CVE-2010-2807 — Incorrect Conversion between Numeric Types in Freetype

CWE-681 — Incorrect Conversion between Numeric Types7 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

5.2%

top 10.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freetype Apple Iphone OS Apple MAC OS X +3 more

Timeline

PublishedAug 19

Latest updateMay 13

Description

FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages6 packages

▶debiandebian/freetype< freetype 2.4.2-1 (bookworm)

▶NVDfreetype/freetype< 2.4.2

▶Debianfreetype/freetype< 2.4.2-1+3

▶NVDapple/tvos< 4.1.0

▶NVDapple/mac_os_x< 10.6.5

Also affects: Ubuntu Linux 10.04, 6.06, 8.04, 9.04, 9.10

Patches

Patch: git.savannah.gnu.org ↗Patch: marc.info ↗Patch: git.savannah.gnu.org ↗

🔴Vulnerability Details

GHSA

GHSA-82hp-4wv7-4pr5: FreeType before 2↗2022-05-13

▶

OSV

CVE-2010-2807: FreeType before 2↗2010-08-19

▶

📋Vendor Advisories

Ubuntu

FreeType vulnerabilities↗2010-08-17

▶

Red Hat

freetype: incorrect integer data types used during bounds checking↗2010-08-05

▶

Debian

CVE-2010-2807: freetype - FreeType before 2.4.2 uses incorrect integer data types during bounds checking, ...↗2010

▶

💬Community

Bugzilla

CVE-2010-2807 freetype: incorrect integer data types used during bounds checking↗2010-08-20

▶