Debian Security Advisory

DSA-2428-1 freetype -- several vulnerabilities

Date Reported:
07 Mar 2012
Affected Packages:
freetype
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2012-1133, CVE-2012-1134, CVE-2012-1136, CVE-2012-1142, CVE-2012-1144.
More information:

Mateusz Jurczyk from the Google Security Team discovered several vulnerabilties in Freetype's parsing of BDF, Type1 and TrueType fonts, which could result in the execution of arbitrary code if a malformed font file is processed.

For the stable distribution (squeeze), this problem has been fixed in version 2.4.2-2.1+squeeze4. The updated packages are already available since yesterday, but the advisory text couldn't be send earlier.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your freetype packages.