From ${URL} : The 1.39 release of t1utils fixed a buffer overflow flaw: https://github.com/kohler/t1utils/blob/master/NEWS Additional details (including a reproducer): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274 @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
(In reply to Agostino Sarubbo from comment #0) > @maintainer(s): since the fixed package is already in the tree, please let > us know if it is ready for the stabilization or not. yes
Do what?
(In reply to Jeroen Roovers from comment #2) > Do what? Arches, please test and mark stable: =app-text/t1utils-1.39 Target keywords : "alpha amd64 arm hppa ia64 ppc64 x86"
amd64 stable
Stable for PPC64.
Stable for HPPA.
ia64 stable
ppc stable
x86 stable
arm stable
CVE-2015-3905 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3905): Buffer overflow in the set_cs_start function in t1disasm.c in t1utils before 1.39 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
sparc stable
Ping for alpha.
alpha stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches, Thank you for your work. Maintainer(s), please drop the vulnerable version(s). New GLSA Request filed.
(In reply to Yury German from comment #15) > Maintainer(s), please drop the vulnerable version(s). Done: + 07 Jul 2015; Ben de Groot <yngwin@gentoo.org> -t1utils-1.38.ebuild: + Remove vulnerable version (bug #548638)
This issue was resolved and addressed in GLSA 201507-10 at https://security.gentoo.org/glsa/201507-10 by GLSA coordinator Mikle Kolyada (Zlogene).