CIAC INFORMATION BULLETIN

S-328: FreeType Security Update

[Red Hat RHSA-2008:0556-8]

June 26, 2008 18:00 GMT

PROBLEM: Multiple flaws were discovered in FreeType's Printer Font Binary (PFB) font-file format parser.
PLATFORM: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 3, v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS, ES, WS (v. 3, v. 4)
Red Hat Enterprise Linux Desktop (v. 5 client)
DAMAGE: Execute arbitrary code.
SOLUTION: Upgrade to the appropriate version.

VULNERABILITY
ASSESSMENT:
The risk is MEDIUM. If a user loaded a carefully crafted font file with a program linked against FreeType, it could cause the application to crash, or possibly execute arbitrary code.

CVSS 2 BASE SCORE:     7.5
   TEMPORAL SCORE:     5.9
   VECTOR:             (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/s-328.shtml
  ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2008-0556.html
  CVE: CVE-2008-1806 CVE-2008-1807 CVE-2008-1808

[***** Start Red Hat RHSA-2008:0556-8 *****]


Important: freetype security update

Advisory: RHSA-2008:0556-8
Type: Security Advisory
Severity: Important
Issued on: 2008-06-20
Last updated on: 2008-06-25
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20080556.xml
CVEs (cve.mitre.org): CVE-2008-1806
CVE-2008-1807
CVE-2008-1808

Details

Updated freetype packages that fix various security issues are now
available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

[Updated 25th June 2008]
The original packages for Red Hat Enterprise Linux 3 and 4 distributed with
this erratum had a bug that prevented the freetype library from loading certain
font files correctly. We have updated the packages to correct this bug.

FreeType is a free, high-quality, portable font engine that can open and
manage font files, as well as efficiently load, hint and render individual
glyphs.

Multiple flaws were discovered in FreeType's Printer Font Binary (PFB)
font-file format parser. If a user loaded a carefully crafted font-file
with a program linked against FreeType, it could cause the application to
crash, or possibly execute arbitrary code. (CVE-2008-1806, CVE-2008-1807,
CVE-2008-1808)

Note: the flaw in FreeType's TrueType Font (TTF) font-file format parser,
covered by CVE-2008-1808, did not affect the freetype packages as shipped
in Red Hat Enterprise Linux 3, 4, and 5, as they are not compiled with TTF
Byte Code Interpreter (BCI) support.

Users of freetype should upgrade to these updated packages, which contain
backported patches to resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Bugs fixed (see bugzilla for more information)

450768 - CVE-2008-1806 FreeType PFB integer overflow
450773 - CVE-2008-1807 FreeType invalid free() flaw
450774 - CVE-2008-1808 FreeType off-by-one flaws
452474 - Latest freetype erratum does not display all fonts


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1808
http://www.redhat.com/security/updates/classification/#important


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/


[***** End Red Hat RHSA-2008:0556-8 *****]
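Added example, not part of the CIAC bulletin or of Red Hat's advisory: a Python check that reads the installed freetype version-release from rpm and compares it against the fixed builds this advisory ships (2.1.4-10.el3 for RHEL 3, 2.1.9-8.el4.6 for RHEL 4, 2.2.1-20.el5_2 for RHEL 5) using a simplified reimplementation of rpm's version comparison. The /etc/redhat-release parsing and the assumption that freetype carries no epoch are mine.

```python
"""Check whether the installed freetype RPM is at or past the fixed build from RHSA-2008:0556."""
import re
import subprocess

# Fixed freetype version-release per RHEL major, taken from the advisory's package list.
FIXED = {3: "2.1.4-10.el3", 4: "2.1.9-8.el4.6", 5: "2.2.1-20.el5_2"}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does (epoch and '~' not handled):
    split on non-alphanumerics into digit/alpha runs, digit runs compare numerically,
    a digit run outranks an alpha run, and when one side runs out the longer one is newer.
    Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(installed_vr, rhel_major):
    """True if 'version-release' is at or above the fixed build for that RHEL major."""
    iv, ir = installed_vr.split("-", 1)
    fv, fr = FIXED[rhel_major].split("-", 1)
    # Release only decides the order when the versions are equal (rpmvercmp == 0).
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0


def rhel_major(release_text):
    """Extract the major version from /etc/redhat-release content; None if not RHEL-like."""
    m = re.search(r"release (\d+)", release_text)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    try:
        with open("/etc/redhat-release") as f:
            major = rhel_major(f.read())
        out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", "freetype"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as e:
        raise SystemExit("cannot query this host: %s" % e)
    if major not in FIXED:
        raise SystemExit("RHEL %s is not covered by this advisory" % major)
    for vr in out.split():  # one line per installed arch on multilib hosts
        print("freetype-%s: %s" % (vr, "fixed" if is_fixed(vr, major) else "VULNERABLE"))
```

The script only judges package version; it does not detect whether an application has the library loaded, so a restart of long-running font consumers (X server, desktop sessions) is still needed after the upgrade.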


CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788