Marc Schoenefeld found an input stream position error in the way the FreeType font rendering engine processed input file streams. If a user loaded a specially-crafted font file with an application linked against FreeType and relevant font glyphs were subsequently rendered with the X FreeType library (libXft), it could cause the application to crash or, possibly, execute arbitrary code (integer overflow leading to heap-based buffer overflow in the libXft library) with the privileges of the user running the application. Different vulnerability than CVE-2010-1797.

Affected versions: freetype-2.3 and before that.
Latest upstream version (2.4) is not affected.
Created freetype tracking bugs for this issue
Affects: fedora-all [bug 638522]
This issue has been addressed in the following products: Red Hat Enterprise Linux 3
Via RHSA-2010:0736 https://rhn.redhat.com/errata/RHSA-2010-0736.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5
Via RHSA-2010:0737 https://rhn.redhat.com/errata/RHSA-2010-0737.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6
Via RHSA-2010:0864 https://rhn.redhat.com/errata/RHSA-2010-0864.html
(In reply to comment #0)
> Marc Schoenefeld found an input stream position error in the
> way FreeType font rendering engine processed input file streams.
> If a user loaded a specially-crafted font file with an application
> linked against FreeType and relevant font glyphs were subsequently
> rendered with the X FreeType library (libXft), it could cause the
> application to crash or, possibly execute arbitrary code (integer
> overflow leading to heap-based buffer overflow in the libXft library)
> with the privileges of the user running the application. Different
> vulnerability than CVE-2010-1797.
>
> Affected versions: freetype-2.3 and before that.
> Latest upstream version (2.4) is not affected

Per the patch file (don't seek behind stream (1.07 KB, patch) 2010-08-16 09:52 EDT, Marek Kašík), version 2.4.x (x=1~4) should also be affected. Jan Lieskovsky, do you think so?
Hi,

(In reply to comment #38)
> as patch file (don't seek behind stream (1.07 KB, patch) 2010-08-16 09:52 EDT,
> Marek Kašík ), version 2.4.x(x=1~4) should also be affected, Jan Lieskovsky, do
> you think so?

The following upstream commit fixes this problem in freetype 2.4.x:

commit 75787c19eab20874c5d588842c52e59cfbd9302a
Author: Werner Lemberg <wl>
Date:   Sat Jun 26 09:24:08 2010 +0200

    Add some memory checks (mainly for debugging).

    * src/base/ftstream.c (FT_Stream_EnterFrame): Exit with error
    if the frame size is larger than the stream size.

    * src/base/ftsystem.c (ft_ansi_stream_io): Exit with error if
    seeking a position larger than the stream size.
(In reply to comment #39)
> Hi,
>
> (In reply to comment #38)
> > as patch file (don't seek behind stream (1.07 KB, patch) 2010-08-16 09:52 EDT,
> > Marek Kašík ), version 2.4.x(x=1~4) should also be affected, Jan Lieskovsky, do
> > you think so?
>
> The following upstream commit fixes this problem in freetype 2.4.x:
>
> commit 75787c19eab20874c5d588842c52e59cfbd9302a
> Author: Werner Lemberg <wl>
> Date:   Sat Jun 26 09:24:08 2010 +0200
>
>     Add some memory checks (mainly for debugging).
>
>     * src/base/ftstream.c (FT_Stream_EnterFrame): Exit with error
>     if the frame size is larger than the stream size.
>
>     * src/base/ftsystem.c (ft_ansi_stream_io): Exit with error if
>     seeking a position larger than the stream size.

thanks, Huzaifa.
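The two checks the upstream commit in comment #39 describes, as an added C illustration that is not FreeType's code: a toy in-memory stream whose seek/read callback refuses offsets beyond the stream size and whose frame entry refuses frames that do not fit in the remaining data, driven by a constructed record whose length field claims far more bytes than the file holds. The Stream layout, the function names and the record format are assumptions made for this example.

```c
#include <string.h>
/* Toy in-memory stream, loosely modelled on FreeType's FT_Stream (assumed layout). */
typedef struct {
    const unsigned char *base;  /* file contents */
    unsigned long size;         /* total stream size */
    unsigned long pos;          /* current read position */
} Stream;

/* Seek/read callback in the spirit of ft_ansi_stream_io after the fix:
 * a seek beyond the stream size is an error (returns 0) rather than a
 * position silently left past the end of the data. */
unsigned long stream_io(Stream *s, unsigned long offset,
                        unsigned char *buffer, unsigned long count)
{
    if (offset > s->size) return 0;      /* don't seek behind the stream */
    s->pos = offset;
    if (count == 0) return 0;            /* seek only, nothing read */
    if (count > s->size - s->pos)
        count = s->size - s->pos;        /* short read at end of data */
    memcpy(buffer, s->base + s->pos, count);
    s->pos += count;
    return count;
}

/* Frame entry in the spirit of FT_Stream_EnterFrame after the fix: refuse
 * any frame that does not fit in the remaining stream.  The subtraction
 * form avoids the wrap-around a naive "pos + count > size" test suffers
 * for a huge crafted count on a 32-bit build. */
int enter_frame(Stream *s, unsigned long count, const unsigned char **frame)
{
    if (count > s->size || s->pos > s->size - count)
        return 0;                        /* frame larger than stream */
    *frame = s->base + s->pos;
    s->pos += count;
    return 1;
}

/* Constructed toy record: 4-byte big-endian length, then payload.
 * Returns the payload length, or -1 if the length field does not fit. */
long read_record(Stream *s)
{
    const unsigned char *hdr, *payload;
    unsigned long len;
    if (!enter_frame(s, 4, &hdr)) return -1;
    len = ((unsigned long)hdr[0] << 24) | ((unsigned long)hdr[1] << 16) |
          ((unsigned long)hdr[2] << 8)  |  (unsigned long)hdr[3];
    if (!enter_frame(s, len, &payload)) return -1;   /* bogus length rejected */
    return (long)len;
}
```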