CVE-2011-0226: Vulnerability in parsing Type 1 fonts


Debian Bug report logs - #635871


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 29 Jul 2011 09:27:41 UTC

Severity: grave

Tags: security

Fixed in version freetype/2.4.6-1

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#635871; Package freetype. (Fri, 29 Jul 2011 09:27:44 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>. (Fri, 29 Jul 2011 09:27:44 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-0226: Vulnerability in parsing Type 1 fonts
Date: Fri, 29 Jul 2011 11:27:02 +0200
Package: freetype
Severity: grave
Tags: security

This was used in the recent iOS jailbreaks. Please see
https://bugzilla.redhat.com/show_bug.cgi?id=722701 for
references to the relevant upstream commits.

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#635871; Package freetype. (Tue, 02 Aug 2011 17:24:05 GMT)


Acknowledgement sent to Kan-Ru Chen <koster@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Tue, 02 Aug 2011 17:24:05 GMT)


Message #10 received at 635871@bugs.debian.org:

From: Kan-Ru Chen <koster@debian.org>
To: Debian Bug Tracking System <635871@bugs.debian.org>
Subject: Re: Vulnerability in parsing Type 1 fonts
Date: Wed, 03 Aug 2011 01:20:51 +0800
Package: freetype
Followup-For: Bug #635871

Proposed security updates.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[CVE-2011-0226.debdiff (text/x-diff, attachment)]

Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (Thu, 04 Aug 2011 06:06:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 04 Aug 2011 06:06:07 GMT)


Message #15 received at 635871-close@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 635871-close@bugs.debian.org
Subject: Bug#635871: fixed in freetype 2.4.6-1
Date: Thu, 04 Aug 2011 06:02:12 +0000
Source: freetype
Source-Version: 2.4.6-1

We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive:

freetype2-demos_2.4.6-1_amd64.deb
  to main/f/freetype/freetype2-demos_2.4.6-1_amd64.deb
freetype_2.4.6-1.diff.gz
  to main/f/freetype/freetype_2.4.6-1.diff.gz
freetype_2.4.6-1.dsc
  to main/f/freetype/freetype_2.4.6-1.dsc
freetype_2.4.6.orig.tar.gz
  to main/f/freetype/freetype_2.4.6.orig.tar.gz
libfreetype6-dev_2.4.6-1_amd64.deb
  to main/f/freetype/libfreetype6-dev_2.4.6-1_amd64.deb
libfreetype6-udeb_2.4.6-1_amd64.udeb
  to main/f/freetype/libfreetype6-udeb_2.4.6-1_amd64.udeb
libfreetype6_2.4.6-1_amd64.deb
  to main/f/freetype/libfreetype6_2.4.6-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 635871@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated freetype package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 04 Aug 2011 05:49:09 +0000
Source: freetype
Binary: libfreetype6 libfreetype6-dev freetype2-demos libfreetype6-udeb
Architecture: source amd64
Version: 2.4.6-1
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 freetype2-demos - FreeType 2 demonstration programs
 libfreetype6 - FreeType 2 font engine, shared library files
 libfreetype6-dev - FreeType 2 font engine, development files
 libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Closes: 625328 635871
Changes: 
 freetype (2.4.6-1) unstable; urgency=low
 .
   * New upstream release
     - fixes CVE-2011-0226, a vulnerability in parsing of Type 1 fonts.
       Closes: #635871.
     - upstream now builds cleanly with -Werror and the new gcc-4.6 upstream
       warnings.  Closes: #625328.
Package-Type: udeb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Oct 2011 07:36:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:59:36 2019; Machine Name: beach
