Secunia

Some vulnerabilities have been reported in FreeType, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise applications using the library.

1) An integer overflow error exists within the "read_lwfn()" function in src/base/ftmac.c. This can potentially be exploited to cause a heap-based buffer overflow via a specially crafted LWFN file.

The vulnerability has been reported in version 2.2. Prior versions may also be affected.

2) An integer underflow error exists within the "src/pshinter/pshglob.c:psh_blues_set_zones_0()" function when handling a specially crafted font file where the number of blue values is odd. This can be exploited to cause an integer underflow which corrupts the heap.

The vulnerability has been reported in version 2.2. Prior versions may also be affected.

3) Integer overflow errors exist within the BDF, PCF and Type1 font file parsers. This can potentially be exploited to cause a heap-based buffer overflow via a specially crafted font file.

The vulnerabilities have been reported in version 2.1.10. Prior versions may also be affected.

Solution
Update to version 2.2.1.
Further details available in Customer Area

Provided and/or discovered by
1) Chris Evans
2) Josh Bressers
3) Chris Evans

Changelog
Further details available in Customer Area

Original Advisory
http://sourceforge.net/project/shownotes.php?release_id=416463
http://scary.beasts.org/security/CESA-2006-001.html

Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190593
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183676

Deep Links
Links available in Customer Area