Red Hat Bugzilla – Bug 800584
CVE-2012-1128 freetype: NULL dereference in the SHZ instruction implementation in TTF BCI (#35601)
Last modified: 2016-11-08 11:14:01 EST
A NULL pointer dereference flaw was found in the way the TrueType bytecode interpreter of the FreeType font rendering engine performed movement of the zone2 pointer point for certain TrueType fonts. A remote attacker could provide a specially-crafted TrueType font file, which, once opened in an application linked against FreeType, would lead to that application crashing.
Upstream bug report:
Red Hat would like to thank Mateusz Jurczyk of the Google Security Team for reporting this issue.
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/06/16
This issue did NOT affect the versions of the freetype package, as shipped with Red Hat Enterprise Linux 5 and 6.
This issue affects the versions of the freetype package, as shipped with Fedora releases 15 and 16.
This flaw is in the TrueType bytecode interpreter (BCI) implementation. BCI is not enabled in Red Hat Enterprise Linux 4, 5, and 6 freetype packages (it was disabled by default upstream because of patent concerns). BCI support is now enabled by default in upstream versions 2.4 and later, as the relevant patents expired: http://www.freetype.org/patents.html
Not vulnerable. This issue did not affect freetype packages as shipped with Red Hat Enterprise Linux 5 and 6, as they do not enable the TrueType bytecode interpreter.