Upstream commit at $url.
From the Secunia advisory at http://secunia.com/advisories/41738/:
A vulnerability has been reported in FreeType, which can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library.
The vulnerability is caused due to an error in the "ft_var_readpackedpoints()" function in src/truetype/ttgxvar.c when processing TrueType GX fonts. This can be exploited to cause a heap-based buffer overflow via a specially crafted font.
The vulnerability is reported in version 2.4.3. Other versions may also be affected.
Patch applied in 2.4.3-r1. 2.4.3 was in the middle of stabilization so I'll close bug #341845 and we'll do it here.
Great, thank you, Ryan.
Arches, please test and mark stable:
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
OK for me on amd64.
amd64 done. Thanks Agostino
Stable for HPPA.
Thanks folks, GLSA request filed.
This is CVE-2010-3855.
Buffer overflow in the ft_var_readpackedpoints function in
truetype/ttgxvar.c in FreeType 2.4.3 and earlier allows remote attackers to
cause a denial of service (application crash) or possibly execute arbitrary
code via a crafted TrueType GX font.
This issue was resolved and addressed in
GLSA 201201-09 at http://security.gentoo.org/glsa/glsa-201201-09.xml
by GLSA coordinator Sean Amoss (ackle).