FreeType: Arbitrary code execution — GLSA 201408-02

A vulnerability in FreeType could result in execution of arbitrary code or Denial of Service.

Affected packages

media-libs/freetype on all architectures
Affected versions < 2.5.3-r1
Unaffected versions >= 2.5.3-r1

Background

FreeType is a high-quality and portable font engine.

Description

A stack-based buffer overflow exists in Freetype’s cf2_hintmap_build function in cff/cf2hints.c.

Impact

A remote attacker may be able to execute arbitrary code or cause a Denial of Service condition via specially crafted font file.

Workaround

There is no known workaround at this time.

Resolution

All FreeType users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/freetype-2.5.3-r1"
 

Packages which depend on this library may need to be recompiled. Tools such as revdep-rebuild may assist in identifying these packages.

References

Release date
August 09, 2014

Latest revision
August 09, 2014: 1

Severity
normal

Exploitable
remote

Bugzilla entries