Type1
Xpdf runs under the X Window System on UNIX, VMS, and OS/2. The non-X
components (pdftops, pdftotext, etc.) also run on Win32 systems and
should run on pretty much any system with a decent C++ compiler.
Xpdf is designed to be small and efficient. It can use Type 1 or
TrueType fonts.
--[ Synopsis:
Debian-specific: no
CVE ID : CVE-2010-2642 CVE-2011-0433 CVE-2011-0764 CVE-2011-1552
CVE-2011-1553 CVE-2011-1554
Debian Bug : 652996
Several vulnerabilities were discovered in t1lib, a PostScript Type 1
font rasterizer library, some of which might lead to code execution
through the opening of files embedding bad fonts.
CVE-2010-2642
A heap-based buffer overflow in the AFM font metrics parser
Xpdf is an open-source viewer for Portable Document Format (PDF) files. The Xpdf project also includes
a PDF text extractor, PDF-to-PostScript converter, and various other utilities. Xpdf runs under
the X Window System on UNIX, VMS, and OS/2. The non-X components (pdftops, pdftotext, etc.) also
run on Win32 systems and should run on pretty much any system with a decent C++ compiler.
Xpdf is designed to be small and efficient. It can use Type 1, TrueType, or standard X fonts.
Details:
browser includes new security improvements such as a Cross Site Scripting
(XSS) filter. This version also includes a new object that safely allows
transferring data across domains, allowing them to interact with each other.
The Anti-XSS filter has been found to have some security holes in the
current implementation. Microsoft decided to filter "Type 1 XSS" which is
free text sent to the server being reflected to the user and therefore
injecting HTML code into the website's page. They chose not to handle
certain situations such as injection into a JavaScript tag space, which
would be extremely difficult to filter. The software giant also chose not
to filter injection into HTTP headers, which will drive hackers to focus on
Vulnerability class: Cross-Site Scripting
Severity: Medium
Vulnerability details:
Calcium web calendar is vulnerable to "reflected" (type 1) cross-site scripting (XSS). For a discussion of the various types of XSS, and XSS in general, see
http://en.wikipedia.org/wiki/Cross_Site_Scripting
Proof of concept, version 4.0.4:
https://[yourserver]/cgi-bin/Calcium40.pl?Op=ShowIt&CalendarName=XSS_%3Cbody%20onload=alert(document.cookie)%3E_here
Several vulnerabilities were identified in the CMC-TC PU II web
interface. These include XSS Type I, XSS Type II, weak session
management and insecure default configuration.
XSS Type 1:
-----------
The web application fails to validate and/or HTML-encode user input when
handling erroneous requests. This allows an attacker to inject HTML and
client-side scripts into the victim's browser by creating suitable links.
The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5,
allows context-dependent attackers to cause a denial of service (crash)
via unknown vectors that trigger an uninitialized pointer dereference
(CVE-2010-3702).
The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser
in xpdf before 3.02pl5, allows context-dependent attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a PDF
file with a crafted Type1 font that contains a negative array index,
which bypasses input validation and which triggers memory corruption
(CVE-2010-3704).
The Gfx::getPos function in the PDF parser in poppler, allows
context-dependent attackers to cause a denial of service (crash)
via unknown vectors that trigger an uninitialized pointer dereference
(CVE-2010-3702).
The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser
in poppler, allows context-dependent attackers to cause a denial
of service (crash) and possibly execute arbitrary code via a PDF
file with a crafted Type1 font that contains a negative array index,
which bypasses input validation and which triggers memory corruption
(CVE-2010-3704).
Remote exploitation of an integer overflow vulnerability in Apple Inc.'s
Mac OS X could allow an attacker to execute arbitrary code with the
privileges of the currently logged in user.
This vulnerability exists due to the way PDF files containing Type 1
fonts are handled. When processing a font with an overly large length,
integer overflow could occur. This issue leads to heap corruption which
can allow for arbitrary code execution.
