Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freetype | Freetype | 1.3.1 (including) | 1.3.1 (including) |
| Freetype | Freetype | 2.3.3 (including) | 2.3.3 (including) |
| Freetype | Freetype | 2.3.4 (including) | 2.3.4 (including) |
| Freetype | Freetype | 2.3.5 (including) | 2.3.5 (including) |
| Red Hat Enterprise Linux 2.1 | RedHat | freetype-0:2.0.3-15.el21 | * |
| Red Hat Enterprise Linux 3 | RedHat | freetype-0:2.1.4-10.el3 | * |
| Red Hat Enterprise Linux 4 | RedHat | freetype-0:2.1.9-8.el4.6 | * |
| Red Hat Enterprise Linux 5 | RedHat | freetype-0:2.2.1-20.el5_2 | * |
| Freetype | Ubuntu | dapper | * |
| Freetype | Ubuntu | feisty | * |
| Freetype | Ubuntu | gutsy | * |
| Freetype | Ubuntu | hardy | * |
| Freetype | Ubuntu | upstream | * |