Bugzilla – Bug 704612
VUL-0: freetype: off-by-one / length checks missing in psaux/psobjs.c
Last modified: 2019-05-22 00:55:24 UTC
executing xpdf http://www.jailbreakme.com/saffron/_/iPod_4.3.3_8J2.pdf gives Program received signal SIGSEGV, Segmentation fault. 0x0000002a96912fe6 in memcpy () from /lib64/tls/libc.so.6 0x0000002a956b5b59 in ps_table_add () from /usr/lib64/libfreetype.so.6 0x0000002a956caeec in parse_subrs () from /usr/lib64/libfreetype.so.6 this seems to be fixed in newer freetype versions: --- freetype-2.1.7/./src/psaux/psobjs.c 2003-10-20 +++ freetype-2.3.7/src/psaux/psobjs.c @@ -158,7 +169,7 @@ void* object, FT_PtrDist length ) { - if ( idx < 0 || idx > table->max_elems ) + if ( idx < 0 || idx >= table->max_elems ) { FT_ERROR(( "ps_table_add: invalid index\n" )); return PSaux_Err_Invalid_Argument; @@ -181,7 +192,7 @@ but there are many changes in the length and integer overflow checks in freetype2 that are unpatched in that particular source code, so many more patches seem to be missing.
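Review bot: the change from `idx > table->max_elems` to `idx >= table->max_elems` in the ps_table_add hunk is the right one: with `>`, an idx equal to max_elems passes the check and indexes one slot past the end of the table's arrays, which matches the crash inside memcpy() called from ps_table_add() in the backtrace. The second hunk header `@@ -181,7 +192,7 @@` has no body in this excerpt, so what is shown is not a complete backport; please attach the full diff, including the length checks this comment says are still missing, rather than only the index comparison.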
I think the actual patch is this: commit 9b00875093d1d646798a59d8f5793575fee93adf Author: Werner Lemberg <wl@gnu.org> Date: Wed Apr 13 13:37:37 2011 +0200 Fix Savannah bug #33047. Patch submitted by anonymous reporter. * src/psaux/psobjs.c (ps_table_add): Use FT_PtrDist for pointer difference. --- a/src/psaux/psobjs.c +++ b/src/psaux/psobjs.c @@ -186,13 +185,13 @@ /* grow the base block if needed */ if ( table->cursor + length > table->capacity ) { - FT_Error error; - FT_Offset new_size = table->capacity; - FT_Long in_offset; + FT_Error error; + FT_Offset new_size = table->capacity; + FT_PtrDist in_offset; - in_offset = (FT_Long)((FT_Byte*)object - table->block); - if ( (FT_ULong)in_offset >= table->capacity ) + in_offset = (FT_Byte*)object - table->block; + if ( in_offset < 0 || (FT_Offset)in_offset >= table->capacity ) in_offset = -1; while ( new_size < table->cursor + length )
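Review bot: the `in_offset` hunk fixes two things at once and the commit message only names one. The old code first narrowed the pointer difference to `FT_Long` and then relied on `(FT_ULong)in_offset >= table->capacity` to catch a negative difference by unsigned wrap-around; with `FT_PtrDist in_offset` the difference keeps its full width, and the new `in_offset < 0 || (FT_Offset)in_offset >= table->capacity` makes the "object lies outside the block" case explicit instead of implicit. When backporting, please confirm that `FT_PtrDist` and `FT_Offset` are defined in the 2.3.7 headers, since the hunk only applies as-is against the upstream tree.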
Freetype maintainer just committed this regarding this bug: diff --git a/ChangeLog b/ChangeLog index 25fb10c..c58d6bf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2011-07-08 Werner Lemberg <wl@gnu.org> + + [psaux] Add better argument check for `callothersubr'. + + * src/psaux/t1decode.c (t1_decoder_parse_charstrings) + <op_callothersubr>: Reject negative arguments. + 2011-07-07 Werner Lemberg <wl@gnu.org> [sfnt] Try harder to find non-zero values for ascender and descender. diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c index ea31c51..a60ec38 100644 --- a/src/psaux/t1decode.c +++ b/src/psaux/t1decode.c @@ -687,6 +686,9 @@ subr_no = (FT_Int)( top[1] >> 16 ); arg_cnt = (FT_Int)( top[0] >> 16 ); + if ( arg_cnt < 0 || subr_no < 0 ) + goto Unexpected_OtherSubr; + /***********************************************************/ /* */ /* remove all operands to callothersubr from the stack */
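Review bot: the `if ( arg_cnt < 0 || subr_no < 0 ) goto Unexpected_OtherSubr;` test in the t1decode.c hunk is placed before the operands are removed from the stack, which is where it has to be, but `subr_no` and `arg_cnt` are read from `top[1]` and `top[0]` and the guard that guarantees two operands are on the stack lies above the hunk's context; please confirm that underflow check precedes these reads. Jumping to Unexpected_OtherSubr silently is acceptable for the decoder, but an FT_ERROR/FT_TRACE line naming the rejected `arg_cnt`/`subr_no` values would help when triaging malformed fonts.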
Created attachment 439015 [details] patch. This patch fixes the crash for me.
also check this thread: https://lists.nongnu.org/archive/html/freetype-devel/2011-07/msg00014.html
CVE-2011-0226
The SWAMPID for this issue is 42234. This issue was rated as important. Please submit fixed packages by 2011-07-25. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
Great analysis of the bug here: http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit . I will attach the font used.
Created attachment 440862 [details] The font used in the exploit
Created attachment 440920 [details] patch for CVE-2011-0226. It seems this is the patch based on that (according to the upstream git commits).
Created attachment 441251 [details] Modified 440920: patch for CVE-2011-0226. The provided patch (#440920) does not apply cleanly on our version 2.3.7 (9 of 12 hunks fail). I modified it to make it apply, but this needs close checking by C experts, please. You can see it here: https://build.suse.de/package/show?package=freetype2&project=home%3Akeichwa%3Abranches%3ASUSE%3ASLE-11-SP1%3AUpdate%3ATest Once approved, I'll change it for SLE10 and SLE9 accordingly.
Created attachment 441360 [details] Modified 440920: patch for CVE-2011-0226. The provided patch (#440920) does not apply cleanly on our version 2.3.12 coming with openSUSE 11.3 (1 of 12 hunks fail). I modified it to make it apply, but this needs close checking by C experts, please. You can see it here: https://build.suse.de/package/show?package=freetype2&project=home%3Akeichwa%3Abranches%3AopenSUSE.org%3AopenSUSE%3A11.3%3AUpdate%3ATest
Untested packages submitted. SLE10 doesn't seem to be affected (wild guess, please confirm).
(In reply to comment #15) > Untested packages submitted. SLE10 doesn't seem to be affected (wild guess, > please confirm). On SLE10 we ship 2.1.10 and on SLE9 2.1.7. I guess they are affected as well (the patch applies at least partially). Then the Factory update is still missing. Can I submit it straight to the OBS?
Note that I used a different patch (bnc704612_othersubr.diff). You may want to use the same one for Factory for consistency. Note also that you have to add it to both specfiles. SLE10: a partially applying patch doesn't mean that SLES10 is affected. The SLES10 freetype2 neither does those <<16 >>16 shifts, nor has that "wish me luck" part.
Ok, thanks a lot. I now also submitted a SR to factory: #76760. I consider it done.
Please reassign security bugs back to the security team for tracking. I am not sure what you submitted, let's see.
https://build.opensuse.org/request/show/76843 forwarded to Factory.
FWIW, Werner pointed me to this description of why the fix does the weird casting: http://lists.gnu.org/archive/html/freetype-devel/2011-07/msg00034.html http://lists.gnu.org/archive/html/freetype-devel/2011-07/msg00037.html
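To make the two ps_table_add() checks discussed in this thread concrete, here is a minimal model of that function; this is an added example, not FreeType's own code, and the type, error and function names in it are assumptions. It keeps the fixed `idx >= max_elems` comparison and computes the in-block offset as a signed pointer difference (the FT_PtrDist change), so an object that points into the table's own block survives the realloc.

```c
/* Added example, not FreeType's code: a minimal model of ps_table_add() with the two
 * checks discussed in this bug: idx >= max_elems and a signed in-block pointer offset. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
enum { ERR_OK = 0, ERR_INVALID_ARGUMENT = 6, ERR_OUT_OF_MEMORY = 64 };

typedef struct {
    unsigned char *block, **elements;   /* block: one growable buffer; elements[i] points into it */
    size_t cursor, capacity;            /* bytes used / allocated in block */
    int max_elems;                      /* number of slots in elements[] */
} ps_table;
int ps_table_add(ps_table *t, int idx, const void *object, size_t length)
{
    /* idx == max_elems is one slot past the end; the old `>` test let it through */
    if (idx < 0 || idx >= t->max_elems) return ERR_INVALID_ARGUMENT;
    if (t->cursor + length > t->capacity) {
        /* object may point into block, which realloc() is about to move: keep its
         * offset as a signed difference (FT_PtrDist upstream), -1 when outside */
        ptrdiff_t in_offset = t->block ? (const unsigned char *)object - t->block : -1;
        if (in_offset < 0 || (size_t)in_offset >= t->capacity) in_offset = -1;
        size_t new_size = t->capacity ? t->capacity : 64;
        while (new_size < t->cursor + length) new_size *= 2;
        unsigned char *nb = realloc(t->block, new_size);
        if (!nb) return ERR_OUT_OF_MEMORY;
        for (int i = 0; i < t->max_elems; i++)          /* rebase into moved block */
            if (t->elements[i]) t->elements[i] = nb + (t->elements[i] - t->block);
        t->block = nb;
        t->capacity = new_size;
        if (in_offset >= 0) object = t->block + in_offset;
    }
    t->elements[idx] = t->block + t->cursor;
    memcpy(t->elements[idx], object, length);
    t->cursor += length;
    return ERR_OK;
}
/* Returns 0 when every check behaves as the fixed code should. */
int ps_table_selftest(void)
{
    unsigned char big[60], *slots[2] = { 0, 0 };
    ps_table t = { 0, slots, 0, 0, 2 };                 /* two slots, no block yet */
    memset(big, 'A', sizeof big);
    if (ps_table_add(&t, 2, big, 3) != ERR_INVALID_ARGUMENT) return 1;   /* the off-by-one */
    if (ps_table_add(&t, -1, big, 3) != ERR_INVALID_ARGUMENT) return 2;
    if (ps_table_add(&t, 0, big, sizeof big) != ERR_OK) return 3;        /* block grows to 64 */
    if (ps_table_add(&t, 1, t.elements[0], sizeof big) != ERR_OK) return 4; /* source inside block */
    if (t.capacity != 128 || memcmp(t.elements[1], big, sizeof big) != 0) return 5;
    free(t.block);
    return 0;
}
```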
I am not sure that the patch fixes the issue. :/ And that oS 11.3 and 11.4 are the only ones affected. :(
SLE11 SP1 patchinfo submitted too.
Update released for: freetype2-devel, libfreetype6
Products: openSUSE 11.3 (debug, i586, x86_64), openSUSE 11.4 (debug, i586, x86_64)
The active part of the patch is the added new test in the default: case. This default: case is empty and falls through to SyntaxError in SLES 10 and older distributions, so they are not affected. Updates were released.
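The negative-argument test on the `callothersubr` operands (the `>> 16` decoding and the `arg_cnt < 0 || subr_no < 0` rejection discussed above), modelled as an added example that is not FreeType's code; the decoder-stack layout follows the Type 1 operand order and the function and error names are assumptions.

```c
/* Added example, not FreeType's code: a model of the negative-argument test on
 * the `callothersubr` operands discussed in this thread. Operands are 16.16
 * fixed values as on FreeType's decoder stack; the names here are assumptions. */
#include <stdint.h>

enum { T1_OK = 0, T1_STACK_UNDERFLOW = 1, T1_UNEXPECTED_OTHERSUBR = 2 };

/* stack[0..*top) holds the operands: the n arguments, then n, then othersubr#
 * (Type 1 order: arg1 ... argn n othersubr# callothersubr). On success *top is
 * moved below every consumed operand. */
int callothersubr_pop(const int32_t *stack, int *top, int *subr_out, int *argc_out)
{
    if (*top < 2) return T1_STACK_UNDERFLOW;
    int subr_no = (int)(stack[*top - 1] >> 16);   /* top[1] >> 16 in the patch */
    int arg_cnt = (int)(stack[*top - 2] >> 16);   /* top[0] >> 16 in the patch */
    int remaining = *top - 2;

    /* The added test. Without it a negative n passes the signed underflow
     * comparison below and moves the stack pointer up instead of down. */
    if (arg_cnt < 0 || subr_no < 0) return T1_UNEXPECTED_OTHERSUBR;

    if (arg_cnt > remaining) return T1_STACK_UNDERFLOW;   /* fewer args than n claims */
    *top = remaining - arg_cnt;
    *subr_out = subr_no;
    *argc_out = arg_cnt;
    return T1_OK;
}

/* Returns 0 when a well-formed call is accepted and the malformed ones rejected. */
int callothersubr_selftest(void)
{
    int top, subr, argc;
    /* constructed stacks: args 10 and 20, then n, then othersubr# 3 */
    int32_t good[4] = { 10 * 65536, 20 * 65536,  2 * 65536, 3 * 65536 };
    int32_t neg[4]  = { 10 * 65536, 20 * 65536, -1 * 65536, 3 * 65536 };
    int32_t few[4]  = { 10 * 65536, 20 * 65536,  5 * 65536, 3 * 65536 };
    top = 4;
    if (callothersubr_pop(good, &top, &subr, &argc) != T1_OK) return 1;
    if (top != 0 || subr != 3 || argc != 2) return 2;
    top = 4;   /* n = -1: rejected outright by the new test */
    if (callothersubr_pop(neg, &top, &subr, &argc) != T1_UNEXPECTED_OTHERSUBR) return 3;
    top = 4;   /* n = 5 but only two arguments were pushed */
    if (callothersubr_pop(few, &top, &subr, &argc) != T1_STACK_UNDERFLOW) return 4;
    return 0;
}
```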