U radu programskog paketa FreeType uočeni su i ispravljeni višestruki nedostaci koje udaljeni napadač može iskoristiti za izvođenje DoS napada i pokretanje proizvoljnog programskog koda.
Paket:
FreeType 2.x
Operacijski sustavi:
Mandriva Linux 2010.1, Mandriva Linux 2011, Mandriva Linux Enterprise Server 5.0
Kritičnost:
5.9
Problem:
neodgovarajuće rukovanje datotekama, pogreška u programskoj funkciji
Nedostaci su uzrokovani nepravilnostima u datotekama "src/type1/t1parse.c", "src/bdf/bdflib.c", "src/winfonts/winfnt.c", "src/truetype/ttgload.c", "src/bdf/bdflib.c" te prepisivanjem cjelobrojne varijable u funkciji "_bdf_parse_glyphs()".
Posljedica:
Zlonamjerni korisnik može iskoristiti navedene propuste za pokretanje proizvoljnog programskog koda te izvođenje napada uskraćivanjem usluge (DoS napada).
Rješenje:
Savjetuje se nadogradnja paketa na novije inačice.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:057
http://www.mandriva.com/security/
_______________________________________________________________________
Package : freetype2
Date : April 12, 2012
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple flaws were found in FreeType. Specially crafted files
could cause application crashes or potentially execute arbitrary
code (CVE-2012-1126, CVE-2012-1127, CVE-2012-1128, CVE-2012-1129,
CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1133,
CVE-2012-1134, CVE-2012-1135, CVE-2012-1136, CVE-2012-1137,
CVE-2012-1138, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141,
CVE-2012-1142, CVE-2012-1143, CVE-2012-1144).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1133
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1135
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1136
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1141
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1144
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
27ac5c46bbcaee8f960d654b08c620c3
2010.1/i586/freetype2-demos-2.3.12-1.9mdv2010.2.i586.rpm
d2d6c24a4614ff3b838cd082c4487da6
2010.1/i586/libfreetype6-2.3.12-1.9mdv2010.2.i586.rpm
613f7d3ac7de3f5eee9b1dc925d37816
2010.1/i586/libfreetype6-devel-2.3.12-1.9mdv2010.2.i586.rpm
002b002cde3335b8c16875543886fd92
2010.1/i586/libfreetype6-static-devel-2.3.12-1.9mdv2010.2.i586.rpm
0d6c1904469c22a77428c4323bc9ce59
2010.1/SRPMS/freetype2-2.3.12-1.9mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
fa720ee6e2ba28b1e3ab8b6908dc8389
2010.1/x86_64/freetype2-demos-2.3.12-1.9mdv2010.2.x86_64.rpm
ce9ff4d173364d3f3dd02eadcaa00558
2010.1/x86_64/lib64freetype6-2.3.12-1.9mdv2010.2.x86_64.rpm
cb39f796366819450d8221263bbe52a7
2010.1/x86_64/lib64freetype6-devel-2.3.12-1.9mdv2010.2.x86_64.rpm
0d22f0778fa4fd37c3cf23aca2e540ae
2010.1/x86_64/lib64freetype6-static-devel-2.3.12-1.9mdv2010.2.x86_64.rpm
0d6c1904469c22a77428c4323bc9ce59
2010.1/SRPMS/freetype2-2.3.12-1.9mdv2010.2.src.rpm
Mandriva Linux 2011:
b132cce68da5b73b5c0eb3ab6334344f
2011/i586/freetype2-demos-2.4.5-2.3-mdv2011.0.i586.rpm
49543c61a1547907c31c456023e5e3d6
2011/i586/libfreetype6-2.4.5-2.3-mdv2011.0.i586.rpm
7e2fea21d3346ef0102b01e457338c8c
2011/i586/libfreetype6-devel-2.4.5-2.3-mdv2011.0.i586.rpm
0624a5a99801fdfc15e4e681a6694e1f
2011/i586/libfreetype6-static-devel-2.4.5-2.3-mdv2011.0.i586.rpm
9fa0927b963e00c52a5cc8e52b60488f 2011/SRPMS/freetype2-2.4.5-2.3.src.rpm
Mandriva Linux 2011/X86_64:
1af1f5c163d649294da57bf35747f392
2011/x86_64/freetype2-demos-2.4.5-2.3-mdv2011.0.x86_64.rpm
445ecaeea2d4ff7eb21c13c2d0b6559f
2011/x86_64/lib64freetype6-2.4.5-2.3-mdv2011.0.x86_64.rpm
53f8909052fd9b9d0abf7223d4eccb75
2011/x86_64/lib64freetype6-devel-2.4.5-2.3-mdv2011.0.x86_64.rpm
8d964347212fe30961ec6b542388475e
2011/x86_64/lib64freetype6-static-devel-2.4.5-2.3-mdv2011.0.x86_64.rpm
9fa0927b963e00c52a5cc8e52b60488f 2011/SRPMS/freetype2-2.4.5-2.3.src.rpm
Mandriva Enterprise Server 5:
a8a99f3672f9c34568bcec2ec67c961e
mes5/i586/freetype2-demos-2.3.7-1.10mdvmes5.2.i586.rpm
1350b0bf938ba4ac67a148371578dc67
mes5/i586/libfreetype6-2.3.7-1.10mdvmes5.2.i586.rpm
4e86fcdc1e2b69f12ce4ba3ffc64fe40
mes5/i586/libfreetype6-devel-2.3.7-1.10mdvmes5.2.i586.rpm
3441e06db6fccb035e4f73626c74e694
mes5/i586/libfreetype6-static-devel-2.3.7-1.10mdvmes5.2.i586.rpm
40e296bda353cb4351feb3dec6e8b508
mes5/SRPMS/freetype2-2.3.7-1.10mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
1908a8af14e177717a3c8fc962834019
mes5/x86_64/freetype2-demos-2.3.7-1.10mdvmes5.2.x86_64.rpm
79a9c7f036c2d69027b5aaabc39554a4
mes5/x86_64/lib64freetype6-2.3.7-1.10mdvmes5.2.x86_64.rpm
462b93d5939a507033b2faa414a26141
mes5/x86_64/lib64freetype6-devel-2.3.7-1.10mdvmes5.2.x86_64.rpm
11896142878498128688d0667bbccd9a
mes5/x86_64/lib64freetype6-static-devel-2.3.7-1.10mdvmes5.2.x86_64.rpm
40e296bda353cb4351feb3dec6e8b508
mes5/SRPMS/freetype2-2.3.7-1.10mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFPhrLQmqjQ0CJFipgRAlTjAKCLMBynemZAky8w1QxtTeUExoCobQCePExV
tTU2vHcYIJ41fGp4cPaqOrs=
=RegY
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke