An out-of-bounds heap buffer read flaw was found in the way the TrueType bytecode (opcode) interpreter of the FreeType font rendering engine executed the 'Move Indirect Relative Point' (MIRP) instruction. A remote attacker could provide a specially crafted font file which, once opened in an application linked against FreeType, would cause that application to crash.
Upstream bug report: [1] https://savannah.nongnu.org/bugs/?35646
Upstream patch: [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a33c013fe2dc6e65de2879682201d9c155292349
Acknowledgements: Red Hat would like to thank Mateusz Jurczyk of the Google Security Team for reporting this issue.
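The following is an added illustrative model of the bug class described above; it is not FreeType's code and does not reproduce the upstream patch. A MIRP-style instruction takes its point and control-value-table (CVT) indices from the interpreter stack, i.e. directly from bytecode embedded in the font file, so those indices are attacker-controlled. The Zone, Cvt and MirpOperands types, the mirp_unchecked/mirp_checked functions and the sample coordinates are all constructed for this example. The unchecked variant indexes the heap-backed point and CVT arrays with whatever the font supplies, which is how a crafted font can make the interpreter read past the end of a heap buffer; the hardened variant validates every index before touching memory and refuses the instruction otherwise.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a glyph zone: heap-allocated outline points plus their count. */
typedef struct {
    int32_t *x;          /* x coordinates of the outline points */
    size_t   n_points;
} Zone;

/* Model of the font's control value table (CVT). */
typedef struct {
    int32_t *values;
    size_t   size;
} Cvt;

/* Operands of a MIRP-like instruction. In a real interpreter they are
 * popped from the interpreter stack, i.e. they come straight from the
 * bytecode in the font file, so the attacker chooses them. */
typedef struct {
    uint32_t point;      /* point to move */
    uint32_t rp0;        /* reference point it is moved relative to */
    uint32_t cvt_entry;  /* CVT entry holding the desired distance */
} MirpOperands;

/* Unchecked variant: every index is trusted. A crafted font that sets
 * rp0 or cvt_entry past the end of the heap buffers makes the interpreter
 * read out of bounds (and, because the point is then moved, write as well). */
void mirp_unchecked(Zone *zone, const Cvt *cvt, const MirpOperands *op)
{
    int32_t distance = cvt->values[op->cvt_entry];
    zone->x[op->point] = zone->x[op->rp0] + distance;
}

/* Hardened variant: validate every index before dereferencing anything.
 * Returns 0 on success and -1 (reject the instruction) on an invalid
 * reference, leaving the zone untouched. */
int mirp_checked(Zone *zone, const Cvt *cvt, const MirpOperands *op)
{
    if (op->point >= zone->n_points || op->rp0 >= zone->n_points ||
        op->cvt_entry >= cvt->size)
        return -1;
    int32_t distance = cvt->values[op->cvt_entry];
    zone->x[op->point] = zone->x[op->rp0] + distance;
    return 0;
}

/* Runs the hardened variant over a constructed 4-point zone and 2-entry
 * CVT with the given operands. On success the moved point's new x is
 * stored in *out_x. */
int run_mirp(uint32_t point, uint32_t rp0, uint32_t cvt_entry, int32_t *out_x)
{
    int32_t xs[4] = { 0, 10, 20, 30 };   /* constructed point coordinates */
    int32_t cv[2] = { 5, -3 };           /* constructed CVT values */
    Zone zone = { xs, 4 };
    Cvt  cvt  = { cv, 2 };
    MirpOperands op = { point, rp0, cvt_entry };
    int rc = mirp_checked(&zone, &cvt, &op);
    if (rc == 0 && out_x != NULL)
        *out_x = xs[point];
    return rc;
}

int main(void)
{
    int32_t x = 0;
    if (run_mirp(2, 1, 0, &x) == 0)
        printf("point 2 moved to x=%d\n", x);
    if (run_mirp(7, 1, 0, &x) != 0)
        printf("rejected: point index 7 is outside the 4-point zone\n");
    if (run_mirp(2, 1, 9, &x) != 0)
        printf("rejected: CVT index 9 is outside the 2-entry table\n");
    return 0;
}
```

The check has to precede the first dereference of any font-supplied index; a check that runs only in an optional "pedantic" mode, or only after the value has already been read, still leaves the out-of-bounds read reachable from a crafted font.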
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/06/16
This flaw is in the TrueType bytecode interpreter (BCI) implementation. BCI is not enabled in the Red Hat Enterprise Linux 4, 5, and 6 freetype packages (it was disabled by default upstream because of patent concerns). BCI support is now enabled by default in upstream versions 2.4 and later, as the relevant patents expired: http://www.freetype.org/patents.html
Statement: Not vulnerable. This issue did not affect the freetype packages as shipped with Red Hat Enterprise Linux 5 and 6, as they do not enable the TrueType bytecode interpreter.