Summary: | <media-gfx/fontforge-20110222-r1: Execution of arbitrary code (CVE-2010-4259) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | fonts |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | B2 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2011-10-08 13:38:48 UTC
arch teams, please, stabilize media-gfx/fontforge-20110222-r1. TIA.

amd64 ok

Please don't touch the summary.

whoever touched the summary, it's not been changed back.

20100501 failed emerge.

The initial 20110222-r1 all ok

(In reply to comment #4)
> whoever touched the summary, it's not been changed back.
>
> 20100501 failed emerge.
>
> The initial 20110222-r1 all ok

The version to test is the _same_. The problem is how to declare the vulnerable version. But I leave the pleasure to declare it to other @security staff (if it is needed) since I'm not able to do it :p

The version in the summary is the vulnerable version. I thought the fact that it was already stable might have clued you in. Try reading comment #1.

Ryan, thanks for having an eye on that. However, Agostino's change was fine. Security usually wants to have the fixed version in the summary field, so that'd be "<media-gfx/fontforge-20110222-r1". I put in "<=media-gfx/fontforge-20100501" at first because we didn't know yet what version was going to be targeted for stabilization.

x86 stable

amd64 done

Stable for HPPA.

ppc/ppc64 stable

But now it indicates that all versions before 20110222-r1 are vulnerable, which isn't true. Whatever, you guys know what you're doing. I'll stay out of it.

alpha/arm/ia64/s390/sh/sparc stable

Thanks, everyone. GLSA request filed.

This issue was resolved and addressed in GLSA 201201-08 at http://security.gentoo.org/glsa/glsa-201201-08.xml by GLSA coordinator Sean Amoss (ackle).