An array index error, leading to a heap-based buffer overflow, was found in the way the FreeType font rendering engine processed FontType42 font files with a negative length of certain special font name table strings. An attacker could use this flaw to create a specially-crafted font file (which bypasses a size check and triggers a heap-based buffer overflow). Such a file, when opened, would cause an application linked against libfreetype to crash or possibly execute arbitrary code.

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?30656

Public reproducer:
[2] http://alt.swiecki.net/j/f/sigsegv29.ttf

Upstream changeset:
[3] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c06da1ad34663da7b6fc39b030dc3ae185b96557
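The comment above describes the bug class only in outline: a length field read as a signed value, a size check that a negative value slips past, and the length then used to size a heap copy. The following is an added illustration of that pattern, constructed for this page; it is not the reporter's proof of concept and not FreeType's Type42 parser. The record layout (a 4-byte big-endian signed length followed by the string bytes), the `NAME_MAX` capacity and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in the report: a length field
 * parsed as a signed integer, a size check that tests only the upper bound,
 * and the length then sizing a copy into a fixed heap buffer. This is not
 * FreeType's Type42 parser; the record layout (4-byte big-endian signed
 * length followed by the string bytes) is assumed for the example. */

#define NAME_MAX 32            /* capacity of the heap buffer the string is copied into */

struct name_rec {
    const unsigned char *data; /* record bytes */
    size_t size;               /* bytes available in the record */
};

/* Read the length field as a signed 32-bit value into a long, the way a
 * parser that declares the field as a signed type would see it. */
static long rec_length(const struct name_rec *r)
{
    if (r->size < 4)
        return -1;
    uint32_t u = ((uint32_t)r->data[0] << 24) | ((uint32_t)r->data[1] << 16) |
                 ((uint32_t)r->data[2] << 8)  |  (uint32_t)r->data[3];
    return (long)(int32_t)u;
}

/* Vulnerable check: only "too large" is rejected, so a negative length
 * passes. Returns 1 if the record would be accepted. */
int vulnerable_accepts(const struct name_rec *r)
{
    long len = rec_length(r);
    return len > NAME_MAX ? 0 : 1;   /* -16 > 32 is false: accepted */
}

/* What the accepted length becomes when it reaches memcpy() or an array
 * index: the implicit conversion to size_t turns -16 into SIZE_MAX - 15. */
size_t copy_size_seen_by_memcpy(const struct name_rec *r)
{
    return (size_t)rec_length(r);
}

/* Hardened check: reject negative lengths, lengths beyond the destination
 * capacity, and lengths that run past the end of the record. */
int hardened_accepts(const struct name_rec *r)
{
    long len = rec_length(r);
    if (len < 0 || len > NAME_MAX)
        return 0;
    if ((size_t)len > r->size - 4)   /* size >= 4 is guaranteed once len >= 0 */
        return 0;
    return 1;
}

/* Copy the string into a NUL-terminated heap buffer, using the hardened
 * check. Returns NULL when the record is rejected; the caller frees it. */
char *copy_name(const struct name_rec *r)
{
    if (!hardened_accepts(r))
        return NULL;
    size_t len = (size_t)rec_length(r);
    char *buf = malloc(NAME_MAX + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, r->data + 4, len);
    buf[len] = '\0';
    return buf;
}

/* Constructed sample records: a well-formed 5-byte name and one whose
 * length field decodes to -16. */
static const unsigned char good_bytes[] = { 0x00, 0x00, 0x00, 0x05, 'H', 'e', 'l', 'l', 'o' };
static const unsigned char bad_bytes[]  = { 0xFF, 0xFF, 0xFF, 0xF0, 'X' };
const struct name_rec GOOD_REC = { good_bytes, sizeof good_bytes };
const struct name_rec BAD_REC  = { bad_bytes,  sizeof bad_bytes  };

int main(void)
{
    char *name = copy_name(&GOOD_REC);
    printf("good record: vulnerable=%d hardened=%d copied=\"%s\"\n",
           vulnerable_accepts(&GOOD_REC), hardened_accepts(&GOOD_REC), name);
    free(name);
    printf("bad record:  vulnerable=%d hardened=%d memcpy size would be %zu\n",
           vulnerable_accepts(&BAD_REC), hardened_accepts(&BAD_REC),
           copy_size_seen_by_memcpy(&BAD_REC));
    return 0;
}
```

The point of `copy_size_seen_by_memcpy` is that the bypass is not the negative number itself but its conversion: once a `long` of -16 reaches a `size_t` parameter or an index expression, it becomes a value near `SIZE_MAX`, so the copy runs far past the allocation. The hardened check therefore has to reject `len < 0` explicitly and bound the length against both the destination capacity and the bytes actually present in the record.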
Created attachment 437208: Local copy of the PoC from Robert Swiecki
Created attachment 437209: Upstream Savannah bug #30656 patch
This issue affects the versions of the freetype package as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue affects the versions of the freetype package as shipped with Fedora releases 12 and 13.
The CVE identifier of CVE-2010-2806 has been assigned to this.
Created freetype tracking bugs for this issue

Affects: fedora-all [bug 638522]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 3

Via RHSA-2010:0736 https://rhn.redhat.com/errata/RHSA-2010-0736.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2010:0737 https://rhn.redhat.com/errata/RHSA-2010-0737.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2010:0864 https://rhn.redhat.com/errata/RHSA-2010-0864.html