** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date ** Tavis Ormandy of Google Security discovered multiple integer overflows in freetype.
This is still lacking a CVE id and upstream approval for the patch provided by Tavis. Reproducers are available.
Created attachment 185509 [details, diff] freetype-2.3.8-sec.diff
This is now public. Patches are here:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0a05ba257b6ddd87dacf8d54b626e4b360e0a596
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5
CVE-2009-0946 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0946): Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.
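The CVE text above names the bug class (integer overflows triggered by large values in font input) but not the exact arithmetic involved. The C snippet below is an added illustration of that class and of the standard overflow check a parser should apply before sizing a buffer; it is not FreeType code and not the patch in the linked commits. The 16-byte entry size, the `alloc_table` parser step and the 32-bit arithmetic are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked size computation: the classic integer-overflow pattern.
 * With 32-bit arithmetic, count * elem_size wraps silently, so an
 * attacker-controlled count can yield a tiny allocation that is later
 * indexed with the large count. uint32_t is used here so the wrap is
 * reproducible on any host (assumption for the illustration). */
static uint32_t unchecked_size32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;           /* wraps modulo 2^32 */
}

/* Checked size computation: refuse the product if it cannot be
 * represented. Returns 1 and stores the product on success, 0 on overflow.
 * The check is done by division so it is portable and cannot itself wrap. */
static int checked_size32(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;                       /* would overflow */
    *out = count * elem_size;
    return 1;
}

/* Hypothetical parser step: a table count read from untrusted input is
 * turned into an allocation of 16-byte entries. Returns NULL instead of an
 * undersized buffer when the size would overflow. */
static void *alloc_table(uint32_t count_from_input)
{
    uint32_t bytes;
    if (!checked_size32(count_from_input, 16, &bytes))
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed input: a count large enough that count * 16 wraps. */
    uint32_t hostile_count = 0x10000001u;
    uint32_t bytes;

    printf("unchecked: %u entries * 16 -> %u bytes (wrapped)\n",
           hostile_count, unchecked_size32(hostile_count, 16));
    printf("checked:   %s\n",
           checked_size32(hostile_count, 16, &bytes) ? "accepted" : "rejected");

    void *table = alloc_table(hostile_count);
    printf("alloc_table(hostile) -> %s\n", table ? "buffer" : "NULL");
    free(table);
    return 0;
}
```

The defensive point is that the rejection has to happen on the size computation itself, before any allocation or indexing uses the result; a bounds check on the index alone does not help once the buffer has already been allocated too small.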
Created attachment 190235 [details, diff] freetype-2.3.9-CVE-2009-0946.patch
freetype-2.3.9-r1 added to tree
Arches, please test and mark stable: =media-libs/freetype-2.3.9-r1 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
ppc64 done
ppc done
amd64 stable
x86 stable
Stable for HPPA.
alpha/arm/ia64/m68k/s390/sh/sparc stable
GLSA request filed.
GLSA 200905-05
Does this bug also affect freetype-1.4? I still need this for texlive, but it doesn't appear to have been patched.