CVE-2011-0226
Published 2011-07-19
Priority: P268 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 6.65% (93.0th percentile)
Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.
Affected
70 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | iphone_os | <= 4.2.8 | — |
Detection & IOCs
- CVE-2011-0226 is an integer signedness error in FreeType's Type 1 font decoder (psaux/t1decode.c). Trigger vector is a crafted Type 1 font embedded in a PDF document delivered remotely; flag suspicious PDF files containing embedded Type 1 fonts for inspection.
- This vulnerability was actively exploited in the wild in July 2011; prioritize detection and patching on systems running FreeType versions prior to 2.4.6, particularly those processing untrusted PDF documents.
- The vulnerability affects FreeType's postscript Type 1 font parsing; monitor for application crashes or memory corruption in processes that invoke FreeType when rendering PDF documents containing Type 1 fonts.
- Red Hat Enterprise Linux 4 and 5 are listed as Not Affected for CVE-2011-0226; do not apply FreeType-specific mitigations for this CVE on those platforms.
- CVE-2011-0226 is a distinct vulnerability from CVE-2011-3256; ensure detection and patching efforts target the correct CVE: CVE-2011-0226 is fixed in FreeType 2.4.6, while CVE-2011-3256 requires 2.4.7.
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
ghsa · 5.9 MEDIUM
osv · 9.3 CRITICAL
vulncheck · 9.3 CRITICAL
vendor_debian · 9.3 CRITICAL
vendor_redhat · 9.3 CRITICAL
GHSA
GHSA-85gm-r6vh-gfc5: Integer signedness error in psaux/t1decode
ghsa_unreviewed·2022-05-17
CVE-2011-0226 [HIGH] GHSA-85gm-r6vh-gfc5: Integer signedness error in psaux/t1decode
Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.
GHSA
GHSA-mjq4-j36x-7h6p: FreeType 2 before 2
ghsa_unreviewed·2022-05-17·CVSS 9.3
CVE-2011-3256 [CRITICAL] CWE-94 GHSA-mjq4-j36x-7h6p: FreeType 2 before 2
FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5, Mandriva Enterprise Server 5, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font, a different vulnerability than CVE-2011-0226.
GHSA
Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J
ghsa·2022-05-14·CVSS 5.9
CVE-2015-0226 [MEDIUM] CWE-327 Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.
OSV
CVE-2011-3256: FreeType 2 before 2
osv·2011-10-14·CVSS 9.3
CVE-2011-3256 [CRITICAL] CVE-2011-3256: FreeType 2 before 2
FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5, Mandriva Enterprise Server 5, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font, a different vulnerability than CVE-2011-0226.
OSV
CVE-2011-0226: Integer signedness error in psaux/t1decode
osv·2011-07-19·CVSS 9.3
CVE-2011-0226 [CRITICAL] CVE-2011-0226: Integer signedness error in psaux/t1decode
Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.
VulnCheck
Apple iOS before 4.2.9 and 4.3.x before 4.3. CoreGraphics Remote Code Execution
vulncheck·2011·CVSS 9.3
CVE-2011-0226 [CRITICAL] Apple iOS before 4.2.9 and 4.3.x before 4.3. CoreGraphics Remote Code Execution
Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.
Affected: FreeType FreeType
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2011-0226; https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_pidief.smxz
Red Hat
wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)
vendor_redhat·2015-02-10·CVSS 5.9
CVE-2015-0226 [MEDIUM] CWE-327 wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.
It was found that a prior countermeasure in Apache WSS4J for Bleichenbacher's attack on XML Encryption (CVE-2011-2487) threw an exception that permitted an attacker to determine the failure of the attempted attack, thereby leaving WSS4J vulnerable to the attack. The original flaw allowed a remote attacker to recover the entire plain text f
Red Hat
freetype: FT_Bitmap_New integer overflow, FreeType TT_Vary_Get_Glyph_Deltas improper input validation
vendor_redhat·2011-10-12·CVSS 9.3
CVE-2011-3256 [CRITICAL] CWE-190 freetype: FT_Bitmap_New integer overflow, FreeType TT_Vary_Get_Glyph_Deltas improper input validation
FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5, Mandriva Enterprise Server 5, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font, a different vulnerability than CVE-2011-0226.
Ubuntu
FreeType vulnerability
vendor_ubuntu·2011-07-25
CVE-2011-0226 FreeType vulnerability
Title: FreeType vulnerability
Summary: FreeType could be made to run programs as your login if it opened a
specially crafted font file.
