Mozilla Foundation Security Advisory 2012-21

Multiple security flaws fixed in FreeType v2.4.9

Announced
April 24, 2012
Reporter
Mateusz Jurczyk
Impact
Critical
Products
Firefox Mobile
Fixed in
  • Firefox Mobile 10.0.4

Description

Mateusz Jurczyk of the Google Security Team used the Address Sanitizer tool to discover a series of memory safety bugs in the FreeType library, some of which could cause memory corruption and exploitable crashes with certain fonts and font parsing. Firefox Mobile has been upgraded to FreeType version 2.4.9 which addresses these issues. Desktop Firefox does not use Freetype for fonts and was not affected.

On Linux systems, Firefox will use the installed system library for FreeType. Linux users should make sure they are current on system security updates.

References