An out-of heap-based buffer read flaw was found in the way TrueType bytecode / opcode interpreter of the FreeType font rendering engine performed execution of NPUSHB and NPUSHW instructions. A remote attacker could provide a specially-crafted font file, which once opened in an application linked against FreeType would lead to that application crash. Upstream bug report: [1] https://savannah.nongnu.org/bugs/?35640 Upstream patch: [2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=5dddcc45a03b336860436a180aec5b358517336b Acknowledgements: Red Hat would like to thank Mateusz Jurczyk of the Google Security Team for reporting this issue.
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/06/16
This flaw is in the TrueType bytecode interpreter (BCI) implementation. BCI is not enabled in Red Hat Enterprise Linux 4, 5, and 6 freetype packages (it was disabled by default upstream because of the patent concerns). BCI support is now enabled by default in upstream versions 2.4 and later, as relevant patents expired: http://www.freetype.org/patents.html Statement: Not vulnerable. This issue did not affect freetype packages as shipped with Red Hat Enterprise Linux 5 and 6, as they do not enable TrueType bytecode interpreter.