Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 172577

Summary: media-libs/freetype BDF Font Parsing Integer Overflow (CVE-2007-1351)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: bernd, chainsaw, foser, rhill
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/24768/
Whiteboard: A? [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-28 17:33:41 UTC 
Freetype is also affected by IDEF739. See bug #172575.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-28 17:36:12 UTC 
Planned public release sometime next week but the patches are already available in upstream CVS so release might be sooner.

CC'ing Chris to keep him up to speed.

Foser please advise.
Comment 2 Chris Gianelloni (RETIRED) gentoo-dev 2007-03-28 22:58:45 UTC 
If the patches are already in upstream CVS, can we just pull them and *silently* add them to the release snapshot?  Users will still be upgrading to the latest version some time after install, but their initial install won't be vulnerable to this, either.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-29 14:16:37 UTC 
Chris I would suppose so. Either way I think this will go full public before 2007.0 release date so just go ahead.

If you have a fixed ebuild before foser posts here, please attach it here.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-04 06:42:45 UTC 
Adding Ryan as he seems to have made the last bumps.
Comment 5 foser (RETIRED) gentoo-dev 2007-04-04 14:24:14 UTC 
Apologies for my afkish-ness . Just added freetype-2.1.10-r3 and freetype-2.3.2-r3 with the fix for testing.

The one to push for stable is the 2.1 series . The patch applied to 2.1.10 without problems and I couldn't find any obvious differences in the patched code that would make it unreliable, but a double check wouldn't hurt.
Comment 6 Ryan Hill (RETIRED) gentoo-dev 2007-04-06 00:29:08 UTC 
public: http://secunia.com/advisories/24768/
also bug #173438
Comment 7 Ryan Hill (RETIRED) gentoo-dev 2007-04-06 21:32:32 UTC 
*** Bug 173438 has been marked as a duplicate of this bug. ***
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 10:15:08 UTC 
Thx foser/Ryan.

Opening since this is now public.

Arches please test and mark stable. Target keywords are:

freetype-2.1.10-r3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2007-04-11 11:44:54 UTC 
ia64 + x86 stable
Comment 10 Peter Weller (RETIRED) gentoo-dev 2007-04-11 13:26:46 UTC 
Stable on amd64
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2007-04-11 14:14:52 UTC 
ppc64 stable
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-11 14:39:07 UTC 
sparc stable.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-11 19:53:21 UTC 
ppc stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2007-04-12 08:14:06 UTC 
Stable for HPPA.
Comment 15 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-12 08:56:08 UTC 
alpha done
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-12 09:19:51 UTC 
This one is ready for GLSA.
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-02 03:03:34 UTC 
GLSA 200705-02, thanks everybody