Secunia reports:
- An integer overflow error exists in the processing of PFB font
files. This can be exploited to cause a heap-based buffer overflow
via a PFB file containing a specially crafted "Private" dictionary
table.
- An error in the processing of PFB font files can be exploited
to trigger the "free()" of memory areas that are not allocated on
the heap.
- An off-by-one error exists in the processing of PFB font files.
This can be exploited to cause a one-byte heap-based buffer
overflow via a specially crafted PFB file.
- An off-by-one error exists in the implementation of the "SHC"
instruction while processing TTF files. This can be exploited to
cause a one-byte heap-based buffer overflow via a specially crafted
TTF file.
Successful exploitation of the vulnerabilities may allow execution
of arbitrary code.