From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Jun 24 01:10:02 2008
Message-Id: <20080624010914.28A2961DF9@smtp.earth.threerings.net>
Date: Mon, 23 Jun 2008 18:09:14 -0700 (PDT)
From: Nick Barkas
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/124917: [patch] security/vuxml add vulnerabilities for freetype2 < 2.3.6
Reply-To: Nick Barkas

>Number: 124917
>Category: ports
>Synopsis: [patch] security/vuxml add vulnerabilities for freetype2 < 2.3.6
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Jun 24 01:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Nick Barkas
>Release: FreeBSD 6.3-RELEASE-p2 i386
>Organization: Three Rings Design
>Environment:
System: FreeBSD mail1.earth.threerings.net 6.3-RELEASE-p2 FreeBSD 6.3-RELEASE-p2 #3: Sat May 31 19:44:03 PDT 2008 root@mail1.earth.threerings.net:/usr/obj/usr/src/sys/SMP i386
>Description:
FreeType below 2.3.6 has multiple vulnerabilities. This patch adds a VuXML entry to document those.
>How-To-Repeat:
>Fix:

--- vuxml.patch begins here --- --- vuln.xml.orig 2008-06-22 14:08:08.000000000 -0700 +++ vuln.xml 2008-06-23 18:02:59.000000000 -0700 @@ -34,6 +34,58 @@ --> + + FreeType 2 -- Multiple Vulnerabilities + + + freetype2 + 2.3.6 + + + + +
+
    +
  • An integer overflow error exists in the processing of PFB font + files. This can be exploited to cause a heap-based buffer overflow + via a PFB file containing a specially crafted "Private" dictionary + table.
  • +
  • An error in the processing of PFB font files can be exploited to + trigger the "free()" of memory areas that are not allocated on the + heap.
  • +
  • An off-by-one error exists in the processing of PFB font files. + This can be exploited to cause a one-byte heap-based buffer + overflow via a specially crafted PFB file.
  • +
  • An off-by-one error exists in the implementation of the "SHC" + instruction while processing TTF files. This can be exploited to + cause a one-byte heap-based buffer overflow via a specially + crafted TTF file.
  • +
+

Successful exploitation of the vulnerabilities may allow execution + of arbitrary code.

+
+ +
+ + 29637 + 29639 + 29640 + 29641 + CVE-2008-1806 + CVE-2008-1807 + CVE-2008-1808 + http://secunia.com/advisories/30600 + http://sourceforge.net/project/shownotes.php?release_id=605780 + http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=715 + http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=716 + http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=717 + + + 2008-06-10 + 2008-06-23 + +
+ php -- input validation error in posix_access function --- vuxml.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
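
Review bot: the topic line at the top of the new entry, "FreeType 2 -- Multiple Vulnerabilities", does not follow the style of the neighbouring entry visible in the trailing context, "php -- input validation error in posix_access function", which uses the lowercase package name followed by a lowercase summary. Suggest "freetype2 -- multiple vulnerabilities", so the topic matches the affected package name given in the entry. Separately, the description lists four flaws while the references carry three CVE names (CVE-2008-1806, CVE-2008-1807, CVE-2008-1808) and three iDefense links; please say in the PR which identifier covers each of the two off-by-one errors, so a committer can confirm that no reference is missing.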