Debian Bug report logs - #426771: CVE-2007-1351 bdf font overflows
Reported by: Kees Cook <kees@outflux.net>
Date: Wed, 30 May 2007 20:12:01 UTC
Severity: important
Tags: patch, security
Found in versions 2.2.1-6, 2.2.1-5
Fixed in version 2.3.5-1
Done: Steve Langasek <vorlon@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>: Bug#426771; Package freetype.
Acknowledgement sent to Kees Cook <kees@outflux.net>: New Bug report received and forwarded. Copy sent to Steve Langasek <vorlon@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: freetype
Version: 2.2.1-6
Severity: important
Tags: patch, security
As I understand it, freetype was impacted by CVE-2007-1351 as well as
libxfont (which was updated). Attached is the patch for fixing bdf
overflows in freetype.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
http://packages.debian.org/changelogs/pool/main/libx/libxfont/current/changelog
--
Kees Cook @outflux.net
[CVE-2007-1351_bdf_integer.patch (text/x-diff, attachment)]
Bug marked as found in version 2.2.1-5 and reopened. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Tue, 10 Jul 2007 01:15:02 GMT)
Reply sent to Steve Langasek <vorlon@debian.org>: You have taken responsibility.
Notification sent to Kees Cook <kees@outflux.net>: Bug acknowledged by developer.
Message #12 received at 426771-done@bugs.debian.org:
Version: 2.3.5-1
found 426771 2.2.1-5
thanks
On Wed, May 30, 2007 at 01:10:44PM -0700, Kees Cook wrote:
> Package: freetype
> Version: 2.2.1-6
> Severity: important
> Tags: patch, security
> As I understand it, freetype was impacted by CVE-2007-1351 as well as
> libxfont (which was updated). Attached is the patch for fixing bdf
> overflows in freetype.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
> http://packages.debian.org/changelogs/pool/main/libx/libxfont/current/changelog
This bug is fixed in 2.3.5-1 which has just been uploaded to unstable, but
is present in 2.2.1-5 in stable.
Thanks,
--
Steve Langasek
Debian Developer
vorlon@debian.org
http://www.debian.org/

"Give me a lever long enough and a Free OS to set it on, and I can move the world."
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#426771; Package freetype.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>: Extra info received and forwarded to list.
Message #17 received at 426771@bugs.debian.org:
On Wed, May 30, 2007 at 01:10:44PM -0700, Kees Cook wrote:
> Package: freetype
> Version: 2.2.1-6
> Severity: important
> Tags: patch, security
> As I understand it, freetype was impacted by CVE-2007-1351 as well as
> libxfont (which was updated). Attached is the patch for fixing bdf
> overflows in freetype.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
> http://packages.debian.org/changelogs/pool/main/libx/libxfont/current/changelog
I've prepared a freetype 2.2.1-5+etch4 package which addresses this security
bug, and uploaded it to <http://people.debian.org/~vorlon/freetype/>.
Security Team, please advise whether I should upload this to security.d.o.
AIUI, uploading this package should not interfere with the pending oldstable
security update for the previous security hole.
The diff for the etch upload, taken from upstream, is attached to this mail.
Thanks,
--
Steve Langasek
Debian Developer
vorlon@debian.org
http://www.debian.org/

"Give me a lever long enough and a Free OS to set it on, and I can move the world."
[freetype-426771.diff (text/x-diff, attachment)]
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Aug 2007 07:31:08 GMT)
Last modified: Wed Jun 19 17:50:15 2019