CVE-2007-2754 - Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote atta

CVE-2007-2754

Summary

Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.

References

Vulnerable Configurations

cpe:2.3:a:freetype:freetype:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.0:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.0:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.1:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.1:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.1:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.1:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.2:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.2:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.2:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.2:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.3:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.3:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.3:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.3:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.3:rc2:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.3:rc2:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.3:rc3:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.3:rc3:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.4:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.4:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.4:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.4:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.4:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.4:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.4:rc2:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.4:rc2:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.5:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.5:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.5:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.5:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.5:rc2:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.5:rc2:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.6:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.6:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.7:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.7:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.8:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.8:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.8:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.8:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.8:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.8:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.8_rc1:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.8_rc1:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.9:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.9:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.10:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.1.10:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2.0:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2.0:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2.0:rc2:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2.0:rc2:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2.0:rc3:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2.0:rc3:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2.0:rc4:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2.0:rc4:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.0:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.0:-:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.0:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.0:rc1:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.0:rc2:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.0:rc2:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:freetype:freetype:2.3.4:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 13-02-2023 - 02:17)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

oval via4

accepted

2013-04-29T04:13:15.770-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651
comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:11325

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

accepted

2008-02-25T04:00:11.261-05:00

class

vulnerability

contributors

name	Nicholas Hansen
organization	Hewlett-Packard

definition_extensions

comment Solaris 8 (SPARC) is installed
oval oval:org.mitre.oval:def:1539
comment Solaris 9 (SPARC) is installed
oval oval:org.mitre.oval:def:1457
comment Solaris 10 (SPARC) is installed
oval oval:org.mitre.oval:def:1440
comment Solaris 8 (x86) is installed
oval oval:org.mitre.oval:def:2059
comment Solaris 9 (x86) is installed
oval oval:org.mitre.oval:def:1683
comment Solaris 10 (x86) is installed
oval oval:org.mitre.oval:def:1926

description

family

unix

oval:org.mitre.oval:def:5532

status

accepted

submitted

2008-01-09T07:41:41.000-05:00

title

Security Vulnerability in FreeType 2 Font Engine May Allow Privilege Escalation Due to Heap Overflow

version

redhat via4

advisories

bugzilla

id	240200
title	CVE-2007-2754 freetype integer overflow

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025

AND
comment freetype is earlier than 0:2.1.9-6.el4
oval oval:com.redhat.rhsa:tst:20070403001
comment freetype is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060500002
AND
comment freetype-demos is earlier than 0:2.1.9-6.el4
oval oval:com.redhat.rhsa:tst:20070403003
comment freetype-demos is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060500004
AND
comment freetype-devel is earlier than 0:2.1.9-6.el4
oval oval:com.redhat.rhsa:tst:20070403005
comment freetype-devel is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060500006
AND
comment freetype-utils is earlier than 0:2.1.9-6.el4
oval oval:com.redhat.rhsa:tst:20070403007
comment freetype-utils is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060500008

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND
comment freetype is earlier than 0:2.2.1-19.el5
oval oval:com.redhat.rhsa:tst:20070403010
comment freetype is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070150011

AND

comment freetype-demos is earlier than 0:2.2.1-19.el5
oval oval:com.redhat.rhsa:tst:20070403012
comment freetype-demos is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070150013

AND

comment freetype-devel is earlier than 0:2.2.1-19.el5
oval oval:com.redhat.rhsa:tst:20070403014
comment freetype-devel is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070150015

rhsa

id	RHSA-2007:0403
released	2007-06-11
severity	Moderate
title	RHSA-2007:0403: freetype security update (Moderate)

rhsa
id RHSA-2009:0329
rhsa
id RHSA-2009:1062

rpms

freetype-0:2.0.3-10.el21
freetype-0:2.1.4-7.el3
freetype-0:2.1.9-6.el4
freetype-0:2.2.1-19.el5
freetype-debuginfo-0:2.1.4-7.el3
freetype-debuginfo-0:2.1.9-6.el4
freetype-debuginfo-0:2.2.1-19.el5
freetype-demos-0:2.1.9-6.el4
freetype-demos-0:2.2.1-19.el5
freetype-devel-0:2.0.3-10.el21
freetype-devel-0:2.1.4-7.el3
freetype-devel-0:2.1.9-6.el4
freetype-devel-0:2.2.1-19.el5
freetype-utils-0:2.0.3-10.el21
freetype-utils-0:2.1.9-6.el4
freetype-0:2.1.4-12.el3
freetype-0:2.1.9-10.el4.7
freetype-debuginfo-0:2.1.4-12.el3
freetype-debuginfo-0:2.1.9-10.el4.7
freetype-demos-0:2.1.9-10.el4.7
freetype-devel-0:2.1.4-12.el3
freetype-devel-0:2.1.9-10.el4.7
freetype-utils-0:2.1.9-10.el4.7
freetype-0:2.0.3-17.el21
freetype-devel-0:2.0.3-17.el21
freetype-utils-0:2.0.3-17.el21

refmap via4

apple	APPLE-SA-2007-11-14 APPLE-SA-2009-05-12
bid	24074
bugtraq	20070524 FLEA-2007-0020-1: freetype 20070613 FLEA-2007-0025-1: openoffice.org
cert	TA09-133A
confirm	http://cvs.savannah.nongnu.org/viewvc/freetype2/src/truetype/ttgload.c?root=freetype&r1=1.177&r2=1.178 http://support.apple.com/kb/HT3549 http://support.avaya.com/elmodocs2/security/ASA-2007-330.htm https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240200 https://bugzilla.redhat.com/show_bug.cgi?id=502565 https://issues.rpath.com/browse/RPL-1390
debian	DSA-1302 DSA-1334
fedora	FEDORA-2009-5558 FEDORA-2009-5644
gentoo	GLSA-200705-22 GLSA-200707-02 GLSA-200805-07
mandriva	MDKSA-2007:121
mlist	[ft-devel] 20070427 Bug in fuzzed TTF file
openpkg	OpenPKG-SA-2007.018
osvdb	36509
sectrack	1018088
secunia	25350 25353 25386 25463 25483 25609 25612 25654 25705 25808 25894 25905 26129 26305 28298 30161 35074 35200 35204 35233
sgi	20070602-01-P
sunalert	102967 103171 200033
suse	SUSE-SA:2007:041
trustix	2007-0019
ubuntu	USN-466-1
vupen	ADV-2007-1894 ADV-2007-2229 ADV-2008-0049 ADV-2009-1297

Last major update

13-02-2023 - 02:17

Published

17-05-2007 - 22:30

Last modified

13-02-2023 - 02:17