III. ANALYSIS
CVE-2010-2808
Buffer overflow in the Mac_Read_POST_Resource function in
base/ftobjs.c in FreeType allows remote attackers to cause a denial
of service (memory corruption and application crash) or possibly
execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka
LWFN) font.
CVE-2010-3053
bdf/bdflib.c in FreeType allows remote attackers to cause a denial of
1) SSH/Telnet to router using one of these hidden accounts:
support:support
user:5
nobody:admin
2) Type 9
3) Type 1
3) Type 3 to dump the configuration
4) Locate the sysPassword field:
<sysPassword value="cXdlcnR5Cg=="/>
5) Decode the admin password:
roland@hp6720s:~$ echo -ne "cXdlcnR5Cg==" | base64 -d
Mallory</a>' from Web at IP 1.2.3.4</TD>
Entries from event log are also displayed on the AMM Service
Data page.
Type 1:
-------
File manager displays user input on the page "as is".
Successful exploitation requires social engineering
an authenticated administrator to visit the hostile URL.
util.printf JavaScript function that incorrectly handles the format
string argument (CVE-2008-2992).
* Greg MacManus of iDefense Labs reported an array index error that
can be leveraged for an out-of-bounds write, related to parsing of
Type 1 fonts (CVE-2008-4812).
* Javier Vicente Vallejo and Peter Vreugdenhil, via Zero Day
Initiative, reported multiple unspecified memory corruption
vulnerabilities (CVE-2008-4813).
font file (CVE-2010-2807).
Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c
in FreeType before 2.4.2 allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN)
font (CVE-2010-2808).
bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause
a denial of service (application crash) via a crafted BDF font file,
related to an attempted modification of a value in a static string
execution of arbitrary code.
Background
==========
T1Lib is a library for rasterizing bitmaps from Adobe Type 1 fonts.
Affected packages
=================
-------------------------------------------------------------------
the CPU's time introducing a Denial of Service condition.
Details
*******
Once a client connects to the database process and performs protocol
negotiation (TNS packet type 1) and data type representations (packet type 2),
it may then send packets of type 6 - Data packets. If the server gets a
packet with the 2nd bit of the Data flags set, then the server runs at
100% CPU:
"\x00\x1D" // Packet Size
The Gfx::getPos function in the PDF parser in kdegraphics, allows
context-dependent attackers to cause a denial of service (crash)
via unknown vectors that trigger an uninitialized pointer dereference
(CVE-2010-3702).
The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser
in kdegraphics, allows context-dependent attackers to cause a denial
of service (crash) and possibly execute arbitrary code via a PDF
file with a crafted Type1 font that contains a negative array index,
which bypasses input validation and which triggers memory corruption
(CVE-2010-3704).
Debian-specific: no
CVE ID : CVE-2011-0226
Debian Bug : 635871
It was discovered that insufficient input sanitizing in Freetype's code to
parse Type1 could lead to the execution of arbitrary code.
For the oldstable distribution (lenny), this problem has been fixed in
version 2.3.7-2+lenny6.
For the stable distribution (squeeze), this problem has been fixed in
poppler/Function.cc in the PDF parser in poppler, allows
context-dependent attackers to cause a denial of service (crash)
via a PDF file that triggers an uninitialized pointer dereference
(CVE-2010-3703).
The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser
in poppler, allows context-dependent attackers to cause a denial
of service (crash) and possibly execute arbitrary code via a PDF
file with a crafted Type1 font that contains a negative array index,
which bypasses input validation and which triggers memory corruption
(CVE-2010-3704).
The parameter "type" is used to distinguish between users, CA and host
certificates. Unfortunately, this parameter is passed to the following
code without input validation at all:
<-- cut here -->
TYPE="$1"
cd "$SSLDIR/certs" || exit 1
ls *_${TYPE}.pem |awk -F"_$TYPE.pem" -v"TYPE=$TYPE" '{
<-- cut here -->
An aggressor may easily escape the hardcoded commands, adding arbitrary