172577 – media-libs/freetype BDF Font Parsing Integer Overflow (CVE-2007-1351)

Bug 172577 - media-libs/freetype BDF Font Parsing Integer Overflow (CVE-2007-1351)

Summary: media-libs/freetype BDF Font Parsing Integer Overflow (CVE-2007-1351)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	Gentoo Security

URL:	http://secunia.com/advisories/24768/
Whiteboard:	A? [glsa] jaervosz
Keywords:

Duplicates (1):	173438 (view as bug list)
Depends on:
Blocks:

Reported:	2007-03-28 17:33 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified:	2020-03-28 22:35 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-03-28 17:33:41 UTC

Freetype is also affected by IDEF739. See bug #172575.

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-03-28 17:36:12 UTC

Planned public release sometime next week but the patches are already available in upstream CVS so release might be sooner.

CC'ing Chris to keep him up to speed.

Foser please advise.

Comment 2 Chris Gianelloni (RETIRED) gentoo-dev

2007-03-28 22:58:45 UTC

If the patches are already in upstream CVS, can we just pull them and *silently* add them to the release snapshot?  Users will still be upgrading to the latest version some time after install, but their initial install won't be vulnerable to this, either.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-03-29 14:16:37 UTC

Chris I would suppose so. Either way I think this will go full public before 2007.0 release date so just go ahead.

If you have a fixed ebuild before foser posts here, please attach it here.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-04-04 06:42:45 UTC

Adding Ryan as he seems to have made the last bumps.

Comment 5 foser (RETIRED) gentoo-dev

2007-04-04 14:24:14 UTC

Apologies for my afkish-ness . Just added freetype-2.1.10-r3 and freetype-2.3.2-r3 with the fix for testing.

The one to push for stable is the 2.1 series . The patch applied to 2.1.10 without problems and I couldn't find any obvious differences in the patched code that would make it unreliable, but a double check wouldn't hurt.

Comment 6 Ryan Hill (RETIRED) gentoo-dev

2007-04-06 00:29:08 UTC

public: http://secunia.com/advisories/24768/
also bug #173438

Comment 7 Ryan Hill (RETIRED) gentoo-dev

2007-04-06 21:32:32 UTC

*** Bug 173438 has been marked as a duplicate of this bug. ***

Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-04-11 10:15:08 UTC

Thx foser/Ryan.

Opening since this is now public.

Arches please test and mark stable. Target keywords are:

freetype-2.1.10-r3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2007-04-11 11:44:54 UTC

ia64 + x86 stable

Comment 10 Peter Weller (RETIRED) gentoo-dev

2007-04-11 13:26:46 UTC

Stable on amd64

Comment 11 Markus Rothe (RETIRED) gentoo-dev

2007-04-11 14:14:52 UTC

ppc64 stable

Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev

2007-04-11 14:39:07 UTC

sparc stable.

Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev

2007-04-11 19:53:21 UTC

ppc stable

Comment 14 Jeroen Roovers (RETIRED) gentoo-dev

2007-04-12 08:14:06 UTC

Stable for HPPA.

Comment 15 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev

2007-04-12 08:56:08 UTC

alpha done

Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-04-12 09:19:51 UTC

This one is ready for GLSA.

Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-05-02 03:03:34 UTC

GLSA 200705-02, thanks everybody