Stack-based buffer overflow in FontForge 20100501 allows remote attackers to
cause a denial of service (application crash) or possibly execute arbitrary
code via a long CHARSET_REGISTRY header in a BDF font file.
Maintainers, can we go stable with a later version? There're already two newer versions in the tree.
arch teams, please, stabilize media-gfx/fontforge-20110222-r1. TIA.
Please don't touch the summary.
whoever touched the summary, it's not been changed back.
20100501 failed emerge.
The initial 20110222-r1 all ok
(In reply to comment #4)
> whoever touched the summary, it's not been changed back.
> 20100501 failed emerge.
> The initial 20110222-r1 all ok
The version to test is the _same_ . The probles is how to declare vulnerable version. But I leave the pleasure to declare to other @security staff (if is needed) since I'm not able to do it :p
The version in the summary is the vulnerable version. I thought the fact that it was already stable might have clued you in. Try reading comment #1.
Ryan, thanks for having an eye on that. However, Agostino's change was fine. Security usually wants to have the fixed version in the summary field, so that'd be "<media-gfx/fontforge-20110222-r1". I put in "<=media-gfx/fontforge-20100501" at first because we didn't know yet what version was going to be targeted for stabilization.
Stable for HPPA.
But now it indicates that all versions before 20110222-r1 are vulnerable, which isn't true.
Whatever, you guys know what you're doing. I'll stay out of it.
Thanks, everyone. GLSA request filed.
This issue was resolved and addressed in
GLSA 201201-08 at http://security.gentoo.org/glsa/glsa-201201-08.xml
by GLSA coordinator Sean Amoss (ackle).