CVE-2006-3467
published 2006-07-21
CVE-2006-3467: Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF…
Priority: P431 | high | 7.5 | CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 4.30% (89.9th percentile)
Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | freetype | < freetype 2.2.1-5 (bookworm) | freetype 2.2.1-5 (bookworm) |
| debian | libxfont | < freetype 2.2.1-5 (bookworm) | freetype 2.2.1-5 (bookworm) |
| freetype | freetype | <= 2.1 | — |
| freetype | freetype | >= 0 < 2.2.1-5 | 2.2.1-5 |
| freetype | freetype | >= 0 < 2.2.1-5 | 2.2.1-5 |
| freetype | freetype | >= 0 < 2.2.1-5 | 2.2.1-5 |
| freetype | freetype | >= 0 < 2.2.1-5 | 2.2.1-5 |
| x.org | libxfont | >= 0 < 1:1.2.0-2 | 1:1.2.0-2 |
| x.org | libxfont | >= 0 < 1:1.2.0-2 | 1:1.2.0-2 |
| x.org | libxfont | >= 0 < 1:1.2.0-2 | 1:1.2.0-2 |
| x.org | libxfont | >= 0 < 1:1.2.0-2 | 1:1.2.0-2 |
CVSS provenance
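| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | MEDIUM | — |
| vendor_redhat | — | 7.5 | HIGH | — |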
GHSA
GHSA-f3f6-hw6f-fq9r: Integer overflow in FreeType before 2
ghsa_unreviewed·2022-05-03·CVSS 7.5
CVE-2006-3467 [HIGH] GHSA-f3f6-hw6f-fq9r: Integer overflow in FreeType before 2
Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.
OSV
CVE-2006-3467: Integer overflow in FreeType before 2
osv·2006-07-21·CVSS 7.5
CVE-2006-3467 [HIGH] CVE-2006-3467: Integer overflow in FreeType before 2
Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.
Ubuntu
libxfont vulnerability
vendor_ubuntu·2006-09-07
CVE-2006-3467 libxfont vulnerability
An integer overflow has been discovered in X.org's font handling
library. By using a specially crafted font file, this could be
exploited to crash the X server or execute arbitrary code with root
privileges.
Instructions: After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Ubuntu
freetype vulnerability
vendor_ubuntu·2006-07-28
CVE-2006-3467 freetype vulnerability
An integer overflow has been discovered in the FreeType library. By
tricking a user into installing and/or opening a specially crafted
font file, this could be exploited to execute arbitrary code with the
privileges of that user.
Instructions: After a standard system upgrade you need to restart your session to
effect the necessary changes.
Red Hat
freetype: integer overflow vulnerability due to incomplete fix for CVE-2006-1861
vendor_redhat·2006-07-18·CVSS 7.5
CVE-2006-3467 [HIGH] CWE-190 freetype: integer overflow vulnerability due to incomplete fix for CVE-2006-1861
Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Debian
CVE-2006-3467: freetype - Integer overflow in FreeType before 2.2 allows remote attackers to cause a denia...
vendor_debian·2006·CVSS 7.5
CVE-2006-3467 [HIGH] CVE-2006-3467: freetype - Integer overflow in FreeType before 2.2 allows remote attackers to cause a denia...
Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.
Scope: local
bookworm: resolved (fixed in 2.2.1-5)
bullseye: resolved (fixed in 2.2.1-5)
forky: resolved (fixed in 2.2.1-5)
sid: resolved (fixed in 2.2.1-5)
trixie: resolved (fixed in 2.2.1-5)
No detection rules found.
No public exploits indexed.
Bugzilla
nx: Appears to embed a vulnerable version of libXfont prone to CVE-2008-0006
bugzilla·2010-12-03·CVSS 7.5
CVE-2008-0006 [HIGH] nx: Appears to embed a vulnerable version of libXfont prone to CVE-2008-0006
This package appears to embed an old and vulnerable version of libXfont which
is prone to CVE-2008-0006
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0006
There is also an older vulnerability in libXfont CVE-2006-3467 which I have not
verified is or isn't present in nx.
Version-Release number of selected component (if applicable):
Name: nx
Arch: i686
Version: 3.3.0
Release: 38.fc12
Additional info:
It has been hard to figure out exactly which version of libXfont is in nx.
Instead I have done a diff between the current Fedora release of libXfont
(1.4.1) and the nx version. Note that the CVE alert says that the version of
libXfont that is first fixed is in 1.4.1.
The diff shows a number of changes, b
Bugzilla
CVE-2006-3467 freetype: integer overflow vulnerability due to incomplete fix for CVE-2006-1861
bugzilla·2009-02-23·CVSS 7.5
CVE-2006-3467 [HIGH] CVE-2006-3467 freetype: integer overflow vulnerability due to incomplete fix for CVE-2006-1861
Common Vulnerabilities and Exposures assigned an identifier CVE-2006-3467 to the following vulnerability:
Name: CVE-2006-3467
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467
Assigned: 20060710
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/451426/100/200/threaded
Reference: MISC: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190593
Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat
bad1.pcf test file, due to a partial fix of CVE-2006-1861.
Discussion:
This was addressed via:
Red Hat Enterprise Linux version 2.1
Bugzilla
CVE-2006-3467 Xorg PCF handling Integer overflow
bugzilla·2006-08-15·CVSS 7.5
CVE-2006-3467 [HIGH] CVE-2006-3467 Xorg PCF handling Integer overflow
Same issue affects fc6test2
+++ This bug was initially created as a clone of Bug #202469 +++
An integer overflow was discovered in the way freetype processes malformed PCF
files. It seems that Xorg also contains the same PCF processing code as
freetype, there it too is vulnerable to this issue.
We initially described this issue for freetype in bug 190593.
The upstream bug is here:
https://bugs.freedesktop.org/show_bug.cgi?id=7535
-- Additional comment from [email protected] on 2006-08-14 14:09 EST --
The upstream patch is attachment 134155
-- Additional comment from [email protected] on 2006-08-14 14:37 EST --
We should also try to fix this in FC6
-- Additional comment from [email protected] on 2006-08-14 14:58 EST --
Moving to lib
Bugzilla
CVE-2006-1861 freetype multiple integer overflows (CVE-2006-3467)
bugzilla·2006-05-03·CVSS 7.5
CVE-2006-1861 [HIGH] CVE-2006-1861 freetype multiple integer overflows (CVE-2006-3467)
Several integer overflow bugs in freetype have been fixed in CVS. The details
are below.
The descriptions are the CVS commit messages. That patch for each particular
comment is keyed off its # identifier.
* Integer overflow
#2
* src/bdf/bdflib.c (ERRMSG4): New macro.
(_bdf_parse_glyphs): Handle invalid BBX values.
* include/freetype/fterrdef.h (FT_Err_Bbx_Too_Big): New error
macro.
#3
* src/sfnt/ttcmap.c (tt_face_build_cmaps): Handle invalid offset
correctly.
#4
* src/cff/cfftypes.h (CFF_CharsetRec): Add `max_cid' member.
* src/cff/cffload.c (cff_charset_load): Set `charset->max_cid'.
* src/cff/cffgload.c (cff_slot_load): Change type of third parameter
to `FT_UInt'.
Check range of `glyph_index'.
* src/cff/cffgload.h: