Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 386293 (CVE-2010-4259) - <media-gfx/fontforge-20110222-r1: Execution of arbitrary code (CVE-2010-4259)
Summary: <media-gfx/fontforge-20110222-r1: Execution of arbitrary code (CVE-2010-4259)
Status: RESOLVED FIXED
Alias: CVE-2010-4259
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-08 13:38 UTC by GLSAMaker/CVETool Bot
Modified: 2012-01-23 12:18 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 13:38:48 UTC
CVE-2010-4259 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4259):
  Stack-based buffer overflow in FontForge 20100501 allows remote attackers to
  cause a denial of service (application crash) or possibly execute arbitrary
  code via a long CHARSET_REGISTRY header in a BDF font file.


Maintainers, can we go stable with a later version? There're already two newer versions in the tree.
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2011-10-08 15:28:08 UTC
arch teams, please, stabilize media-gfx/fontforge-20110222-r1. TIA.
Comment 2 Agostino Sarubbo gentoo-dev 2011-10-08 16:51:57 UTC
amd64 ok
Comment 3 Ryan Hill (RETIRED) gentoo-dev 2011-10-08 17:57:43 UTC
Please don't touch the summary.
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-10-08 18:21:17 UTC
whoever touched the summary, it's not been changed back.

20100501 failed emerge.

The initial 20110222-r1 all ok
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-08 18:26:27 UTC
(In reply to comment #4)
> whoever touched the summary, it's not been changed back.
> 
> 20100501 failed emerge.
> 
> The initial 20110222-r1 all ok

The version to test is the _same_ . The probles is how to declare vulnerable version. But I leave the pleasure to declare to other @security staff (if is needed) since I'm not able to do it :p
Comment 6 Ryan Hill (RETIRED) gentoo-dev 2011-10-08 18:43:00 UTC
The version in the summary is the vulnerable version.  I thought the fact that it was already stable might have clued you in.  Try reading comment #1.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 18:51:36 UTC
Ryan, thanks for having an eye on that. However, Agostino's change was fine. Security usually wants to have the fixed version in the summary field, so that'd be "<media-gfx/fontforge-20110222-r1". I put in "<=media-gfx/fontforge-20100501" at first because we didn't know yet what version was going to be targeted for stabilization.
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-08 19:37:29 UTC
x86 stable
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-10-09 15:09:27 UTC
amd64 done
Comment 10 Jeroen Roovers gentoo-dev 2011-10-09 17:11:39 UTC
Stable for HPPA.
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-09 18:31:59 UTC
ppc/ppc64 stable
Comment 12 Ryan Hill (RETIRED) gentoo-dev 2011-10-10 03:07:34 UTC
But now it indicates that all versions before 20110222-r1 are vulnerable, which isn't true.

Whatever, you guys know what you're doing.  I'll stay out of it.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2011-10-12 15:21:50 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-10-12 15:24:44 UTC
Thanks, everyone. GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 12:18:47 UTC
This issue was resolved and addressed in
 GLSA 201201-08 at http://security.gentoo.org/glsa/glsa-201201-08.xml
by GLSA coordinator Sean Amoss (ackle).