A NULL pointer dereference flaw was found in the way the TrueType bytecode interpreter of the FreeType font rendering engine performed movement of the zone2 pointer point for certain TrueType fonts. A remote attacker could provide a specially-crafted TrueType font file, which once opened in an application linked against FreeType would lead to that application crashing.

Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35601

Upstream patch:
[2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=96cddb8d1d32d6738b06552083db9d6cee5b5cb4

Acknowledgements: Red Hat would like to thank Mateusz Jurczyk of the Google Security Team for reporting this issue.
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/06/16
This issue did NOT affect the versions of the freetype package, as shipped with Red Hat Enterprise Linux 5 and 6.

This issue affects the versions of the freetype package, as shipped with Fedora releases 15 and 16.
This flaw is in the TrueType bytecode interpreter (BCI) implementation. BCI is not enabled in the Red Hat Enterprise Linux 4, 5, and 6 freetype packages (it was disabled by default upstream because of patent concerns). BCI support is now enabled by default in upstream versions 2.4 and later, as the relevant patents expired: http://www.freetype.org/patents.html

Statement: Not vulnerable. This issue did not affect freetype packages as shipped with Red Hat Enterprise Linux 5 and 6, as they do not enable the TrueType bytecode interpreter.
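Because the flaw sits in the bytecode interpreter, only fonts that actually carry TrueType instructions can reach the affected code. As an added triage example (not part of this bug report, and not FreeType's own code), the following Python parses an sfnt table directory with bounds checks and reports whether a font ships the global interpreter programs (fpgm/prep/cvt); the two sample fonts are constructed inside the block, and the byte values in them are placeholders, not real hinting programs.

```python
import struct

# Tables holding TrueType bytecode that FreeType's interpreter executes:
# 'fpgm' (font program) and 'prep' (control value program) run on load
# when hinting is on; 'cvt ' holds the control values they operate on.
BYTECODE_TABLES = (b"fpgm", b"prep", b"cvt ")
TRUETYPE_VERSIONS = (b"\x00\x01\x00\x00", b"true")  # sfnt with TrueType outlines

def parse_table_directory(data: bytes) -> dict:
    """Parse the sfnt offset table and table records with bounds checks.
    Returns {tag: (offset, length)}; raises ValueError on structural damage
    (truncated directory, record pointing outside the file) so a caller can
    quarantine the file instead of handing it to a renderer."""
    if len(data) < 12:
        raise ValueError("shorter than the 12-byte offset table")
    version, num_tables = struct.unpack(">4sH", data[:6])
    if version not in TRUETYPE_VERSIONS:
        raise ValueError(f"not a TrueType sfnt (version {version!r})")
    if 12 + 16 * num_tables > len(data):
        raise ValueError("table directory runs past end of file")
    tables = {}
    for i in range(num_tables):
        start = 12 + 16 * i
        tag, _csum, offset, length = struct.unpack(">4sIII", data[start:start + 16])
        if offset + length > len(data):  # Python ints cannot wrap, so this is exact
            raise ValueError(f"table {tag!r} extends past end of file")
        tables[tag] = (offset, length)
    return tables

def uses_bytecode(data: bytes) -> bool:
    """True if the font ships global interpreter programs (fpgm/prep/cvt ).
    False means no global programs only: per-glyph instructions inside 'glyf'
    would need a loca/glyf walk, which this checker does not perform."""
    tables = parse_table_directory(data)
    return any(tables.get(t, (0, 0))[1] > 0 for t in BYTECODE_TABLES)

def build_sfnt(tables: dict) -> bytes:
    """Assemble a minimal sfnt from {tag: payload}; constructed test data only."""
    num = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 0, 0, 0)
    offset, records, body = 12 + 16 * num, b"", b""
    for tag, payload in sorted(tables.items()):
        records += struct.pack(">4sIII", tag, 0, offset, len(payload))
        body += payload
        offset += len(payload)
    return header + records + body

# Constructed samples: a hinted font carrying fpgm/prep programs, and one without.
HINTED = build_sfnt({b"fpgm": b"\xb0\x00", b"prep": b"\xb0\x01", b"glyf": bytes(16)})
UNHINTED = build_sfnt({b"glyf": bytes(16), b"head": bytes(54)})
```

A font that returns False here never runs fpgm/prep, though it may still carry per-glyph instructions; a ValueError is itself a signal worth logging, since a well-formed font never fails the directory checks.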