An integer overflow flaw was found in FreeType's PFB processor. According to the advisory: The vulnerability exists within the code responsible for parsing Printer Font Binary (PFB) format font files. PFB files contain a section known as the "Private" dictionary table which is used to describe how characters are constructed. When parsing this data structure, a series of 16-bit length values are read in from the file. These values are added together and used to allocate a dynamic buffer. The addition can result in an integer overflow, which subsequently leads to a heap overflow.
Created attachment 308965 [details] Patch extracted from upstream This patch contains the fixes for CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808
Parts of the patch (seems to be TTF part of the CVE-2008-1808) also seem to apply to freetype1 shipped in Fedora. freetype1 only seems to be used by MagicPoint, which probably does not load arbitrary font files.
freetype-2.3.5-4.fc8 has been submitted as an update for Fedora 8
freetype-2.3.5-6.fc9 has been submitted as an update for Fedora 9
freetype-2.3.5-6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
freetype-2.3.5-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0558.html http://rhn.redhat.com/errata/RHSA-2008-0556.html Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-5430 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5425