freetype-devel

Re: [ft-devel] Potential Timing Side-channel in Freetype Library


From: Daimeng Wang
Subject: Re: [ft-devel] Potential Timing Side-channel in Freetype Library
Date: Mon, 18 Feb 2019 18:32:08 -0800

I'm CCing my advisor, Prof. Zhiyun Qian, as well.

On Mon, Feb 18, 2019 at 6:31 PM Daimeng Wang <address@hidden> wrote:
Dear Freetype Development Team,

We're a group of researchers from the University of California, Riverside. We recently discovered that the outline processing (font translation/decomposition) subroutine in Freetype version 2.9.1 takes a variable amount of time depending on which character is to be rendered. As a result, an unprivileged attacker could potentially utilize a flush+reload cache side-channel attack to measure the execution time of said subroutine to infer user input. Although in most applications this subroutine is performed only once for each character of the same font type, we found that for some applications this is enough for an attacker to extract sensitive information.

For detailed information please refer to our paper in the link below. We would be very happy to work with you to address this issue. Please let us know what you think.

https://www.cs.ucr.edu/~zhiyunq/pub/ndss19_cache_keystrokes.pdf

Sincerely,
Daimeng Wang

--
Daimeng Wang
Department of Computer Science & Engineering
University of California, Riverside




--
Daimeng (Desmond) Wang
Department of Computer Science & Engineering
University of California, Riverside


