An integer overflow flaw was found in FreeType's PFB processor.
According to the advisory:
The vulnerability exists within the code responsible for parsing Printer Font
Binary (PFB) format font files. PFB files contain a section known as the
"Private" dictionary table which is used to describe how characters are
constructed. When parsing this data structure, a series of 16-bit length
values are read in from the file. These values are added together and used to
allocate a dynamic buffer. The addition can result in an integer overflow,
which subsequently leads to a heap overflow.
Created attachment 308965 [details]
Patch extracted from upstream
This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and
Parts of the patch (seems to be TTF part of the CVE-2008-1808) also seem to
apply to freetype1 shipped in Fedora. freetype1 only seems to be used by
MagicPoint, which probably does not load arbitrary font files.
freetype-2.3.5-4.fc8 has been submitted as an update for Fedora 8
freetype-2.3.5-6.fc9 has been submitted as an update for Fedora 9
freetype-2.3.5-6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
freetype-2.3.5-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: