Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2011.1066.3 Remote execution vulnerability in freetype 26 October 2011 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: freetype2 Publisher: Mandriva Operating System: Mandriva Linux Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2011-3256 Reference: ESB-2011.1032 Original Bulletin: http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:157 Comment: This advisory references vulnerabilities in products which run on platforms other than Mandriva. It is recommended that administrators running freetype2 check for an updated version of the software for their operating system. Revision History: October 26 2011: Modified impact to denial of service October 25 2011: Added reference October 24 2011: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2011:157 http://www.mandriva.com/security/ _______________________________________________________________________ Package : freetype2 Date : October 21, 2011 Affected: 2010.1, 2011., Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability has been discovered and corrected in freetype2: FreeType allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font (CVE-2011-3256). A regression was found in freetype2 in Mandriva Enterprise Server 5 that caused ugly font rendering with firefox (#63892). Additionally, improvements conserning the LZW handling (as noted in the freetype-2.4.7 version) was added. The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3256 https://qa.mandriva.com/63892 _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: 5cb7a45af29372a1b91c23088a3be78f 2010.1/i586/libfreetype6-2.3.12-1.7mdv2010.2.i586.rpm 18b8a3231fab96584207b6e8a4a8e81d 2010.1/i586/libfreetype6-devel-2.3.12-1.7mdv2010.2.i586.rpm 7d6147c1638bcb6d16cee6e2a9939f27 2010.1/i586/libfreetype6-static-devel-2.3.12-1.7mdv2010.2.i586.rpm 77690084036cd92f1f19333d383897ad 2010.1/SRPMS/freetype2-2.3.12-1.7mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: 7ae7f8215e3542d2fb8f6377c7cf4469 2010.1/x86_64/lib64freetype6-2.3.12-1.7mdv2010.2.x86_64.rpm 6b97bbef06367d203527cfb65bcd899f 2010.1/x86_64/lib64freetype6-devel-2.3.12-1.7mdv2010.2.x86_64.rpm 2864878ad4d4294790f4e5a00cbe4390 2010.1/x86_64/lib64freetype6-static-devel-2.3.12-1.7mdv2010.2.x86_64.rpm 77690084036cd92f1f19333d383897ad 2010.1/SRPMS/freetype2-2.3.12-1.7mdv2010.2.src.rpm Mandriva Linux 2011: e9fab15c8a7e45a3b59f81ce166cc85d 2011/i586/freetype2-demos-2.4.5-2.1-mdv2011.0.i586.rpm 3c9cb8ee3857996cc5dc5829dcf8e41e 2011/i586/libfreetype6-2.4.5-2.1-mdv2011.0.i586.rpm 592bdc4c63e31b7692da26a8ba001528 2011/i586/libfreetype6-devel-2.4.5-2.1-mdv2011.0.i586.rpm edc8653f7609c869c0ec20a0fcd012fa 2011/i586/libfreetype6-static-devel-2.4.5-2.1-mdv2011.0.i586.rpm 86535a7b5e2ccef2e1ba0d037f18e000 2011/SRPMS/freetype2-2.4.5-2.1.src.rpm Mandriva Linux 2011/X86_64: 35eaf601f67489ea952087e2f6339c1f 2011/x86_64/freetype2-demos-2.4.5-2.1-mdv2011.0.x86_64.rpm 7ccc207101ce7840e5e0abd0f4642067 2011/x86_64/lib64freetype6-2.4.5-2.1-mdv2011.0.x86_64.rpm 91aec2804157d8817fcab99ede4da4f0 2011/x86_64/lib64freetype6-devel-2.4.5-2.1-mdv2011.0.x86_64.rpm 92fb10c2f9a1847db4423f1c6c67c0fa 2011/x86_64/lib64freetype6-static-devel-2.4.5-2.1-mdv2011.0.x86_64.rpm 86535a7b5e2ccef2e1ba0d037f18e000 2011/SRPMS/freetype2-2.4.5-2.1.src.rpm Mandriva Enterprise Server 5: 097b5a0bc581233000e5e4612101d500 mes5/i586/libfreetype6-2.3.7-1.8mdvmes5.2.i586.rpm 17c6796fb526c1c3e53074e0834db5c3 mes5/i586/libfreetype6-devel-2.3.7-1.8mdvmes5.2.i586.rpm c3e708211d845e14ad63bfe14e108d6c mes5/i586/libfreetype6-static-devel-2.3.7-1.8mdvmes5.2.i586.rpm 13576b846900d36ed12b74f7ef612850 mes5/SRPMS/freetype2-2.3.7-1.8mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: aa08ec531c3b663dec9fe150316b69f8 mes5/x86_64/lib64freetype6-2.3.7-1.8mdvmes5.2.x86_64.rpm c1a715c5816d9db37159000ce71fc4fb mes5/x86_64/lib64freetype6-devel-2.3.7-1.8mdvmes5.2.x86_64.rpm 6f59f92a9e60158c4cd53bc7fb34d54d mes5/x86_64/lib64freetype6-static-devel-2.3.7-1.8mdvmes5.2.x86_64.rpm 13576b846900d36ed12b74f7ef612850 mes5/SRPMS/freetype2-2.3.7-1.8mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFOoSQgmqjQ0CJFipgRAu7bAKCNJuDDSIC2BGla3ck+cJp/Kn88ZwCg1jD/ dxu3TlyhMXF4coBC+GcK+2g= =QK6b - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBTqdIeO4yVqjM2NGpAQJNnw//VQHvMd1+Cdg6XTJ8O4oSTrj22cr1jgVY AsKJHAvMr/2AoBxDjDVP4hhYzJizlXxI/z6xnE+NspQM2ZEx27lx6UrbIAGcEGVK UueBWHZGASzUt7vZf//nFjOvrgosaR6ifPEuuL/rlI28r/tNpcAwT0AUyqQo4FlI bXyQwGSBc2sJ9gZJ8jOitlIyIDse7Q8W5FQMsC7xhnP7ZCnZGmMzZPtA7uMSOFsT RzsdVJaPPL/oBJIaTVu7XMXHUj0+EGxedg29f8paCqHy/cx5PHpojjaL/sVMFmJC 6uHHoYzOtenWnejtEUL7uqQvVCVGJUtQE7XTLXCly0IIB5aOXPcG9jcMGTb1yzAh tXFY4MTUwMrq53t3avoNFBIEaONEiVxKDNW3P5ZWObmfIW/a7wN4WbbsvQ0P2OUC jXRetdFFN7+oGOKE40t9TK8RCbRUh0LZ51PF2TFG9ZNyTgLURfB8p6EVkqsTa4Yo 4KN0TMKwv6btdnHSPSQMOGd5WZm5CgN5sBVZywT5WP4NR4E92u1nfx+ApriPqlLy xlH9DCY08Y4PTm4ocFBxXCFywbpR5SCLPEToFu6FSA0bSI9IokvKWIia6ZxJ0pM4 FR13GoAGIhpUQ0btljDWWGgAw50FOPsfazQi08ZQnH6pY2bP9FD2qDBEMRla/imX uxnHntTuYEs= =Pv+4 -----END PGP SIGNATURE-----