ID CVE-2011-0226
Summary Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.
References
Vulnerable Configurations
  • FreeType 2.4.4
    cpe:2.3:a:freetype:freetype:2.4.4
  • FreeType 2.4.3
    cpe:2.3:a:freetype:freetype:2.4.3
  • FreeType 2.4.2
    cpe:2.3:a:freetype:freetype:2.4.2
  • FreeType 2.4.1
    cpe:2.3:a:freetype:freetype:2.4.1
  • FreeType 2.4.0
    cpe:2.3:a:freetype:freetype:2.4.0
  • FreeType 2.3.9
    cpe:2.3:a:freetype:freetype:2.3.9
  • FreeType 2.3.10
    cpe:2.3:a:freetype:freetype:2.3.10
  • FreeType 2.3.11
    cpe:2.3:a:freetype:freetype:2.3.11
  • FreeType 2.3.12
    cpe:2.3:a:freetype:freetype:2.3.12
  • FreeType 2.3.8
    cpe:2.3:a:freetype:freetype:2.3.8
  • FreeType 2.3.7
    cpe:2.3:a:freetype:freetype:2.3.7
  • FreeType 2.3.6
    cpe:2.3:a:freetype:freetype:2.3.6
  • FreeType 2.3.5
    cpe:2.3:a:freetype:freetype:2.3.5
  • FreeType 2.3.4
    cpe:2.3:a:freetype:freetype:2.3.4
  • FreeType 2.3.3
    cpe:2.3:a:freetype:freetype:2.3.3
  • FreeType 2.3.2
    cpe:2.3:a:freetype:freetype:2.3.2
  • FreeType 2.3.1
    cpe:2.3:a:freetype:freetype:2.3.1
  • FreeType 2.3.0
    cpe:2.3:a:freetype:freetype:2.3.0
  • FreeType 2.2.1
    cpe:2.3:a:freetype:freetype:2.2.1
  • FreeType 2.2.10
    cpe:2.3:a:freetype:freetype:2.2.10
  • FreeType 2.4.5
    cpe:2.3:a:freetype:freetype:2.4.5
  • Apple iPhone OS 4.2.1
    cpe:2.3:o:apple:iphone_os:4.2.1
  • Apple iPhone OS 4.2.5
    cpe:2.3:o:apple:iphone_os:4.2.5
  • Apple iPhone OS 4.2.8
    cpe:2.3:o:apple:iphone_os:4.2.8
  • Apple iPhone OS 4.1
    cpe:2.3:o:apple:iphone_os:4.1
  • Apple iPhone OS 4.0
    cpe:2.3:o:apple:iphone_os:4.0
  • Apple iPhone OS 4.0.1
    cpe:2.3:o:apple:iphone_os:4.0.1
  • Apple iPhone OS 4.0.2
    cpe:2.3:o:apple:iphone_os:4.0.2
  • Apple iPhone OS 4.2
    cpe:2.3:o:apple:iphone_os:4.2
  • Apple iPhone OS 4.3.0
    cpe:2.3:o:apple:iphone_os:4.3.0
  • Apple iPhone OS 4.3.1
    cpe:2.3:o:apple:iphone_os:4.3.1
  • Apple iPhone OS 4.3.2
    cpe:2.3:o:apple:iphone_os:4.3.2
  • Apple iPhone OS 4.3.3
    cpe:2.3:o:apple:iphone_os:4.3.3
  • Apple iPhone OS 3.2.2
    cpe:2.3:o:apple:iphone_os:3.2.2
  • Apple iPhone OS 3.2.1
    cpe:2.3:o:apple:iphone_os:3.2.1
  • Apple iPhone OS 3.2
    cpe:2.3:o:apple:iphone_os:3.2
  • Apple iPhone OS 3.1.3
    cpe:2.3:o:apple:iphone_os:3.1.3
  • Apple iPhone OS 3.1.2
    cpe:2.3:o:apple:iphone_os:3.1.2
  • Apple iPhone OS 3.1
    cpe:2.3:o:apple:iphone_os:3.1
  • Apple iPhone OS 3.0.1
    cpe:2.3:o:apple:iphone_os:3.0.1
  • Apple iPhone OS 3.0
    cpe:2.3:o:apple:iphone_os:3.0
  • Apple iPhone OS 2.2.1
    cpe:2.3:o:apple:iphone_os:2.2.1
  • Apple iPhone OS 2.2
    cpe:2.3:o:apple:iphone_os:2.2
  • Apple iPhone OS 2.1.1
    cpe:2.3:o:apple:iphone_os:2.1.1
  • Apple iPhone OS 2.1
    cpe:2.3:o:apple:iphone_os:2.1
  • Apple iPhone OS 2.0.2
    cpe:2.3:o:apple:iphone_os:2.0.2
  • Apple iPhone OS 2.0.1
    cpe:2.3:o:apple:iphone_os:2.0.1
  • Apple iPhone OS 2.0.0
    cpe:2.3:o:apple:iphone_os:2.0.0
  • Apple iPhone OS 2.0
    cpe:2.3:o:apple:iphone_os:2.0
  • Apple iPhone OS 1.1.5
    cpe:2.3:o:apple:iphone_os:1.1.5
  • Apple iPhone OS 1.1.4
    cpe:2.3:o:apple:iphone_os:1.1.4
  • Apple iPhone OS 1.1.3
    cpe:2.3:o:apple:iphone_os:1.1.3
  • Apple iPhone OS 1.1.2
    cpe:2.3:o:apple:iphone_os:1.1.2
  • Apple iPhone OS 1.1.1
    cpe:2.3:o:apple:iphone_os:1.1.1
  • Apple iPhone OS 1.1.0
    cpe:2.3:o:apple:iphone_os:1.1.0
  • Apple iPhone OS 1.0.2
    cpe:2.3:o:apple:iphone_os:1.0.2
  • Apple iPhone OS 1.0.1
    cpe:2.3:o:apple:iphone_os:1.0.1
  • Apple iPhone OS 1.0.0
    cpe:2.3:o:apple:iphone_os:1.0.0
CVSS
Base: 9.3 (as of 20-07-2011 - 10:49)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201201-09.NASL
    description The remote host is affected by the vulnerability described in GLSA-201201-09 (FreeType: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in FreeType. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to open a specially crafted font, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 57651
    published 2012-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57651
    title GLSA-201201-09 : FreeType: Multiple vulnerabilities
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_7_2.NASL