It was discovered that FreeType did not correctly handle certain malformed
Type 1 font files. If a user were tricked into using a specially crafted
font file, a remote attacker could cause FreeType to crash or possibly
execute arbitrary code with user privileges.
Instructions: After a standard system update you need to restart your session to make
all the necessary changes.
Red Hat
freetype: postscript type1 font parsing vulnerability
vendor_redhat·2011-07-08·CVSS 9.3
CVE-2011-0226 [CRITICAL] freetype: postscript type1 font parsing vulnerability
Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.
Package: freetype (Red Hat Enterprise Linux 4) - Not affected
Package: freetype (Red Hat Enterprise Linux 5) - Not affected
Debian
CVE-2011-0226: freetype - Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used i...
vendor_debian·2011·CVSS 9.3
CVE-2011-0226 [CRITICAL] CVE-2011-0226: freetype - Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used i...
Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011.
Scope: local
bookworm: resolved (fixed in 2.4.6-1)
bullseye: resolved (fixed in 2.4.6-1)
forky: resolved (fixed in 2.4.6-1)
sid: resolved (fixed in 2.4.6-1)
trixie: resolved (fixed in 2.4.6-1)
Debian
CVE-2011-3256: freetype - FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5, Mandriva...
vendor_debian·2011·CVSS 9.3
CVE-2011-3256 [CRITICAL] CVE-2011-3256: freetype - FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5, Mandriva...
FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5, Mandriva Enterprise Server 5, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font, a different vulnerability than CVE-2011-0226.
Scope: local
bookworm: resolved (fixed in 2.4.7-1)
bullseye: resolved (fixed in 2.4.7-1)
forky: resolved (fixed in 2.4.7-1)
sid: resolved (fixed in 2.4.7-1)
trixie: resolved (fixed in 2.4.7-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2011-0226 freetype: postscript type1 font parsing vulnerability [fedora-all]
bugzilla·2011-07-20·CVSS 9.3
CVE-2011-0226 [CRITICAL] CVE-2011-0226 freetype: postscript type1 font parsing vulnerability [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=722701
Please note: this issue affects mu
Bugzilla
CVE-2011-0226 freetype: postscript type1 font parsing vulnerability
bugzilla·2011-07-16·CVSS 9.3
CVE-2011-0226 [CRITICAL] CVE-2011-0226 freetype: postscript type1 font parsing vulnerability
The recent exploit for the iPhone is reported [1],[2] to be related to freetype's handling of postscript type1 fonts. This vulnerability is caused due to an error within the t1_decoder_parse_charstrings() function (src/psaux/t1decode.c) and can be exploited to corrupt memory by tricking a user into processing a specially-crafted postscript type1 font in an application that uses the freetype library. The report indicates that the vulnerability is in version 2.4.5, but at a quick glance it also looks like 2.3.11 is affected, but not 2.2.x.
Discussion is happening upstream with potential patches being discussed [3].
[1] http://secunia.com/advisories/45167
[2] http://lists.nongnu.org/archive/html/freetype-devel/2011-07/msg
References
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
- http://lists.apple.com/archives/security-announce/2011//Jul/msg00000.html
- http://lists.apple.com/archives/security-announce/2011//Jul/msg00001.html
- http://lists.nongnu.org/archive/html/freetype-devel/2011-07/msg00014.html
- http://lists.nongnu.org/archive/html/freetype-devel/2011-07/msg00015.html
- http://lists.nongnu.org/archive/html/freetype-devel/2011-07/msg00020.html
- http://lists.nongnu.org/archive/html/freetype-devel/2011-07/msg00026.html
- http://lists.nongnu.org/archive/html/freetype-devel/2011-07/msg00028.html
- http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00016.html
- http://secunia.com/advisories/45167
- http://secunia.com/advisories/45224
- http://support.apple.com/kb/HT4802
- http://support.apple.com/kb/HT4803
- http://support.apple.com/kb/HT5002
- http://www.appleinsider.com/articles/11/07/06/hackers_release_new_browser_based_ios_jailbreak_based_on_pdf_exploit.html
- http://www.debian.org/security/2011/dsa-2294
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:120
- http://www.redhat.com/support/errata/RHSA-2011-1085.html
- http://www.securityfocus.com/bid/48619