freetype: multiple vulnerabilities in freetype before 2.4.9

Related Vulnerabilities: CVE-2012-1133   CVE-2012-1136   CVE-2012-1134   CVE-2012-1142   CVE-2012-1144   CVE-2012-1126  

Debian Bug report logs - #662864
Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Tue, 6 Mar 2012 21:13:14 UTC

Severity: grave

Tags: security

Fixed in versions freetype/2.4.2-2.1+squeeze4, freetype/2.4.9-1

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#662864; Package src:freetype. (Tue, 06 Mar 2012 21:13:21 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>. (Tue, 06 Mar 2012 21:13:24 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: freetype: multiple vulnerabilities in freetype before 2.4.9
Date: Tue, 06 Mar 2012 22:12:35 +0100
Source: freetype
Severity: grave
Tags: security
Justification: user security hole

Hi,

several vulnerabilities were found in freetype and were fixed in 2.4.9.

A summary can be found in the oss-sec thread starting at
http://www.openwall.com/lists/oss-security/2012/03/06/13 and followups.

Could you prepare an update for the various affected suites?

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#662864; Package src:freetype. (Wed, 07 Mar 2012 15:02:19 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Wed, 07 Mar 2012 15:02:20 GMT)


Message #10 received at 662864@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 662864@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: freetype: multiple vulnerabilities in freetype before 2.4.9
Date: Wed, 7 Mar 2012 15:57:33 +0100
On Tue, Mar 06, 2012 at 10:12:35PM +0100, Yves-Alexis Perez wrote:
> Source: freetype
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> 
> several vulnerabilities were found in freetype and were fixed in 2.4.9.
> 
> A summary can be found in the oss-sec thread starting at
> http://www.openwall.com/lists/oss-security/2012/03/06/13 and followups.
> 
> Could you prepare an update for the various affected suites?

Only CVE-2012-1133, CVE-2012-1136, CVE-2012-1134, CVE-2012-1142 and
CVE-2012-1144 can be used for code injection. The rest can be fixed
along with them (or later in a point update) or left unfixed in stable.

Cheers,
        Moritz





Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#662864; Package src:freetype. (Wed, 07 Mar 2012 16:51:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Wed, 07 Mar 2012 16:51:03 GMT)


Message #15 received at 662864@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 662864@bugs.debian.org
Subject: Re: freetype: multiple vulnerabilities in freetype before 2.4.9
Date: Wed, 7 Mar 2012 17:47:51 +0100
On Wed, Mar 07, 2012 at 03:57:33PM +0100, Moritz Muehlenhoff wrote:
> On Tue, Mar 06, 2012 at 10:12:35PM +0100, Yves-Alexis Perez wrote:
> > Source: freetype
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Hi,
> > 
> > several vulnerabilities were found in freetype and were fixed in 2.4.9.
> > 
> > A summary can be found in the oss-sec thread starting at
> > http://www.openwall.com/lists/oss-security/2012/03/06/13 and followups.
> > 
> > Could you prepare an update for the various affected suites?
> 
> Only CVE-2012-1133, CVE-2012-1136, CVE-2012-1134, CVE-2012-1142 and
> CVE-2012-1144 can be used for code injection. The rest can be fixed
> along (or later in some point update) or left unfixed in stable.

I'm now working on an update for stable-security.
 
Cheers,
        Moritz




Marked as fixed in versions freetype/2.4.2-2.1+squeeze4. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sat, 24 Mar 2012 19:15:41 GMT)


Added tag(s) pending. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sat, 24 Mar 2012 23:39:05 GMT)


Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (Sat, 24 Mar 2012 23:51:20 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Sat, 24 Mar 2012 23:51:20 GMT)


Message #24 received at 662864-close@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 662864-close@bugs.debian.org
Subject: Bug#662864: fixed in freetype 2.4.9-1
Date: Sat, 24 Mar 2012 23:47:58 +0000
Source: freetype
Source-Version: 2.4.9-1

We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive:

freetype2-demos_2.4.9-1_amd64.deb
  to main/f/freetype/freetype2-demos_2.4.9-1_amd64.deb
freetype_2.4.9-1.diff.gz
  to main/f/freetype/freetype_2.4.9-1.diff.gz
freetype_2.4.9-1.dsc
  to main/f/freetype/freetype_2.4.9-1.dsc
freetype_2.4.9.orig.tar.gz
  to main/f/freetype/freetype_2.4.9.orig.tar.gz
libfreetype6-dev_2.4.9-1_amd64.deb
  to main/f/freetype/libfreetype6-dev_2.4.9-1_amd64.deb
libfreetype6-udeb_2.4.9-1_amd64.udeb
  to main/f/freetype/libfreetype6-udeb_2.4.9-1_amd64.udeb
libfreetype6_2.4.9-1_amd64.deb
  to main/f/freetype/libfreetype6_2.4.9-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 662864@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated freetype package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 24 Mar 2012 23:35:16 +0000
Source: freetype
Binary: libfreetype6 libfreetype6-dev freetype2-demos libfreetype6-udeb
Architecture: source amd64
Version: 2.4.9-1
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 freetype2-demos - FreeType 2 demonstration programs
 libfreetype6 - FreeType 2 font engine, shared library files
 libfreetype6-dev - FreeType 2 font engine, development files
 libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Closes: 617217 642059 662864 663613
Changes: 
 freetype (2.4.9-1) unstable; urgency=low
 .
   * New upstream release
     - upstream fix for multiple vulnerabilities: CVE-2012-1126,
       CVE-2012-1133, CVE-2012-1134, CVE-2012-1136, CVE-2012-1142,
       CVE-2012-1144, and others.  Closes: #662864.
     - update symbols file for a new symbol, ft_raccess_guess_table
   * debian/patches-freetype/savannah-bug-35847.patch,
     debian/patches-freetype/savannah-bug-35833.patch: pull two bugfixes from
     upstream git on top of 2.4.9, to address regressions affecting
     ghostscript.  Thanks to Till Kamppeter for pointing this out.
   * push CPPFLAGS into CFLAGS for ft2demos, so our demos will be secure.
     Closes: #663613.
   * don't let a quiltrc override our QUILT_PATCHES settings in debian/rules.
     Closes: #617217.
   * Migrate debian/copyright to copyright-format 1.0, and fix up the upstream
     URL.  Closes: #642059.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 
Package-Type: udeb



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:45:28 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:19:25 2019; Machine Name: beach
