Two GLSAs refer to a currently-stable package version: 2012-01-09 and 2012-04-04 (just released). In both cases the GLSA refers to slot 1 of media-libs/freetype, which isn't masked. So, either that package is vulnerable and should be fixed/masked, or the GLSAs are wrong and need to make an exception for slot 1.
(In reply to comment #0)
> So, either that package is vulnerable and should be fixed/masked, or the
> glsas are wrong and need to make an exception for slot 1.

Thanks for the bug. We started this conversation in https://bugs.gentoo.org/show_bug.cgi?id=390623#c14. It is likely vulnerable and is certainly not supported upstream.

@fonts, can we move forward and mask freetype:1, please?

@tex, it looks like texlive (and games-action/heavygear2) is the only package requiring freetype:1. Can it be updated?
(In reply to comment #1)
> @tex, it looks like texlive (and games-action/heavygear2) is the only
> package requiring freetype:1. Can it be updated?

As of texlive, it's required for ttf2pk :( There's a ttf2pk2, based on freetype-2 in the texlive source, but it's not 100% feature equivalent and it doesn't install properly with texlive 2011. Since the one from texlive svn installs properly, I'll make it use ttf2pk2 regardless of the small feature loss with texlive 2012, I suppose.
(In reply to comment #2)
> as of texlive, it's required for ttf2pk :(
> there's a ttf2pk2, based on freetype-2 in texlive source, but it's not 100%
> feature equivalent and it doesnt install properly with texlive 2011.
> Since the one from texlive svn installs properly, I'll make it use ttf2pk2
> regardless of the small feature loss with texlive 2012 I suppose.

Thanks, Alexis. @fonts, if we overcome texlive's dependence on freetype:1, can we mask freetype:1?
Please do.
Alright, @tex, ball is in your court. ;)
Just added app-text/ttf2pk2; lemme add a || dep to texlive and file the kwreq bug.
OK, keywording goes on in bug #417685.
There is no upgrade path for media-libs/freetype-1.4_pre20080316-r2. Many packages now use freetype version 2 (there are two branches of versions). When packages use the upgraded version, depclean does not get rid of version 1, probably because they are branched. The obvious workaround is to unmerge it. I tried it and revdep-rebuild didn't require I build it again. Perhaps the GLSA fix is to emerge --unmerge media-libs/freetype:1
(In reply to comment #7)
> ok, keywording goes on in bug #417685

Keywording of ttf2pk2 is done. What next? ;)
(In reply to comment #9)
> (In reply to comment #7)
> > ok, keywording goes on in bug #417685
>
> Keywording of ttf2pk2 is done. What next? ;)

Wait for texlive 2012 to go stable, I'd say :)
*** Bug 448666 has been marked as a duplicate of this bug. ***
# Ben de Groot <yngwin@gentoo.org> (25 Apr 2013)
# freetype:1 has multiple issues, including security vulnerabilities,
# see bugs 412499, 430530, 406891, 448550, 466308.
# No longer supported upstream, nor in practice by us.
# Masked for removal in 30 days, unless someone steps up to maintain this
# and address all issues; (possible candidate for graveyard overlay).
=media-libs/freetype-1.4*
games-action/heavygear2
Originally a GLSA error. Packages removed years ago to mitigate the originally reported vulnerability.