Re: Bug#1010304: bullseye-pu: package freetype/2.10.4+dfsg-1+deb11u1



Control: tags -1 + confirmed d-i

On Thu, 2022-04-28 at 22:21 +1000, Hugh McMaster wrote:
> This update fixes three security vulnerabilities in FreeType
> 2.10.4+dfsg-1.
> 
> - CVE-2022-27404: heap buffer overflow via invalid integer decrement in
>   sfnt_init_face() and woff2_open_font().
> - CVE-2022-27405: segmentation violation via ft_open_face_internal() when
>   attempting to read the value of FT_LONG face_index.
> - CVE-2022-27406: segmentation violation via FT_Request_Size() when
>   attempting to read the value of an unguarded face size handle.
> 
> It would be ideal to get these fixes into Bullseye.

This looks OK to me, but as freetype builds a udeb it will want a
KiBi-ack; CCed and tagging accordingly.

Regards,

Adam
