FreeType is prone to an overflow condition. The 'ft_var_readpackedpoints()' function in 'truetype/ttgxvar.c' fails to properly sanitize user-supplied input resulting in a buffer overflow. With a specially crafted TrueType GX font, a context-dependent attacker can potentially execute arbitrary code.

Upgrade to version 2.4.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1024745
• CVE ID: 2010-3855 (see also: NVD)
• Secunia Advisory ID: 41738 42289 42295 43138 43697 43814 44008 45224 47676 48951
• Bugtraq ID: 44214
• VUPEN Advisory: ADV-2010-3037
• Vendor Specific News/Changelog Entry: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602221
  http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=59eb9f8cfe7d1df379a2318316d1f04f80fba54a
  http://lists.debian.org/debian-security-announce/2011/msg00019.html
  http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00020.html
  http://security.gentoo.org/glsa/glsa-201201-09.xml
  https://savannah.nongnu.org/bugs/?31310
  https://savannah.nongnu.org/bugs/index.php?31310
• Mail List Post: http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050965.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051231.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051251.html
• Vendor Specific Advisory URL: http://support.apple.com/kb/HT1222
  http://support.apple.com/kb/HT4565
  http://support.apple.com/kb/HT4581
  http://support.apple.com/kb/HT4802
  http://support.apple.com/kb/HT4803
  https://hermes.opensuse.org/messages/7850332
• Other Advisory URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:235
  http://www.mandriva.com/security/advisories?name=MDVSA-2010:236
• News Article: http://www.scmagazineus.com/apple-issues-slew-of-patches/article/198899/
• RedHat RHSA: RHSA-2010:0889

• Not Available