    description The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.2. This version contains numerous security-related fixes for the following components : - Apache - Application Firewall - ATS - BIND - Certificate Trust Policy - CFNetwork - CoreMedia - CoreProcesses - CoreStorage - File Systems - iChat Server - Kernel - libsecurity - Open Directory - PHP - python - QuickTime - SMB File Server - X11
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 56480
    published 2011-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56480
    title Mac OS X 10.7.x < 10.7.2 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_FREETYPE2-110722.NASL
    description This freetype2 update fixes sign extension problems and missing length checks. This issue was used in one of the last jailbreakme exploits for Apple iPhone/iPad products. (CVE-2011-0226)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75844
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75844
    title openSUSE Security Update : freetype2 (openSUSE-SU-2011:0852-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-9525.NASL
    description This update fixes CVE-2011-0226. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 56016
    published 2011-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56016
    title Fedora 14 : freetype-2.4.2-5.fc14 (2011-9525)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110721_FREETYPE_ON_SL6_X.NASL
    description FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide the FreeType 2 font engine. A flaw was found in the way the FreeType font rendering engine processed certain PostScript Type 1 fonts. If a user loaded a specially crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0226) Users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The X server must be restarted (log out, then log back in) for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61089
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61089
    title Scientific Linux Security Update : freetype on SL6.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_FREETYPE2-110722.NASL
    description This freetype2 update fixes sign extension problems and missing length checks. This issue was used in one of the last jailbreakme exploits for Apple iPhone/iPad products. (CVE-2011-0226)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75506
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75506
    title openSUSE Security Update : freetype2 (openSUSE-SU-2011:0852-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1173-1.NASL
    description It was discovered that FreeType did not correctly handle certain malformed Type 1 font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 55688
    published 2011-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55688
    title Ubuntu 10.10 / 11.04 : freetype vulnerability (USN-1173-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2011-120.NASL
    description A vulnerability was discovered and corrected in freetype2 : Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011 (CVE-2011-0226). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149 products_id=490 The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 55695
    published 2011-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55695
    title Mandriva Linux Security Advisory : freetype2 (MDVSA-2011:120)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-9542.NASL
    description This update fixes CVE-2011-0226. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 55872
    published 2011-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55872
    title Fedora 15 : freetype-2.4.4-5.fc15 (2011-9542)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_5D374B01C3EE11E08AA5485D60CB5385.NASL
    description Vincent Danen reports : Due to an error within the t1_decoder_parse_charstrings() function (src/psaux/t1decode.c), memory can be corrupted by tricking a user into processing a specially crafted PostScript Type1 font in an application that uses the freetype library.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 55822
    published 2011-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55822
    title FreeBSD : freetype2 -- execute arbitrary code or cause denial of service (5d374b01-c3ee-11e0-8aa5-485d60cb5385)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_FREETYPE2-110726.NASL
