[Bug 800607] CVE-2012-1144 freetype: insufficient checking of first outline point in TTF parser (#35689)

bugzilla at redhat.com bugzilla at redhat.com
Thu Mar 22 11:19:24 UTC 2012



https://bugzilla.redhat.com/show_bug.cgi?id=800607

Tomas Hoger <thoger at redhat.com> changed:

           What    |Removed / Added
----------------------------------------------------------------------------
            Summary|Removed: CVE-2012-1144 freetype: Out-of heap-based buffer write in the TrueType bytecode interpreter by moving zone2 pointer point (FU#35689)
                   |Added:   CVE-2012-1144 freetype: insufficient checking of first outline point in TTF parser (#35689)
  Status Whiteboard|Removed: impact=important,public=20120302,reported=20120302,source=google,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=new,rhel-6/freetype=new,fedora-all/freetype=new
                   |Added:   impact=moderate,public=20120302,reported=20120302,source=secalert,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected,rhel-6/freetype=affected,fedora-all/freetype=affected,fedora-all/mingw32-freetype=affected

--- Comment #2 from Tomas Hoger <thoger at redhat.com> 2012-03-22 07:19:22 EDT ---
(In reply to comment #0)
> An out-of heap-based buffer write flaw was found in the way TrueType bytecode /
> opcode interpreter of the FreeType font rendering engine performed moving of
> zone2 pointer point by execution of 'SHift Contour' (SHC) instruction.

The bytecode interpreter (BCI) is where the problem surfaced, but it was addressed
in TTF loading code that is not BCI-specific.  BCI support is disabled in Red
Hat Enterprise Linux freetype packages and is only enabled upstream by default
starting with version 2.4.
