Otkriveni novi propusti paketa freetype

U radu programskog paketa freetype otkriveno je nekoliko propusta koji zlonamjernom korisniku omogućuju pokretanje proizvoljnog programskog koda.

Paket:	FreeType 2.x
Operacijski sustavi:	Debian Linux 4.0 (etch), Debian Linux 5.0 (lenny), Debian Linux 6.0 (squeeze), Fedora 7, Fedora 8, Fedora 9, Fedora 10, Fedora 11, Fedora 12, Fedora 13, Fedora 14, Fedora 15, Fedora 16, Fedora 17, FreeBSD 4.x, FreeBSD 5.x, FreeBSD 6.x, FreeBSD 7.0, FreeBSD 7.1, FreeBSD 7.2, FreeBSD 7.3, FreeBSD 7.4, FreeBSD 8.0, FreeBSD 8.1, FreeBSD 8.2, Gentoo Linux , Mandrake Linux 7.x, Mandrake Linux 8.x, Mandrake Linux 9.x, Mandriva Linux 2009.0, Mandriva Linux 2010, Mandriva Linux 2010.1, Mandriva Linux 2010.2, Mandriva Linux 2011, Mandriva Linux Corporate 4.0, Mandriva Linux Enterprise Server 5.0, openSUSE 10.2, openSUSE 10.3, openSUSE 11.0, openSUSE 11.1, openSUSE 11.2, openSUSE 11.3, openSUSE 11.4, openSUSE 12.1, Red Hat Desktop 4.x, Red Hat Enterprise Linux 2.1, Red Hat Enterprise Linux 3, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, Red Hat Linux 7, Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 8.0, Red Hat Linux 9, Slackware Linux 8.0, Slackware Linux 8.1, Slackware Linux 9.0, Slackware Linux 9.1, Slackware Linux 10.0, Slackware Linux 10.1, Slackware Linux 10.2, Slackware Linux 11.0, Slackware Linux 12.0, Slackware Linux 12.1, Slackware Linux 12.2, Slackware Linux 13.0, Slackware Linux 13.1, Slackware Linux 13.37, SUSE Linux Enterprise Desktop 10, SUSE Linux Enterprise Desktop 11, SUSE Linux Enterprise Server (SLES) 9, SUSE Linux Enterprise Server (SLES) 10, SUSE Linux Enterprise Server (SLES) 11, SUSE Linux Enterprise Teradata 10, Ubuntu Linux 11.0, Ubuntu Linux 5.04, Ubuntu Linux 5.10, Ubuntu Linux 6.06, Ubuntu Linux 6.10, Ubuntu Linux 7.04, Ubuntu Linux 7.10, Ubuntu Linux 8.04, Ubuntu Linux 8.10, Ubuntu Linux 9.04, Ubuntu Linux 9.10, Ubuntu Linux 10.04, Ubuntu Linux 10.10, Ubuntu Linux 11.04, Ubuntu Linux 11.10
Kritičnost:	6.8
Problem:	neodgovarajuća provjera ulaznih podataka
Iskorištavanje:	lokalno
Posljedica:	proizvoljno izvršavanje programskog koda
Rješenje:	programska zakrpa proizvođača
CVE:	CVE-2012-1133, CVE-2012-1134, CVE-2012-1136, CVE-2012-1142, CVE-2012-1144
Izvorni ID preporuke:	DSA-2428-1
Izvor:	Debian

Problem:
Ranjivost programskog paketa freetype javlja se pri parsiranju određenih vrsta fontova (BDF, Type1, TrueType).
Posljedica:
Ukoliko programski paket procesira zlonamjerno oblikovanu datoteku fontova, lokalnom se korisniku omogućuje proizvoljno pokretanje programskog koda.
Rješenje:
Izdana je zakrpa proizvođača te se savjetuje njezina instalacija.

Izvorni tekst preporuke

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2428-1                   Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
http://www.debian.org/security/                        Moritz Muehlenhoff
March 07, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : freetype
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2012-1133 CVE-2012-1134 CVE-2012-1136 CVE-2012-1142 
                 CVE-2012-1144

Mateusz Jurczyk from the Google Security Team discovered several
vulnerabilties in Freetype's parsing of BDF, Type1 and TrueType fonts,
which could result in the execution of arbitrary code if a malformed
font file is processed.

For the stable distribution (squeeze), this problem has been fixed in
version 2.4.2-2.1+squeeze4. The updated packages are already available
since yesterday, but the advisory text couldn't be send earlier.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your freetype packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk9ZGr4ACgkQXm3vHE4uylrqXwCgt7v0tCWBvNCK1W8+rKdi8QQq
JR8AoOf6lqxPdAkafTtMJjD03zMxHWz8
=9Jet
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
with a subject of "unsubscribe". Trouble? Contact Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
Archive: http://lists.debian.org/Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.

Otkriveni novi propusti paketa freetype

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti

Otkriveni novi propusti paketa freetype

Tražilica portala

Aktivnosti

O CIS-u

Posljednje sigurnosne preporuke

Posljednje vijesti

Popularni članci

Posljednji dokumenti