    description This update fixes length checks in psaux/psobjs.c. This issue was used in one of the last jailbreakme exploits for Apple iPhone/iPad products. (CVE-2011-0226)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 55712
    published 2011-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55712
    title SuSE 11.1 Security Update : freetype2 (SAT Patch Number 4921)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-1085.NASL
    description Updated freetype packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide the FreeType 2 font engine. A flaw was found in the way the FreeType font rendering engine processed certain PostScript Type 1 fonts. If a user loaded a specially crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0226) Users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The X server must be restarted (log out, then log back in) for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 55647
    published 2011-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55647
    title RHEL 6 : freetype (RHSA-2011:1085)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-1085.NASL
    description From Red Hat Security Advisory 2011:1085 : Updated freetype packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide the FreeType 2 font engine. A flaw was found in the way the FreeType font rendering engine processed certain PostScript Type 1 fonts. If a user loaded a specially crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0226) Users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The X server must be restarted (log out, then log back in) for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68311
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68311
    title Oracle Linux 6 : freetype (ELSA-2011-1085)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2294.NASL
    description It was discovered that insufficient input sanitising in Freetype's code to parse Type1 could lead to the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 55852
    published 2011-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55852
    title Debian DSA-2294-1 : freetype - missing input sanitising
redhat via4
advisories
bugzilla
id 722701
title CVE-2011-0226 freetype: postscript type1 font parsing vulnerability
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhsa:tst:20100842001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhsa:tst:20100842002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20100842003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20100842004
  • OR
    • AND
      • comment freetype is earlier than 0:2.3.11-6.el6_1.6
        oval oval:com.redhat.rhsa:tst:20111085005
      • comment freetype is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100864006
    • AND
      • comment freetype-demos is earlier than 0:2.3.11-6.el6_1.6
        oval oval:com.redhat.rhsa:tst:20111085007
      • comment freetype-demos is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100864008
    • AND
      • comment freetype-devel is earlier than 0:2.3.11-6.el6_1.6
        oval oval:com.redhat.rhsa:tst:20111085009
      • comment freetype-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100864010
rhsa
id RHSA-2011:1085
released 2011-07-21
severity Important
title RHSA-2011:1085: freetype security update (Important)
rpms
  • freetype-0:2.3.11-6.el6_1.6
  • freetype-demos-0:2.3.11-6.el6_1.6
  • freetype-devel-0:2.3.11-6.el6_1.6
refmap via4
apple
  • APPLE-SA-2011-07-15-1
  • APPLE-SA-2011-07-15-2
  • APPLE-SA-2011-10-12-3
bid 48619
confirm
debian DSA-2294
mandriva MDVSA-2011:120
misc http://www.appleinsider.com/articles/11/07/06/hackers_release_new_browser_based_ios_jailbreak_based_on_pdf_exploit.html
mlist
  • [freetype-devel] 20110708 Re: details on iPhone exploit caused by FreeType?
  • [freetype-devel] 20110708 details on iPhone exploit caused by FreeType?
  • [freetype-devel] 20110709 Re: details on iPhone exploit caused by FreeType?
  • [freetype-devel] 20110711 Re: details on iPhone exploit caused by FreeType?
secunia
  • 45167
  • 45224
suse
  • SUSE-SU-2011:0853
  • openSUSE-SU-2011:0852
Last major update 25-10-2011 - 22:56
Published 19-07-2011 - 18:55