FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation. This may lead to a DoS.
Upstream Issue: https://savannah.nongnu.org/bugs/?45922
Upstream fix: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/psaux/psobjs.c?id=db5a4a9ae7b0048f033361744421da8569642f73
Created freetype tracking bugs for this issue: Affects: fedora-all [bug 1763616]
The freetype library is able to handle PostScript created fonts, however there's an issue when handling PostScript balanced expressions. On ps_parser_skip_PS_token() a lack of proper validation may lead the reading cursor holding the current position being processed to go beyond the end of the text content. This further causes an out of bounds read o skip_comment() function. An attacker may leverage this bug by creating a crafted input file causing low confidentiality impact as unexpected data may be exposed as a result of the over-read.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:4254 https://access.redhat.com/errata/RHSA-2019:4254
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-9382