CVE-2008-1808

FreeType off-by-one flaws

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow.

Múltiples errores de superación de límite (off-by-one) en FreeType2 antes de 2.3.6 permite a atacantes dependientes del contexto ejecutar código arbitrario mediante (1) una tabla manipulada en un archivo Printer Font Binary (PFB) o (2) una instrucción SHC manipulada en un archivo TrueType Font (TTF), lo que dispara un desbordamiento de búfer basado en montículo.

Multiple vulnerabilities were discovered in FreeType's Printer Font Binary (PFB) font-file format parser. If a user were to load a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or potentially execute arbitrary code. The updated packages have been patched to prevent this issue. The patches used to correct the problem on Corporate Server 4.0 and Corporate 3.0 contained a problem where certain fonts would not be displayed and would cause applications, such as drakfont, to crash. This update corrects the regression.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2008-04-15 CVE Reserved
2008-06-11 CVE Published
2024-08-07 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-189: Numeric Errors
CWE-193: Off-by-one Error

CAPEC

References (61)

URL	Tag	Source
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=717	Third Party Advisory
http://lists.grok.org.uk/pipermail/full-disclosure/2008-August/064118.html	Mailing List
http://secunia.com/advisories/30721	Third Party Advisory
http://secunia.com/advisories/30740	Third Party Advisory
http://secunia.com/advisories/30766	Third Party Advisory
http://secunia.com/advisories/30819	Third Party Advisory
http://secunia.com/advisories/30821	Third Party Advisory
http://secunia.com/advisories/30967	Third Party Advisory
http://secunia.com/advisories/31479	Third Party Advisory
http://secunia.com/advisories/31577	Third Party Advisory
http://secunia.com/advisories/31707	Third Party Advisory
http://secunia.com/advisories/31709	Third Party Advisory
http://secunia.com/advisories/31711	Third Party Advisory
http://secunia.com/advisories/31712	Third Party Advisory
http://secunia.com/advisories/31823	Third Party Advisory
http://secunia.com/advisories/31856	Third Party Advisory
http://secunia.com/advisories/31900	Third Party Advisory
http://secunia.com/advisories/33937	Third Party Advisory
http://secunia.com/advisories/35204	Third Party Advisory
http://securitytracker.com/id?1020240	Vdb Entry
http://sourceforge.net/project/shownotes.php?group_id=3157&release_id=605780	X_refsource_misc
http://support.apple.com/kb/HT3026	X_refsource_confirm
http://support.apple.com/kb/HT3129	X_refsource_confirm
http://support.apple.com/kb/HT3438	X_refsource_confirm
http://support.avaya.com/elmodocs2/security/ASA-2008-318.htm	X_refsource_confirm
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0255	X_refsource_confirm
http://www.securityfocus.com/archive/1/495497/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/495869/100/0/threaded	Mailing List
http://www.vmware.com/security/advisories/VMSA-2008-0014.html	X_refsource_confirm
http://www.vmware.com/support/player/doc/releasenotes_player.html	X_refsource_confirm
http://www.vmware.com/support/player2/doc/releasenotes_player2.html	X_refsource_confirm
http://www.vmware.com/support/server/doc/releasenotes_server.html	X_refsource_confirm
http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html	X_refsource_confirm
http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html	X_refsource_confirm
http://www.vupen.com/english/advisories/2008/1794	Vdb Entry
http://www.vupen.com/english/advisories/2008/1876/references	Vdb Entry
http://www.vupen.com/english/advisories/2008/2423	Vdb Entry
http://www.vupen.com/english/advisories/2008/2466	Vdb Entry
http://www.vupen.com/english/advisories/2008/2525	Vdb Entry
http://www.vupen.com/english/advisories/2008/2558	Vdb Entry
https://issues.rpath.com/browse/RPL-2608	X_refsource_confirm
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11188	Signature

URL	Date	SRC

URL	Date	SRC
http://www.securityfocus.com/bid/29637	2021-01-26
http://www.securityfocus.com/bid/29639	2021-01-26

URL	Date	SRC
http://lists.apple.com/archives/security-announce//2008/Sep/msg00003.html	2021-01-26
http://lists.apple.com/archives/security-announce//2008/Sep/msg00004.html	2021-01-26
http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html	2021-01-26
http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html	2021-01-26
http://secunia.com/advisories/30600	2021-01-26
http://security.gentoo.org/glsa/glsa-200806-10.xml	2021-01-26
http://security.gentoo.org/glsa/glsa-201209-25.xml	2021-01-26
http://sunsolve.sun.com/search/document.do?assetkey=1-26-239006-1	2021-01-26
http://www.mandriva.com/security/advisories?name=MDVSA-2008:121	2021-01-26
http://www.redhat.com/support/errata/RHSA-2008-0556.html	2021-01-26
http://www.redhat.com/support/errata/RHSA-2008-0558.html	2021-01-26
http://www.redhat.com/support/errata/RHSA-2009-0329.html	2021-01-26
http://www.ubuntu.com/usn/usn-643-1	2021-01-26
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00717.html	2021-01-26
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00721.html	2021-01-26
https://access.redhat.com/security/cve/CVE-2008-1808	2009-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=450774	2009-05-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Freetype Search vendor "Freetype"		Freetype Search vendor "Freetype" for product "Freetype"				1.3.1 Search vendor "Freetype" for product "Freetype" and version "1.3.1"		-		Affected
Freetype Search vendor "Freetype"		Freetype Search vendor "Freetype" for product "Freetype"				2.0.6 Search vendor "Freetype" for product "Freetype" and version "2.0.6"		-		Affected
Freetype Search vendor "Freetype"		Freetype Search vendor "Freetype" for product "Freetype"				2.0.9 Search vendor "Freetype" for product "Freetype" and version "2.0.9"		-		Affected
Freetype Search vendor "Freetype"		Freetype Search vendor "Freetype" for product "Freetype"				2.1.7 Search vendor "Freetype" for product "Freetype" and version "2.1.7"		-		Affected
Freetype Search vendor "Freetype"		Freetype Search vendor "Freetype" for product "Freetype"				2.1.9 Search vendor "Freetype" for product "Freetype" and version "2.1.9"		-		Affected
Freetype Search vendor "Freetype"		Freetype Search vendor "Freetype" for product "Freetype"				2.1.10 Search vendor "Freetype" for product "Freetype" and version "2.1.10"		-		Affected
Freetype Search vendor "Freetype"		Freetype Search vendor "Freetype" for product "Freetype"				2.2.0 Search vendor "Freetype" for product "Freetype" and version "2.2.0"		-		Affected
Freetype Search vendor "Freetype"		Freetype Search vendor "Freetype" for product "Freetype"				2.2.1 Search vendor "Freetype" for product "Freetype" and version "2.2.1"		-		Affected
Freetype Search vendor "Freetype"		Freetype Search vendor "Freetype" for product "Freetype"				2.2.10 Search vendor "Freetype" for product "Freetype" and version "2.2.10"		-		Affected
Freetype Search vendor "Freetype"		Freetype Search vendor "Freetype" for product "Freetype"				2.3.3 Search vendor "Freetype" for product "Freetype" and version "2.3.3"		-		Affected
Freetype Search vendor "Freetype"		Freetype Search vendor "Freetype" for product "Freetype"				2.3.4 Search vendor "Freetype" for product "Freetype" and version "2.3.4"		-		Affected
Freetype Search vendor "Freetype"		Freetype Search vendor "Freetype" for product "Freetype"				2.3.5 Search vendor "Freetype" for product "Freetype" and version "2.3.5"		-		Affected