
Bug 386293 (CVE-2010-4259)

Summary: <media-gfx/fontforge-20110222-r1: Execution of arbitrary code (CVE-2010-4259)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: fonts
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 13:38:48 UTC
CVE-2010-4259 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4259):
  Stack-based buffer overflow in FontForge 20100501 allows remote attackers to
  cause a denial of service (application crash) or possibly execute arbitrary
  code via a long CHARSET_REGISTRY header in a BDF font file.


Maintainers, can we go stable with a later version? There're already two newer versions in the tree.
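The CVE text above describes an overflow while reading the CHARSET_REGISTRY header of a BDF file. The following is an added illustration of a bounded reader for that field, written for this page and not taken from FontForge: the BDF_VALUE_MAX limit, the function name bdf_get_charset_registry, the status codes and the sample header are all constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed limit for one property value; not a FontForge constant. */
#define BDF_VALUE_MAX 64

enum bdf_status { BDF_OK = 0, BDF_NOT_FOUND = 1, BDF_TOO_LONG = 2 };

/* Constructed sample BDF header, reduced to the lines relevant here. */
static const char SAMPLE_BDF[] =
    "STARTFONT 2.1\n"
    "STARTPROPERTIES 2\n"
    "CHARSET_REGISTRY \"ISO10646\"\n"
    "CHARSET_ENCODING \"1\"\n"
    "ENDPROPERTIES\n";

/* The bug class named in CVE-2010-4259 is copying a header value of
 * file-controlled length into a fixed-size stack buffer. This reader
 * measures the value first and refuses anything that does not fit in
 * the caller's buffer, so an overlong value is an error, not a write
 * past the end of the buffer. */
enum bdf_status bdf_get_charset_registry(const char *bdf, char *out, size_t outlen)
{
    static const char key[] = "CHARSET_REGISTRY ";
    const size_t klen = sizeof key - 1;
    const char *line = bdf;

    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= klen && strncmp(line, key, klen) == 0) {
            size_t vlen = len - klen;
            if (vlen + 1 > outlen)      /* value plus NUL must fit */
                return BDF_TOO_LONG;
            memcpy(out, line + klen, vlen);
            out[vlen] = '\0';
            return BDF_OK;
        }
        line = eol ? eol + 1 : NULL;    /* advance to the next header line */
    }
    return BDF_NOT_FOUND;
}

int main(void)
{
    char reg[BDF_VALUE_MAX];
    if (bdf_get_charset_registry(SAMPLE_BDF, reg, sizeof reg) == BDF_OK)
        printf("CHARSET_REGISTRY = %s\n", reg);
    return 0;
}
```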
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2011-10-08 15:28:08 UTC
arch teams, please, stabilize media-gfx/fontforge-20110222-r1. TIA.
Comment 2 Agostino Sarubbo gentoo-dev 2011-10-08 16:51:57 UTC
amd64 ok
Comment 3 Ryan Hill (RETIRED) gentoo-dev 2011-10-08 17:57:43 UTC
Please don't touch the summary.
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-10-08 18:21:17 UTC
whoever touched the summary, it's not been changed back.

20100501 failed emerge.

The initial 20110222-r1 all ok
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-08 18:26:27 UTC
(In reply to comment #4)
> whoever touched the summary, it's not been changed back.
> 
> 20100501 failed emerge.
> 
> The initial 20110222-r1 all ok

The version to test is the _same_. The problem is how to declare the vulnerable version. But I leave the pleasure of declaring it to other @security staff (if it is needed) since I'm not able to do it :p
Comment 6 Ryan Hill (RETIRED) gentoo-dev 2011-10-08 18:43:00 UTC
The version in the summary is the vulnerable version.  I thought the fact that it was already stable might have clued you in.  Try reading comment #1.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 18:51:36 UTC
Ryan, thanks for having an eye on that. However, Agostino's change was fine. Security usually wants to have the fixed version in the summary field, so that'd be "<media-gfx/fontforge-20110222-r1". I put in "<=media-gfx/fontforge-20100501" at first because we didn't know yet what version was going to be targeted for stabilization.
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-08 19:37:29 UTC
x86 stable
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-10-09 15:09:27 UTC
amd64 done
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-09 17:11:39 UTC
Stable for HPPA.
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-09 18:31:59 UTC
ppc/ppc64 stable
Comment 12 Ryan Hill (RETIRED) gentoo-dev 2011-10-10 03:07:34 UTC
But now it indicates that all versions before 20110222-r1 are vulnerable, which isn't true.

Whatever, you guys know what you're doing.  I'll stay out of it.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2011-10-12 15:21:50 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-10-12 15:24:44 UTC
Thanks, everyone. GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 12:18:47 UTC
This issue was resolved and addressed in GLSA 201201-08 at http://security.gentoo.org/glsa/glsa-201201-08.xml by GLSA coordinator Sean Amoss (ackle).