An out-of heap-based buffer read flaw was found in the way TrueType bytecode / opcode interpreter of FreeType font rendering engine executed the 'Move Indirect Relative Point' (MIRP) instruction. A remote attacker could provide a specially-crafted font file, which once opened in an application linked against FreeType would lead to that application crash.
Upstream bug report:
Red Hat would like to thank Mateusz Jurczyk of the Google Security Team for reporting this issue.
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/06/16
This flaw is in the TrueType bytecode interpreter (BCI) implementation. BCI is not enabled in Red Hat Enterprise Linux 4, 5, and 6 freetype packages (it was disabled by default upstream because of the patent concerns). BCI support is now enabled by default in upstream versions 2.4 and later, as relevant patents expired: http://www.freetype.org/patents.html
Not vulnerable. This issue did not affect freetype packages as shipped with Red Hat Enterprise Linux 5 and 6, as they do not enable TrueType bytecode interpreter.