CVE-2010-4259 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4259): Stack-based buffer overflow in FontForge 20100501 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long CHARSET_REGISTRY header in a BDF font file. Maintainers, can we go stable with a later version? There're already two newer versions in the tree.
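As an added example (not code from FontForge or from this bug report), a bounded parser for the BDF CHARSET_REGISTRY header line in C; the limit CHARSET_MAX and the sample header are assumptions. It rejects an overlong value instead of copying it into a fixed-size buffer, which is the pattern that turns a long header into a stack overflow.

```c
#include <string.h>

#define CHARSET_MAX 64  /* assumed limit for this example; real values are short */

/* Parse one BDF header line. Returns 1 if it is a CHARSET_REGISTRY line whose value
 * fits in out, 0 for any other line, -1 if the value is too long. The risky pattern
 * is copying the value into a fixed stack buffer unchecked; here we check first. */
int parse_charset_registry(const char *line, char *out, size_t outsz)
{
    static const char key[] = "CHARSET_REGISTRY";
    size_t klen = sizeof key - 1;
    if (strncmp(line, key, klen) != 0 || line[klen] != ' ')
        return 0;
    const char *val = line + klen + 1;
    size_t vlen = strcspn(val, "\r\n");   /* value runs to end of line */
    if (vlen >= outsz)
        return -1;                        /* reject instead of overflowing */
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return 1;
}

/* Walk a BDF header line by line until the property is found or input ends. */
int find_charset_registry(const char *bdf, char *out, size_t outsz)
{
    const char *p = bdf;
    while (p) {
        int r = parse_charset_registry(p, out, outsz);
        if (r)
            return r;
        p = strchr(p, '\n');   /* advance to the next line, NULL at end of input */
        if (p)
            p++;
    }
    return 0;
}

static const char SAMPLE_BDF[] =  /* constructed minimal header */
    "STARTFONT 2.1\nSTARTPROPERTIES 2\n"
    "CHARSET_REGISTRY \"ISO10646\"\nCHARSET_ENCODING \"1\"\nENDPROPERTIES\n";

int check_sample(void)  /* 1 when the sample yields the quoted registry value */
{
    char buf[CHARSET_MAX];
    return find_charset_registry(SAMPLE_BDF, buf, sizeof buf) == 1 &&
           strcmp(buf, "\"ISO10646\"") == 0;
}

int check_overlong(void)  /* 1 when a constructed 200-byte value is rejected untouched */
{
    char line[240] = "CHARSET_REGISTRY ", buf[CHARSET_MAX] = "untouched";
    memset(line + 17, 'A', 200);   /* 200 bytes of value, far beyond CHARSET_MAX */
    line[217] = '\0';
    return parse_charset_registry(line, buf, sizeof buf) == -1 && strcmp(buf, "untouched") == 0;
}
```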
arch teams, please, stabilize media-gfx/fontforge-20110222-r1. TIA.
amd64 ok
Please don't touch the summary.
whoever touched the summary, it's not been changed back. 20100501 failed emerge. The initial 20110222-r1 all ok
(In reply to comment #4)
> whoever touched the summary, it's not been changed back.
>
> 20100501 failed emerge.
>
> The initial 20110222-r1 all ok

The version to test is the _same_. The problem is how to declare the vulnerable version. But I leave the pleasure of declaring it to other @security staff (if it is needed) since I'm not able to do it :p
The version in the summary is the vulnerable version. I thought the fact that it was already stable might have clued you in. Try reading comment #1.
Ryan, thanks for having an eye on that. However, Agostino's change was fine. Security usually wants to have the fixed version in the summary field, so that'd be "<media-gfx/fontforge-20110222-r1". I put in "<=media-gfx/fontforge-20100501" at first because we didn't know yet what version was going to be targeted for stabilization.
x86 stable
amd64 done
Stable for HPPA.
ppc/ppc64 stable
But now it indicates that all versions before 20110222-r1 are vulnerable, which isn't true. Whatever, you guys know what you're doing. I'll stay out of it.
alpha/arm/ia64/s390/sh/sparc stable
Thanks, everyone. GLSA request filed.
This issue was resolved and addressed in GLSA 201201-08 at http://security.gentoo.org/glsa/glsa-201201-08.xml by GLSA coordinator Sean Amoss (ackle).