Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 612192 (CVE-2016-10244) - <media-libs/freetype-2.7.1-r2: parse_charstrings function in type1/t1load.c does not ensure that a font contains a glyph name
Summary: <media-libs/freetype-2.7.1-r2: parse_charstrings function in type1/t1load.c d...
Alias: CVE-2016-10244
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve]
Depends on:
Reported: 2017-03-10 11:24 UTC by Agostino Sarubbo
Modified: 2017-06-06 20:10 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-03-10 11:24:50 UTC
From ${URL} :

The parse_charstrings function in type1/t1load.c in FreeType 2 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have 
unspecified other impact via a crafted file.


Upstream patch:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-03-10 11:42:49 UTC
commit b718d16b1e7331ab125b9803d1add14b2617e0b0
Author: Lars Wendler <>
Date:   Fri Mar 10 12:40:30 2017

    media-libs/freetype: Security revbump for bug #612192.

    Package-Manager: Portage-2.3.4, Repoman-2.3.2

Arches please test and mark stable =media-libs/freetype-2.7.1-r2 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt
Comment 2 Agostino Sarubbo gentoo-dev 2017-03-10 13:09:26 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-03-10 13:10:05 UTC
x86 stable
Comment 4 Michael Weber (RETIRED) gentoo-dev 2017-03-10 13:43:56 UTC
arm ppc ppc64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-11 08:31:23 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2017-03-11 17:21:36 UTC
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-03-17 10:43:25 UTC
sparc stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2017-04-04 19:30:44 UTC
Stable on alpha.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2017-04-11 06:21:41 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 20:10:25 UTC
This issue was resolved and addressed in
 GLSA 201706-14 at
by GLSA coordinator Kristian Fiskerstrand (K_F).