Freetype is also affected by IDEF739. See bug #172575.
Planned public release sometime next week, but the patches are already available in upstream CVS, so release might be sooner. CC'ing Chris to keep him up to speed. Foser, please advise.
If the patches are already in upstream CVS, can we just pull them and *silently* add them to the release snapshot? Users will still be upgrading to the latest version some time after install, but their initial install won't be vulnerable to this, either.
Chris, I would suppose so. Either way I think this will go full public before 2007.0 release date so just go ahead. If you have a fixed ebuild before foser posts here, please attach it here.
Adding Ryan as he seems to have made the last bumps.
Apologies for my afkish-ness. Just added freetype-2.1.10-r3 and freetype-2.3.2-r3 with the fix for testing. The one to push for stable is the 2.1 series. The patch applied to 2.1.10 without problems and I couldn't find any obvious differences in the patched code that would make it unreliable, but a double check wouldn't hurt.
public: http://secunia.com/advisories/24768/ also bug #173438
*** Bug 173438 has been marked as a duplicate of this bug. ***
Thx foser/Ryan. Opening since this is now public. Arches please test and mark stable. Target keywords are: freetype-2.1.10-r3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
ia64 + x86 stable
Stable on amd64
ppc64 stable
sparc stable.
ppc stable
Stable for HPPA.
alpha done
This one is ready for GLSA.
GLSA 200705-02, thanks everybody