Hi,

latest glsa-check on my system results in:

GLSA 201201-09:
FreeType: Multiple vulnerabilities
============================================================================
Synopsis: Multiple vulnerabilities have been found in FreeType, allowing remote attackers to possibly execute arbitrary code or cause a Denial of Service.
Announced on: January 23, 2012
Last revised on: January 23, 2012 : 01

Affected package: media-libs/freetype
Affected archs: All
Vulnerable: <2.4.8
Unaffected: >=2.4.8
[....]

So I checked which versions are installed:

# eix freetype

[D] media-libs/freetype
Available versions:
(1) 1.4_pre20080316-r2
(2) 2.4.6
[...]

To see who's using the older release I used

emerge -pv --depclean media-libs/freetype

and this results in:

media-libs/freetype-1.4_pre20080316-r2 pulled in by:
app-text/texlive-2011

So I'm not sure if this is a real problem, but I'm also not sure if this is supposed to be as it is.

Thanks for checking. If you need more information, please let me know.

Cheers
Heinrich

Reproducible: Always

(In reply to comment #0)
> # eix freetype
>
> [D] media-libs/freetype
> Available versions:
> (1) 1.4_pre20080316-r2
> (2) 2.4.6

eix output is only reliable if you care to run eix-update once in a while. :)

I wonder if the GLSA is accurate in this respect - it appears to say <2.4.8 is affected but that doesn't mean the older SLOT is as well. Please take that up on the other bug.

*** This bug has been marked as a duplicate of bug 390623 ***

ok, my mistake, after running eix-update I get:

# eix freetype

[I] media-libs/freetype
Available versions:
(1) 1.4_pre20080316-r2
(2) 2.4.7 2.4.8
[...]

The main issue remains, app-text/texlive-2011 depends on media-libs/freetype-1.4_pre20080316-r2 and this might be affected by GLSA 201201-09. But I can't say for sure, of course.

Thanks.