Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.1066.3
Remote execution vulnerability in freetype
26 October 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: freetype2
Publisher: Mandriva
Operating System: Mandriva Linux
Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2011-3256
Reference: ESB-2011.1032
Original Bulletin:
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:157
Comment: This advisory references vulnerabilities in products which run on
platforms other than Mandriva. It is recommended that administrators
running freetype2 check for an updated version of the software for
their operating system.
Revision History: October 26 2011: Modified impact to denial of service
October 25 2011: Added reference
October 24 2011: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:157
http://www.mandriva.com/security/
_______________________________________________________________________
Package : freetype2
Date : October 21, 2011
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been discovered and corrected in freetype2:
FreeType allows remote attackers to execute arbitrary code or
cause a denial of service (memory corruption) via a crafted font
(CVE-2011-3256).
A regression was found in freetype2 in Mandriva Enterprise Server 5
that caused ugly font rendering with firefox (#63892).
Additionally, improvements conserning the LZW handling (as noted in
the freetype-2.4.7 version) was added.
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3256
https://qa.mandriva.com/63892
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
5cb7a45af29372a1b91c23088a3be78f 2010.1/i586/libfreetype6-2.3.12-1.7mdv2010.2.i586.rpm
18b8a3231fab96584207b6e8a4a8e81d 2010.1/i586/libfreetype6-devel-2.3.12-1.7mdv2010.2.i586.rpm
7d6147c1638bcb6d16cee6e2a9939f27 2010.1/i586/libfreetype6-static-devel-2.3.12-1.7mdv2010.2.i586.rpm
77690084036cd92f1f19333d383897ad 2010.1/SRPMS/freetype2-2.3.12-1.7mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
7ae7f8215e3542d2fb8f6377c7cf4469 2010.1/x86_64/lib64freetype6-2.3.12-1.7mdv2010.2.x86_64.rpm
6b97bbef06367d203527cfb65bcd899f 2010.1/x86_64/lib64freetype6-devel-2.3.12-1.7mdv2010.2.x86_64.rpm
2864878ad4d4294790f4e5a00cbe4390 2010.1/x86_64/lib64freetype6-static-devel-2.3.12-1.7mdv2010.2.x86_64.rpm
77690084036cd92f1f19333d383897ad 2010.1/SRPMS/freetype2-2.3.12-1.7mdv2010.2.src.rpm
Mandriva Linux 2011:
e9fab15c8a7e45a3b59f81ce166cc85d 2011/i586/freetype2-demos-2.4.5-2.1-mdv2011.0.i586.rpm
3c9cb8ee3857996cc5dc5829dcf8e41e 2011/i586/libfreetype6-2.4.5-2.1-mdv2011.0.i586.rpm
592bdc4c63e31b7692da26a8ba001528 2011/i586/libfreetype6-devel-2.4.5-2.1-mdv2011.0.i586.rpm
edc8653f7609c869c0ec20a0fcd012fa 2011/i586/libfreetype6-static-devel-2.4.5-2.1-mdv2011.0.i586.rpm
86535a7b5e2ccef2e1ba0d037f18e000 2011/SRPMS/freetype2-2.4.5-2.1.src.rpm
Mandriva Linux 2011/X86_64:
35eaf601f67489ea952087e2f6339c1f 2011/x86_64/freetype2-demos-2.4.5-2.1-mdv2011.0.x86_64.rpm
7ccc207101ce7840e5e0abd0f4642067 2011/x86_64/lib64freetype6-2.4.5-2.1-mdv2011.0.x86_64.rpm
91aec2804157d8817fcab99ede4da4f0 2011/x86_64/lib64freetype6-devel-2.4.5-2.1-mdv2011.0.x86_64.rpm
92fb10c2f9a1847db4423f1c6c67c0fa 2011/x86_64/lib64freetype6-static-devel-2.4.5-2.1-mdv2011.0.x86_64.rpm
86535a7b5e2ccef2e1ba0d037f18e000 2011/SRPMS/freetype2-2.4.5-2.1.src.rpm
Mandriva Enterprise Server 5:
097b5a0bc581233000e5e4612101d500 mes5/i586/libfreetype6-2.3.7-1.8mdvmes5.2.i586.rpm
17c6796fb526c1c3e53074e0834db5c3 mes5/i586/libfreetype6-devel-2.3.7-1.8mdvmes5.2.i586.rpm
c3e708211d845e14ad63bfe14e108d6c mes5/i586/libfreetype6-static-devel-2.3.7-1.8mdvmes5.2.i586.rpm
13576b846900d36ed12b74f7ef612850 mes5/SRPMS/freetype2-2.3.7-1.8mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
aa08ec531c3b663dec9fe150316b69f8 mes5/x86_64/lib64freetype6-2.3.7-1.8mdvmes5.2.x86_64.rpm
c1a715c5816d9db37159000ce71fc4fb mes5/x86_64/lib64freetype6-devel-2.3.7-1.8mdvmes5.2.x86_64.rpm
6f59f92a9e60158c4cd53bc7fb34d54d mes5/x86_64/lib64freetype6-static-devel-2.3.7-1.8mdvmes5.2.x86_64.rpm
13576b846900d36ed12b74f7ef612850 mes5/SRPMS/freetype2-2.3.7-1.8mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOoSQgmqjQ0CJFipgRAu7bAKCNJuDDSIC2BGla3ck+cJp/Kn88ZwCg1jD/
dxu3TlyhMXF4coBC+GcK+2g=
=QK6b
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTqdIeO4yVqjM2NGpAQJNnw//VQHvMd1+Cdg6XTJ8O4oSTrj22cr1jgVY
AsKJHAvMr/2AoBxDjDVP4hhYzJizlXxI/z6xnE+NspQM2ZEx27lx6UrbIAGcEGVK
UueBWHZGASzUt7vZf//nFjOvrgosaR6ifPEuuL/rlI28r/tNpcAwT0AUyqQo4FlI
bXyQwGSBc2sJ9gZJ8jOitlIyIDse7Q8W5FQMsC7xhnP7ZCnZGmMzZPtA7uMSOFsT
RzsdVJaPPL/oBJIaTVu7XMXHUj0+EGxedg29f8paCqHy/cx5PHpojjaL/sVMFmJC
6uHHoYzOtenWnejtEUL7uqQvVCVGJUtQE7XTLXCly0IIB5aOXPcG9jcMGTb1yzAh
tXFY4MTUwMrq53t3avoNFBIEaONEiVxKDNW3P5ZWObmfIW/a7wN4WbbsvQ0P2OUC
jXRetdFFN7+oGOKE40t9TK8RCbRUh0LZ51PF2TFG9ZNyTgLURfB8p6EVkqsTa4Yo
4KN0TMKwv6btdnHSPSQMOGd5WZm5CgN5sBVZywT5WP4NR4E92u1nfx+ApriPqlLy
xlH9DCY08Y4PTm4ocFBxXCFywbpR5SCLPEToFu6FSA0bSI9IokvKWIia6ZxJ0pM4
FR13GoAGIhpUQ0btljDWWGgAw50FOPsfazQi08ZQnH6pY2bP9FD2qDBEMRla/imX
uxnHntTuYEs=
=Pv+4
-----END PGP SIGNATURE-----