CVE-2021-28067

FNT_Size_Request is an internal font-loading function that is called when a user requests a font. The function receives the main memory address of the font as input and returns the size of the loaded font in main memory. When the function receives an invalid main memory address, it crashes the program with a SIGSEGV error. The vulnerability was discovered in commit 53dfdcd8198d2b3201a23c4bad9190519ba918db. The vulnerable function received a negative value for the size input, and the function call was still executed, leading to a crash. The crash occurred in libfreetype. When a user sent an input value less than 0, the function received an invalid main memory address and caused a SIGSEGV error. Security researchers discovered that libfreetype had another vulnerable function in commit 02b9451067d1d8f633c118f7a5c51fc61a48e1. The function FNT_Get_Size_Ex could be used to send an invalid main memory address to cause a SIGSEGV error. libfreetype was not the only library that had these vulnerabilities. Other libraries that had a similar function for font loading were also affected, including freetype, pangolin, t1lib, and harfbuzz.

Freetype Library Vulnerability

The vulnerabilities in the libfreetype library did not allow for privilege escalation, but they could be exploited to crash the program. There was also a second vulnerability in FNT_Size_Request that could be used to cause a SIGSEGV error. The CVE-2022-27405 vulnerability was discovered by researchers at Cisco Talos, and it affected the version of FreeType 2.9.2 included in Ubuntu 17.10 and earlier versions of Ubuntu. The vendor released an update for the vulnerable libraries on November 25, 2017 that patched these two vulnerabilities as well as many other vulnerabilities, including those in the harfbuzz library.
The original report can be found on this page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27405

Timeline

Published on: 04/22/2022 14:15:00 UTC
Last modified on: 07/27/2022 16:04:00 UTC
