SPARC Platform
- X11 6.4.1 (for Solaris 8) with patch 124420-05 or later
- Solaris 9 with patch 116105-10 or later
- Solaris 10 with patch 119812-07 or later
- OpenSolaris based upon builds snv_124 or later
x86 Platform
- X11 6.4.1 (for Solaris 8) with patch 124421-05 or later
- Solaris 9 with patch 116106-09 or later
- Solaris 10 with patch 119813-09 or later
- OpenSolaris based upon builds snv_124 or later
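An added example, not part of the original alert: a shell function that reads `showrev -p` output and reports whether a patch from the lists above is installed at the fixed revision or later. `showrev -p` is not mentioned in the alert; the example assumes its usual "Patch: <base>-<rev> ..." line format, the sample lines are constructed, and newer patches that obsolete the listed ones are not considered.

```sh
#!/bin/sh
# Added example (not from the Sun Alert). Reports whether a patch named in
# the alert is installed at the fixed revision or later.
# Real use on a Solaris host:  showrev -p | patch_status 119812-07
# Assumption: showrev -p prints lines starting "Patch: <base>-<rev> ...".
# Limitation: a newer patch that obsoletes the listed one is not detected.

# patch_status BASE-REV : read showrev -p output on stdin and print
#   PATCHED     highest installed revision of BASE is >= REV
#   VULNERABLE  BASE is installed, but only at a lower revision
#   ABSENT      BASE is not installed at any revision (vulnerable if BASE
#               is the patch for this host's release and platform)
patch_status() {
    awk -v base="${1%-*}" -v need="${1#*-}" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && (!found || p[2] + 0 > max)) {
                max = p[2] + 0
                found = 1
            }
        }
        END {
            if (!found)               print "ABSENT"
            else if (max >= need + 0) print "PATCHED"
            else                      print "VULNERABLE"
        }'
}

# Constructed sample input; these lines are not from a real system.
sample_showrev() {
    cat <<'EOF'
Patch: 119812-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWfreetype2
Patch: 119812-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWfreetype2
Patch: 116105-10 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWfreetype2
Patch: 000000-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
EOF
}

# Demo over the sample: check the SPARC patch IDs from the Resolution list.
for id in 124420-05 116105-10 119812-07; do
    printf '%s %s\n' "$id" "$(sample_showrev | patch_status "$id")"
done
```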
For more information on Security Sun Alerts, please see Technical
Instruction ID 1009886.1
Modification History
25-Feb-2010: Updated Contributing Factors and Resolution sections with
Solaris 10 patches
21-Oct-2010: Updated Contributing Factors and Resolution sections with
final patches, now Resolved
References
119812-07
119813-09
124420-05
124421-05
116105-10
116106-09