[Bug 800607] CVE-2012-1144 freetype: insufficient checking of first outline point in TTF parser (#35689)

bugzilla at redhat.com bugzilla at redhat.com
Thu Mar 22 11:19:24 UTC 2012


Tomas Hoger <thoger at redhat.com> changed:

  Summary
    Removed: CVE-2012-1144 freetype: Out-of heap-based buffer write in the TrueType bytecode interpreter by moving zone2 pointer point (FU#35689)
    Added:   CVE-2012-1144 freetype: insufficient checking of first outline point in TTF parser (#35689)

  Status Whiteboard
    Removed: impact=important,public=20120302,reported=20120302,source=google,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=new,rhel-6/freetype=new,fedora-all/freetype=new
    Added:   impact=moderate,public=20120302,reported=20120302,source=secalert,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected,rhel-6/freetype=affected,fedora-all/freetype=affected,fedora-all/mingw32-freetype=affected

--- Comment #2 from Tomas Hoger <thoger at redhat.com> 2012-03-22 07:19:22 EDT ---
(In reply to comment #0)
> An out-of heap-based buffer write flaw was found in the way TrueType bytecode /
> opcode interpreter of the FreeType font rendering engine performed moving of
> zone2 pointer point by execution of 'SHift Contour' (SHC) instruction.

The bytecode interpreter (BCI) is where the problem surfaced, but it was addressed
in TTF loading code that is not BCI specific.  BCI support is disabled in Red
Hat Enterprise Linux freetype packages and is only enabled upstream by default
starting with version 2.4.
