diff --git a/.gitignore b/.gitignore
index e1f5eb2..15d9d9f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,6 @@ ft2demos-2.4.2.tar.bz2
 /freetype-2.4.8.tar.bz2
 /freetype-doc-2.4.8.tar.bz2
 /ft2demos-2.4.8.tar.bz2
+/freetype-2.4.9.tar.bz2
+/freetype-doc-2.4.9.tar.bz2
+/ft2demos-2.4.9.tar.bz2
diff --git a/freetype-2.4.9-CVE-2012-1139.patch b/freetype-2.4.9-CVE-2012-1139.patch
new file mode 100644
index 0000000..380b3da
--- /dev/null
+++ b/freetype-2.4.9-CVE-2012-1139.patch
@@ -0,0 +1,11 @@
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -842,7 +842,7 @@
+ };
+
+
+-#define isdigok( m, d ) (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
++#define isdigok( m, d ) (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+
+
+ /* Routine to convert an ASCII string into an unsigned long integer. */
diff --git a/freetype-2.4.9-CVE-2012-1141.patch b/freetype-2.4.9-CVE-2012-1141.patch
new file mode 100644
index 0000000..71ac06b
--- /dev/null
+++ b/freetype-2.4.9-CVE-2012-1141.patch
@@ -0,0 +1,10 @@
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -569,6 +569,7 @@
+ list->field[1] = (char*)empty;
+ list->field[2] = (char*)empty;
+ list->field[3] = (char*)empty;
++ list->field[4] = (char*)empty;
+ }
+
+ /* If the line is empty, then simply return. */
diff --git a/freetype-2.4.9-incremental-interface.patch b/freetype-2.4.9-incremental-interface.patch
new file mode 100644
index 0000000..4dc741d
--- /dev/null
+++ b/freetype-2.4.9-incremental-interface.patch
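Review bot: In the new `isdigok` (freetype-2.4.9-CVE-2012-1139.patch) only the table index is cast; the bit position still uses the raw `(d)`, so the macro expands `d` twice with two different types. The cast keeps a byte at or above 0x80 from becoming a negative index where `char` is signed, but masking the uncast value depends on how the platform represents negative integers. Casting both uses and parenthesising `m` keeps the macro self-consistent: `#define isdigok( m, d ) ( (m)[(unsigned char)(d) >> 3] & ( 1 << ( (unsigned char)(d) & 7 ) ) )`. The digit tables are declared outside the hunk, so it is worth confirming they hold at least 32 bytes, the range the cast index can reach.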
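Review bot: The added `list->field[4] = (char*)empty;` (freetype-2.4.9-CVE-2012-1141.patch) writes a fifth slot, but the condition guarding this block and the allocation of `list->field` both lie outside the hunk, so nothing visible shows that the array always has five entries when this branch runs. If the guard only tests for a non-zero size, it should test for at least five, or the pre-fill should loop up to the allocated size instead of listing indices by hand. A comment at the block such as `/* pre-fill every slot a caller may read without checking list->used */` would record why five entries are set; the exact wording needs confirming against the callers.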
@@ -0,0 +1,88 @@
+--- a/src/type1/t1load.c
++++ b/src/type1/t1load.c
+@@ -71,6 +71,13 @@
+ #include "t1errors.h"
+
+
++#ifdef FT_CONFIG_OPTION_INCREMENTAL
++#define IS_INCREMENTAL ( face->root.internal->incremental_interface != 0 )
++#else
++#define IS_INCREMENTAL 0
++#endif
++
++
+ /*************************************************************************/
+ /* */
+ /* The macro FT_COMPONENT is used in trace mode. It is an implicit */
+@@ -1030,7 +1037,8 @@
+ static int
+ read_binary_data( T1_Parser parser,
+ FT_Long* size,
+- FT_Byte** base )
++ FT_Byte** base,
++ FT_Bool incremental )
+ {
+ FT_Byte* cur;
+ FT_Byte* limit = parser->root.limit;
+@@ -1065,8 +1073,12 @@
+ }
+ }
+
+- FT_ERROR(( "read_binary_data: invalid size field\n" ));
+- parser->root.error = T1_Err_Invalid_File_Format;
++ if( !incremental )
++ {
++ FT_ERROR(( "read_binary_data: invalid size field\n" ));
++ parser->root.error = T1_Err_Invalid_File_Format;
++ }
++
+ return 0;
+ }
+
+@@ -1396,7 +1408,7 @@
+
+ idx = T1_ToInt( parser );
+
+- if ( !read_binary_data( parser, &size, &base ) )
++ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
+ return;
+
+ /* The binary string is followed by one token, e.g. `NP' */
+@@ -1582,7 +1594,7 @@
+ cur++; /* skip `/' */
+ len = parser->root.cursor - cur;
+
+- if ( !read_binary_data( parser, &size, &base ) )
++ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
+ return;
+
+ /* for some non-standard fonts like `Optima' which provides */
+@@ -1871,7 +1883,7 @@
+
+
+ parser->root.cursor = start_binary;
+- if ( !read_binary_data( parser, &s, &b ) )
++ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
+ return T1_Err_Invalid_File_Format;
+ have_integer = 0;
+ }
+@@ -1884,7 +1896,7 @@
+
+
+ parser->root.cursor = start_binary;
+- if ( !read_binary_data( parser, &s, &b ) )
++ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
+ return T1_Err_Invalid_File_Format;
+ have_integer = 0;
+ }
+@@ -2160,9 +2172,7 @@
+ type1->subrs_len = loader.subrs.lengths;
+ }
+
+-#ifdef FT_CONFIG_OPTION_INCREMENTAL
+- if ( !face->root.internal->incremental_interface )
+-#endif
++ if ( !IS_INCREMENTAL )
+ if ( !loader.charstrings.init )
+ {
+ FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
diff --git a/freetype-2.4.9-loop-exit-condition.patch b/freetype-2.4.9-loop-exit-condition.patch
new file mode 100644
index 0000000..9edd4e8
--- /dev/null
+++ b/freetype-2.4.9-loop-exit-condition.patch
@@ -0,0 +1,16 @@
+--- a/src/type1/t1load.c
++++ b/src/type1/t1load.c
+@@ -1399,9 +1399,10 @@
+ FT_Byte* base;
+
+
+- /* If the next token isn't `dup' we are done. */
+- if ( parser->root.cursor + 4 < parser->root.limit &&
+- ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
++ /* If we are out of data, or if the next token isn't `dup', */
++ /* we are done. */
++ if ( parser->root.cursor + 4 >= parser->root.limit ||
++ ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+ break;
+
+ T1_Skip_PS_Token( parser ); /* `dup' */
diff --git a/freetype.spec b/freetype.spec
index 8435547..83f9394 100644
--- a/freetype.spec
+++ b/freetype.spec
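Review bot: With `incremental` set, the invalid-size path of `read_binary_data` (freetype-2.4.9-incremental-interface.patch) returns 0 without setting `parser->root.error` or logging anything, yet the call sites in the inner hunks at -1871 and -1884 still return `T1_Err_Invalid_File_Format` on that same 0. The suppression therefore only takes effect at the callers that plainly `return;`, and a malformed size field there leaves no trace. If that asymmetry is intended, it needs a comment on the new branch, for example `/* with an incremental interface the charstrings come from the client, so a missing size field is not fatal here */`; that rationale is inferred and should be confirmed. `IS_INCREMENTAL` also reads a local named `face` that is not a macro argument, which deserves a one-line comment at its definition. All of the touched functions begin and end outside the hunks shown.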
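Review bot: The new bound check `parser->root.cursor + 4 >= parser->root.limit` (freetype-2.4.9-loop-exit-condition.patch) forms a pointer four bytes past the cursor before comparing, which C leaves undefined once the cursor is within four bytes of the end of the buffer, assuming `limit` marks that end. Comparing the remaining length gives the same result without the out-of-range pointer: `if ( parser->root.limit - parser->root.cursor <= 4 ||`. The short-circuit order is right as written, since `ft_strncmp` is reached only when enough data remains. The loop this condition belongs to starts and ends outside the hunk.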
@@ -6,8 +6,8 @@ Summary: A free and portable font rendering engine Name: freetype -Version: 2.4.8 -Release: 2%{?dist} +Version: 2.4.9 +Release: 1%{?dist} License: FTL or GPLv2+ Group: System Environment/Libraries URL: http://www.freetype.org @@ -25,6 +25,15 @@ Patch47: freetype-2.3.11-more-demos.patch # Fix multilib conflicts Patch88: freetype-multilib.patch +Patch89: freetype-2.4.9-CVE-2012-1139.patch +Patch90: freetype-2.4.9-CVE-2012-1141.patch + +# https://savannah.nongnu.org/bugs/?35833 +Patch91: freetype-2.4.9-loop-exit-condition.patch + +#https://savannah.nongnu.org/bugs/?35847 +Patch92: freetype-2.4.9-incremental-interface.patch + Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n) BuildRequires: libX11-devel @@ -84,6 +93,10 @@ pushd ft2demos-%{version} popd %patch88 -p1 -b .multilib +%patch89 -p1 -b .CVE-2012-1139 +%patch90 -p1 -b .CVE-2012-1141 +%patch91 -p1 -b .loop-exit-condition +%patch92 -p1 -b .incremental-interface %build @@ -216,6 +229,11 @@ rm -rf $RPM_BUILD_ROOT %doc docs/tutorial %changelog +* Fri Mar 30 2012 Marek Kasik 2.4.9-1 +- Update to 2.4.9 +- Fixes various CVEs +- Resolves: #806270 + * Fri Jan 13 2012 Fedora Release Engineering - 2.4.8-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild diff --git a/sources b/sources index 0d9f9c5..5cdc1d9 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -dbf2caca1d3afd410a29217a9809d397 freetype-2.4.8.tar.bz2 -538c925059e90be23928b454c14df728 freetype-doc-2.4.8.tar.bz2 -f44562cf0b434b6dc3488751f82d99ec ft2demos-2.4.8.tar.bz2 +77a893dae81fd5b896632715ca041179 freetype-2.4.9.tar.bz2 +39c0881d426db837aa6ff1856e44af86 freetype-doc-2.4.9.tar.bz2 +52e6a7e7ba4fecd39562199baac6a7d2 ft2demos-2.4.9.tar.bz2
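Review bot: Patch89 and Patch90 are declared without the upstream reference that Patch91 and Patch92 carry, and the changelog entry in the last freetype.spec hunk says only "Fixes various CVEs". As a result the package metadata records neither where the two CVE patches came from nor which identifiers this build covers. Add a source comment above each declaration, for example `# CVE-2012-1139: <upstream commit or bug URL>`, and name the identifiers in the changelog, for example `- Fixes CVE-2012-1139, CVE-2012-1141`, together with whichever identifiers the 2.4.9 update itself resolves. Explicit identifiers let advisory tooling and auditors match this build to the advisories it closes.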