Security Advisory Important: freetype security update

Advisory: RHSA-2012:0094-1
Type: Security Advisory
Severity: Important
Issued on: 2012-02-02
Last updated on: 2012-02-02
Affected Products: Red Hat Enterprise Linux EUS (v. 5.6.z server)
Red Hat Enterprise Linux Long Life (v. 5.6 server)
CVEs (cve.mitre.org): CVE-2011-3256
CVE-2011-3439

Details

Updated freetype packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5.6 Extended Update Support.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

FreeType is a free, high-quality, portable font engine that can open and
manage font files. It also loads, hints, and renders individual glyphs
efficiently.

Multiple input validation flaws were found in the way FreeType processed
bitmap font files. If a specially-crafted font file was loaded by an
application linked against FreeType, it could cause the application to
crash or, potentially, execute arbitrary code with the privileges of the
user running the application. (CVE-2011-3256)

Multiple input validation flaws were found in the way FreeType processed
CID-keyed fonts. If a specially-crafted font file was loaded by an
application linked against FreeType, it could cause the application to
crash or, potentially, execute arbitrary code with the privileges of the
user running the application. (CVE-2011-3439)

Users are advised to upgrade to these updated packages, which contain
backported patches to correct these issues. The X server must be restarted
(log out, then log back in) for this update to take effect. Any other
long-running process that already has libfreetype loaded keeps using the
old copy until that process is restarted as well.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux EUS (v. 5.6.z server)

SRPMS:
freetype-2.2.1-28.el5_6.1.src.rpm     MD5: 2d5a27d4fd97f1faa88fb349e64c7f89
SHA-256: 7d3b2503c45122f66015771b7afc79ad8c272ef5c2889f59e9bd800168f42484
 
IA-32:
freetype-2.2.1-28.el5_6.1.i386.rpm     MD5: 37de9a290710f4d5f9c020d7a726da81
SHA-256: bce0172b00cc151904fca6e9c3cbf04a21905a04b7ac653444147be95fa678ce
freetype-demos-2.2.1-28.el5_6.1.i386.rpm     MD5: f73aa56e086752acd928db13b69350bf
SHA-256: ba144269239858bf6d07be63063ca5a6eb83cda7b3e5d863c6e8249862cada9d
freetype-devel-2.2.1-28.el5_6.1.i386.rpm     MD5: e963b78877ae40f258b9dbf9f5ee18a3
SHA-256: 9dbe98330ca9fe5e6362e47de0ea459efe8fd1f3081c039c91e7109a63cc0355
 
IA-64:
freetype-2.2.1-28.el5_6.1.i386.rpm     MD5: 37de9a290710f4d5f9c020d7a726da81
SHA-256: bce0172b00cc151904fca6e9c3cbf04a21905a04b7ac653444147be95fa678ce
freetype-2.2.1-28.el5_6.1.ia64.rpm     MD5: 0bfd06c88cf3e4465bd1f2667039edb6
SHA-256: c72cfea89ff0de51be2e5d03df11ea104fbd6203be0da785b31f24c88d7a23af
freetype-demos-2.2.1-28.el5_6.1.ia64.rpm     MD5: 7f84de73ce0ec4d2f872ff0dc8d5eaf2
SHA-256: d34747963aae7ff1c7c4d1053426d8f8faa09f347fa5fa37e3ccc2099f8e9ce7
freetype-devel-2.2.1-28.el5_6.1.ia64.rpm     MD5: 01d430d15d39a5595b168662a5b16004
SHA-256: 0607f034c3a8480c1c64f33fb522da12bb45a56de9a6d9439657aa486249aadc
 
PPC:
freetype-2.2.1-28.el5_6.1.ppc.rpm     MD5: 2c02abbd85bffdc932da96e2c3b7d365
SHA-256: 9e91f0c5f1c3dffc9c5cb0f5003953a652b478d6c056eec88b7c22c008092619
freetype-2.2.1-28.el5_6.1.ppc64.rpm     MD5: a5d7af564a8dbc10622c8d94cbce2011
SHA-256: d150e05efb3b3710baca7d5952c0478f8909f0ff9c2edefeb2e6a47a6f17fd10
freetype-demos-2.2.1-28.el5_6.1.ppc.rpm     MD5: 3db4151c42811f8a253e14349598c3a2
SHA-256: c8da23fb8d5d4abab17979f470db8c5ab7e69d6167196e5574b22a907dac1a37
freetype-devel-2.2.1-28.el5_6.1.ppc.rpm     MD5: 7e968a5d69776704d25e7c246f2105a2
SHA-256: 46500e2b17b21651bc2ed8b6cd2b3a07fcca393b753a8291bc8ed1ae7f17e312
freetype-devel-2.2.1-28.el5_6.1.ppc64.rpm     MD5: 9ad886cbb30fb09735e2f8bbd00db32f
SHA-256: 85382441342578469bdc8c0945afa3e9a33a843f7afb82e285b5a2762ce2d669
 
s390x:
freetype-2.2.1-28.el5_6.1.s390.rpm     MD5: bbc394c070dd998a595346c263fb72ab
SHA-256: 93df5b3f17103b983003f2d2d6c15c8a599faf7c982eafbe2d97cd148a907397
freetype-2.2.1-28.el5_6.1.s390x.rpm     MD5: e4a0a6bd8c02bce251de4e7b5f724ee3
SHA-256: d3d4edab42c3c81937e847317d589b83467b94dd5ec592a6786f5749bc4da056
freetype-demos-2.2.1-28.el5_6.1.s390x.rpm     MD5: 0fd8b0d8ba537c53a4b4c3b48e821c23
SHA-256: 9e7df84206dc2e7da6bd4a848d4c29a3ab3e8543f762b1202bbf0a5050234437
freetype-devel-2.2.1-28.el5_6.1.s390.rpm     MD5: cc85ba7c9f664884430b698174273ed6
SHA-256: faf07f4e31e4dd4ae55d4782be976e5a39ae796cc5c190b00dc86fbc1e85eed7
freetype-devel-2.2.1-28.el5_6.1.s390x.rpm     MD5: 3e30f986dbd0d5b6c53eac76165f5245
SHA-256: 59bf1a483b02491d038da762408095ac68b3b3f873ff75eb8a40950a42684bed
 
x86_64:
freetype-2.2.1-28.el5_6.1.i386.rpm     MD5: 37de9a290710f4d5f9c020d7a726da81
SHA-256: bce0172b00cc151904fca6e9c3cbf04a21905a04b7ac653444147be95fa678ce
freetype-2.2.1-28.el5_6.1.x86_64.rpm     MD5: 69fb7b02db1f9e8c3dd119f289a300ff
SHA-256: 498f2a003708147714215acb8e16d04f6e9b739fdf528a463e743e0af5848d3b
freetype-demos-2.2.1-28.el5_6.1.x86_64.rpm     MD5: 8e7d6287906216d3254afd3a007d306e
SHA-256: 7fbdfd313c975f2a82f72c0b237b71db94fe31674cff632599f8e8c14586199f
freetype-devel-2.2.1-28.el5_6.1.i386.rpm     MD5: e963b78877ae40f258b9dbf9f5ee18a3
SHA-256: 9dbe98330ca9fe5e6362e47de0ea459efe8fd1f3081c039c91e7109a63cc0355
freetype-devel-2.2.1-28.el5_6.1.x86_64.rpm     MD5: 2f4e6dbd3558b4503e09dbe9b1724326
SHA-256: 7c277afba8c4cfb426fee8b37f7144d7d166acab6d61c1a6f5a63f1b6584306a
 
Red Hat Enterprise Linux Long Life (v. 5.6 server)

SRPMS:
freetype-2.2.1-28.el5_6.1.src.rpm     MD5: 2d5a27d4fd97f1faa88fb349e64c7f89
SHA-256: 7d3b2503c45122f66015771b7afc79ad8c272ef5c2889f59e9bd800168f42484
 
IA-32:
freetype-2.2.1-28.el5_6.1.i386.rpm     MD5: 37de9a290710f4d5f9c020d7a726da81
SHA-256: bce0172b00cc151904fca6e9c3cbf04a21905a04b7ac653444147be95fa678ce
freetype-demos-2.2.1-28.el5_6.1.i386.rpm     MD5: f73aa56e086752acd928db13b69350bf
SHA-256: ba144269239858bf6d07be63063ca5a6eb83cda7b3e5d863c6e8249862cada9d
freetype-devel-2.2.1-28.el5_6.1.i386.rpm     MD5: e963b78877ae40f258b9dbf9f5ee18a3
SHA-256: 9dbe98330ca9fe5e6362e47de0ea459efe8fd1f3081c039c91e7109a63cc0355
 
IA-64:
freetype-2.2.1-28.el5_6.1.i386.rpm     MD5: 37de9a290710f4d5f9c020d7a726da81
SHA-256: bce0172b00cc151904fca6e9c3cbf04a21905a04b7ac653444147be95fa678ce
freetype-2.2.1-28.el5_6.1.ia64.rpm     MD5: 0bfd06c88cf3e4465bd1f2667039edb6
SHA-256: c72cfea89ff0de51be2e5d03df11ea104fbd6203be0da785b31f24c88d7a23af
freetype-demos-2.2.1-28.el5_6.1.ia64.rpm     MD5: 7f84de73ce0ec4d2f872ff0dc8d5eaf2
SHA-256: d34747963aae7ff1c7c4d1053426d8f8faa09f347fa5fa37e3ccc2099f8e9ce7
freetype-devel-2.2.1-28.el5_6.1.ia64.rpm     MD5: 01d430d15d39a5595b168662a5b16004
SHA-256: 0607f034c3a8480c1c64f33fb522da12bb45a56de9a6d9439657aa486249aadc
 
x86_64:
freetype-2.2.1-28.el5_6.1.i386.rpm     MD5: 37de9a290710f4d5f9c020d7a726da81
SHA-256: bce0172b00cc151904fca6e9c3cbf04a21905a04b7ac653444147be95fa678ce
freetype-2.2.1-28.el5_6.1.x86_64.rpm     MD5: 69fb7b02db1f9e8c3dd119f289a300ff
SHA-256: 498f2a003708147714215acb8e16d04f6e9b739fdf528a463e743e0af5848d3b
freetype-demos-2.2.1-28.el5_6.1.x86_64.rpm     MD5: 8e7d6287906216d3254afd3a007d306e
SHA-256: 7fbdfd313c975f2a82f72c0b237b71db94fe31674cff632599f8e8c14586199f
freetype-devel-2.2.1-28.el5_6.1.i386.rpm     MD5: e963b78877ae40f258b9dbf9f5ee18a3
SHA-256: 9dbe98330ca9fe5e6362e47de0ea459efe8fd1f3081c039c91e7109a63cc0355
freetype-devel-2.2.1-28.el5_6.1.x86_64.rpm     MD5: 2f4e6dbd3558b4503e09dbe9b1724326
SHA-256: 7c277afba8c4cfb426fee8b37f7144d7d166acab6d61c1a6f5a63f1b6584306a
 
(The unlinked packages above are only available from the Red Hat Network)
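The Solution section tells you to apply the update via Red Hat Network, and the package table above lists the fixed build (freetype-2.2.1-28.el5_6.1) with its checksums. The script below is an added example, not part of the advisory or of Red Hat's tooling. It shows two checks a practitioner would want: whether the freetype reported by `rpm -q freetype --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n'` is at or above the fixed build (this requires RPM's segment-wise version comparison, which is reimplemented here and covers more than the single version on this page), and whether a downloaded RPM's SHA-256 matches the table. The table lines embedded in the script are copied from the x86_64 section above; the installed-version strings used as sample input are constructed for illustration.

```python
"""Check a host against RHSA-2012:0094 and verify downloaded RPMs.

Added example (not from the advisory). Embeds lines copied from the
advisory's x86_64 package table, reimplements rpm's version comparison
so installed NEVRs can be ordered against the fixed build, and checks a
downloaded package by SHA-256. Sample installed versions are constructed.
"""
import hashlib
import re

# Fixed build from the advisory: freetype-2.2.1-28.el5_6.1 (no epoch).
FIXED_EVR = "2.2.1-28.el5_6.1"

# Copied from the advisory's x86_64 table (page content, not constructed).
ADVISORY_TABLE = """\
freetype-2.2.1-28.el5_6.1.i386.rpm     MD5: 37de9a290710f4d5f9c020d7a726da81
SHA-256: bce0172b00cc151904fca6e9c3cbf04a21905a04b7ac653444147be95fa678ce
freetype-2.2.1-28.el5_6.1.x86_64.rpm     MD5: 69fb7b02db1f9e8c3dd119f289a300ff
SHA-256: 498f2a003708147714215acb8e16d04f6e9b739fdf528a463e743e0af5848d3b
"""

_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way rpmvercmp does.

    Segments are maximal runs of digits or letters; separators are ignored.
    Numeric segments compare by value and beat alpha segments, alpha
    segments compare as strings, a leftover '~' sorts before end of string
    (pre-release), and otherwise the string with more segments wins.
    Returns -1, 0 or 1. The newer '^' operator is not handled.
    """
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1          # numeric beats alpha
        if xnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):              # more digits is larger
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(ta) == len(tb):
        return 0
    a_longer = len(ta) > len(tb)
    rest = ta[len(tb):] if a_longer else tb[len(ta):]
    if rest[0] == "~":                        # trailing pre-release loses
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_evr(evr):
    """Split '[epoch:]version-release'; rpm prints a missing epoch as (none)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_evr, fixed_evr=FIXED_EVR):
    """True if the installed freetype is at or above the advisory's build."""
    return evrcmp(installed_evr, fixed_evr) >= 0


def parse_advisory_table(text):
    """Map 'file.rpm' -> sha256 from the advisory's two-line entries."""
    table, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S+\.rpm)\s+MD5:\s*([0-9a-f]{32})", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"SHA-256:\s*([0-9a-f]{64})", line)
        if m and current:
            table[current] = m.group(1)
            current = None
    return table


def verify_package(filename, data, table):
    """Compare SHA-256 of downloaded bytes with the advisory's value.
    The MD5 column is ignored: MD5 is collision-prone, SHA-256 is not."""
    expected = table.get(filename)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    # Constructed sample outputs of rpm -q freetype --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'
    for evr in ["(none):2.2.1-28.el5_5.1", "(none):2.2.1-28.el5_6.1"]:
        print(evr, "fixed" if is_fixed(evr) else "VULNERABLE")
    print(sorted(parse_advisory_table(ADVISORY_TABLE)))
```

The checksum comparison only proves the file you fetched is the one listed here; the authenticity check is the GPG signature, which `rpm -K file.rpm` verifies against Red Hat's imported key (see the key page referenced below). Run both before installing a package obtained by any route other than Red Hat Network itself.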

Bugs fixed (see bugzilla for more information)

746226 - CVE-2011-3256 FreeType FT_Bitmap_New integer overflow to buffer overflow, FreeType TT_Vary_Get_Glyph_Deltas improper input validation
753799 - CVE-2011-3439 freetype: Multiple security flaws when loading CID-keyed Type 1 fonts


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/