Robert Swiecki reported a possibly exploitable write to non-mapped memory in the way freetype handles certain fonts [1]. The original report has two sample font files that caused the tested version to crash with a SIGSEGV (sigsegv16.pfb) and SIGABRT (sigabrt24.ttf). When reproducing, observed behaviour was:

RHEL3 (freetype 2.1.4): pass on both files
RHEL4 (freetype 2.1.9): crashes (segfault) on both files
RHEL5 (freetype 2.2.1): crashes (segfault) on sigsegv16.pfb only
Fedora (freetype 2.3.11): crashes (segfault) on sigsegv16.pfb only

The upstream bug report claims this may be potentially exploitable for more than just a crash. A patch was posted to correct the issue [2]. This needs to be looked at to determine whether or not this can be exploited to execute arbitrary code.

[1] http://savannah.nongnu.org/bugs/index.php?30248
[2] http://savannah.nongnu.org/bugs/download.php?file_id=20815
There are actually 21 crashes reported upstream: http://savannah.nongnu.org/bugs/index.php?go_report=Apply&group=freetype&func=browse&set=custom&msort=0&report_id=100&advsrch=0&status_id=0&resolution_id=0&assigned_to=0&bug_group_id=0&history_search=0&history_field=0&history_event=modified&history_date_dayfd=2&history_date_monthfd=7&history_date_yearfd=2010&chunksz=50&spamscore=5&boxoptionwanted=1#options

Roughly half of these are NULL pointer derefs or stack exhaustion. This bug, and bug 30083, were noted as being higher risk.
I'm going to close this bug and file individual bugs for each freetype flaw found (there are several).