A stack-based buffer overflow was found in the way the FreeType font rendering engine processed certain Adobe Type 1 Mac Font File (LWFN) fonts. An attacker could use this flaw to create a specially crafted font file that, when opened, would cause an application linked against libfreetype to crash or, possibly, execute arbitrary code.

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?30658

Public reproducer:
[2] http://alt.swiecki.net/j/f/sigsegv31.ttf

Upstream changeset:
[3] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=81f3472c0ba7b8f6466e2e214fa8c1c17fade975

Credit: Robert Swiecki
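The comment above names the bug class (a length taken from the font file drives a copy into a fixed-size stack buffer) but not the code shape. The following is an added illustration written for this page; it is not FreeType's code and does not reproduce the LWFN/POST resource layout or the upstream fix. The record format (a 2-byte big-endian length followed by payload), the `CHUNK_MAX` buffer size, and all function names are assumptions made for the example. It shows the unchecked copy beside the hardened version that refuses any record whose declared length exceeds the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example only (NOT FreeType's
 * LWFN/POST format): 2-byte big-endian length, then that many payload
 * bytes. The parser copies the payload into an on-stack scratch buffer. */
#define CHUNK_MAX 64

/* Build a record whose header claims `declared` bytes and which actually
 * carries `payload_len` bytes of 0x41. Letting the two disagree, or letting
 * both exceed CHUNK_MAX, models a crafted font file. Returns the record
 * size, or 0 if `out` cannot hold it. */
size_t build_record(uint8_t *out, size_t out_cap,
                    uint16_t declared, size_t payload_len)
{
    if (out_cap < 2 + payload_len)
        return 0;
    out[0] = (uint8_t)(declared >> 8);
    out[1] = (uint8_t)(declared & 0xff);
    memset(out + 2, 0x41, payload_len);
    return 2 + payload_len;
}

/* Vulnerable shape: the file-supplied length is checked against the
 * *source* (so the read stays in bounds) but never against the size of
 * the *destination* stack buffer. A header claiming more than CHUNK_MAX
 * bytes makes memcpy write past `scratch`: a stack-based buffer overflow.
 * Kept only for comparison; never call it on untrusted input. */
long chunk_checksum_unchecked(const uint8_t *rec, size_t rec_len)
{
    uint8_t scratch[CHUNK_MAX];
    long sum = 0;
    size_t len, i;

    if (rec_len < 2)
        return -1;
    len = ((size_t)rec[0] << 8) | rec[1];
    if (len > rec_len - 2)
        return -1;                     /* source bound only */
    memcpy(scratch, rec + 2, len);     /* BUG: len may exceed CHUNK_MAX */
    for (i = 0; i < len; i++)
        sum += scratch[i];
    return sum;
}

/* Hardened shape: reject the record before copying if the declared length
 * exceeds either the remaining input or the destination buffer.
 * Returns the payload checksum, or -1 for a malformed/oversized record. */
long chunk_checksum_checked(const uint8_t *rec, size_t rec_len)
{
    uint8_t scratch[CHUNK_MAX];
    long sum = 0;
    size_t len, i;

    if (rec_len < 2)
        return -1;
    len = ((size_t)rec[0] << 8) | rec[1];
    if (len > rec_len - 2)
        return -1;                     /* would read past the input */
    if (len > sizeof scratch)
        return -1;                     /* would write past the buffer */
    memcpy(scratch, rec + 2, len);
    for (i = 0; i < len; i++)
        sum += scratch[i];
    return sum;
}

/* Build a record with the given header/payload sizes and run the checked
 * parser on it. Returns -2 if the record itself could not be built. */
long checked_result(uint16_t declared, size_t payload_len)
{
    uint8_t buf[1024];
    size_t n = build_record(buf, sizeof buf, declared, payload_len);
    return n ? chunk_checksum_checked(buf, n) : -2;
}

/* Same for the unchecked parser; only safe for payload_len <= CHUNK_MAX. */
long unchecked_result(uint16_t declared, size_t payload_len)
{
    uint8_t buf[1024];
    size_t n = build_record(buf, sizeof buf, declared, payload_len);
    return n ? chunk_checksum_unchecked(buf, n) : -2;
}

int main(void)
{
    printf("well-formed 16-byte record: checked=%ld unchecked=%ld\n",
           checked_result(16, 16), unchecked_result(16, 16));
    printf("crafted 300-byte record: checked=%ld (rejected)\n",
           checked_result(300, 300));
    /* unchecked_result(300, 300) would smash the stack here. */
    return 0;
}
```

The only difference between the two parsers is the `len > sizeof scratch` test, which is the kind of missing destination-size check that turns a parsing bug into a stack overwrite; the unchecked variant is kept callable so the contrast is visible, but it must only ever be fed input that fits in `CHUNK_MAX`.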
This issue does NOT affect the version of the freetype package as shipped with Red Hat Enterprise Linux 3. This issue affects the versions of the freetype package as shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the freetype package as shipped with Fedora releases 12 and 13.
Created attachment 437146: Proposed upstream patch
Created attachment 437147: Local copy of the reproducer
The CVE identifier of CVE-2010-2808 has been assigned to this.
Created freetype tracking bugs for this issue

Affects: fedora-all [bug 638522]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2010:0737 https://rhn.redhat.com/errata/RHSA-2010-0737.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2010:0864 https://rhn.redhat.com/errata/RHSA-2010-0864.html