Headline
Ubuntu Security Notice USN-6062-1
Ubuntu Security Notice 6062-1 - It was discovered that FreeType incorrectly handled certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash, or possibly execute arbitrary code.
=========================================================================
Ubuntu Security Notice USN-6062-1
May 09, 2023
freetype vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
FreeType could be made to crash or possibly execute arbitrary
code if it opened a specially crafted font file.
Software Description:
- freetype: FreeType 2 is a font engine library
Details:
It was discovered that FreeType incorrectly handled certain malformed
font files. If a user were tricked into using a specially crafted font
file, a remote attacker could cause FreeType to crash, or possibly execute
arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
libfreetype6 2.12.1+dfsg-4ubuntu0.1
Ubuntu 22.10:
libfreetype6 2.12.1+dfsg-3ubuntu0.1
Ubuntu 22.04 LTS:
libfreetype6 2.11.1+dfsg-1ubuntu0.2
Ubuntu 20.04 LTS:
libfreetype6 2.10.1-2ubuntu0.3
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6062-1
CVE-2023-2004
Package Information:
https://launchpad.net/ubuntu/+source/freetype/2.12.1+dfsg-4ubuntu0.1
https://launchpad.net/ubuntu/+source/freetype/2.12.1+dfsg-3ubuntu0.1
https://launchpad.net/ubuntu/+source/freetype/2.11.1+dfsg-1ubuntu0.2
https://launchpad.net/ubuntu/+source/freetype/2.10.1-2ubuntu0.3
Related news
Gentoo Linux Security Advisory 202402-6 - Multiple vulnerabilities have been discovered in FreeType, the worst of which can lead to remote code execution. Versions greater than or equal to 2.13.0 are affected.
Red Hat Security Advisory 2023-5745-01 - The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. This release of the Red Hat build of OpenJDK 17 for portable Linux serves as a replacement for the Red Hat build of OpenJDK 17 and includes security and bug fixes, and enhancements. Issues addressed include an integer overflow vulnerability.
An integer overflow vulnerability was discovered in Freetype in tt_hvadvance_adjust() function in src/truetype/ttgxvar.c.