[Bug 800593] CVE-2012-1135 freetype: heap off by one read in boundary check for NPUSHB and NPUSHW instructions in TTF BIC (#35640)

bugzilla at redhat.com bugzilla at redhat.com
Thu Mar 15 09:28:07 UTC 2012 

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=800593

Tomas Hoger <thoger at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|CVE-2012-1135 freetype:     |CVE-2012-1135 freetype:
                   |Out-of heap-based buffer    |heap off by one read in
                   |read in TrueType bytecode   |boundary check for NPUSHB
                   |interpreter by executing    |and NPUSHW instructions in
                   |NPUSHB and NPUSHW           |TTF BIC (#35640)
                   |instructions (FU#35640)     |
  Status Whiteboard|impact=low,public=20120227, |impact=low,public=20120227,
                   |reported=20120302,source=go |reported=20120302,source=se
                   |ogle,cvss2=4.3/AV:N/AC:M/Au |calert,cvss2=2.6/AV:N/AC:H/
                   |:N/C:N/I:N/A:P,rhel-5/freet |Au:N/C:N/I:N/A:P,rhel-5/fre
                   |ype=new,rhel-6/freetype=new |etype=notaffected,rhel-6/fr
                   |,fedora-all/freetype=new    |eetype=notaffected,fedora-a
                   |                            |ll/freetype=affected,fedora
                   |                            |-all/mingw32-freetype=affec
                   |                            |ted

--- Comment #2 from Tomas Hoger <thoger at redhat.com> 2012-03-15 05:28:05 EDT ---
This flaw is in the TrueType bytecode interpreter (BCI) implementation.  BCI is
not enabled in Red Hat Enterprise Linux 4, 5, and 6 freetype packages (it was
disabled by default upstream because of the patent concerns).  BCI support is
now enabled by default in upstream versions 2.4 and later, as relevant patents
expired: http://www.freetype.org/patents.html

Statement:

Not vulnerable. This issue did not affect freetype packages as shipped with Red
Hat Enterprise Linux 5 and 6, as they do not enable TrueType bytecode
interpreter.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the fonts-bugs mailing list