
[Pkg-fonts-devel] Bug#869614: marked as done (fontforge: CVE-2017-11568 CVE-2017-11569 CVE-2017-11571 CVE-2017-11572 CVE-2017-11574 CVE-2017-11575 CVE-2017-11576 CVE-2017-11577)

Your message dated Thu, 05 Oct 2017 10:00:11 +0000
with message-id <E1e02wt-000FvT-Ms@fasolo.debian.org>
and subject line Bug#869614: fixed in fontforge 1:20170731~dfsg-1
has caused the Debian Bug report #869614,
regarding fontforge: CVE-2017-11568 CVE-2017-11569 CVE-2017-11571 CVE-2017-11572 CVE-2017-11574 CVE-2017-11575 CVE-2017-11576 CVE-2017-11577
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

869614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869614
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: fontforge
Version: 20120731.b-5
Severity: important
Tags: upstream security


The following vulnerabilities were published for fontforge.

| FontForge 20161012 is vulnerable to a heap-based buffer over-read in
| PSCharStringToSplines (psread.c) resulting in DoS or code execution via
| a crafted otf file.

| FontForge 20161012 is vulnerable to a heap-based buffer over-read in
| readttfcopyrights (parsettf.c) resulting in DoS or code execution via a
| crafted otf file.

| FontForge 20161012 is vulnerable to a buffer over-read in umodenc
| (parsettf.c) resulting in DoS or code execution via a crafted otf file.

| FontForge 20161012 is vulnerable to a stack-based buffer overflow in
| addnibble (parsettf.c) resulting in DoS or code execution via a crafted
| otf file.

| FontForge 20161012 is vulnerable to a heap-based buffer over-read in
| readcfftopdicts (parsettf.c) resulting in DoS or code execution via a
| crafted otf file.

| FontForge 20161012 is vulnerable to a buffer over-read in
| ValidatePostScriptFontName (parsettf.c) resulting in DoS or code
| execution via a crafted otf file.

| FontForge 20161012 is vulnerable to a heap-based buffer overflow in
| readcffset (parsettf.c) resulting in DoS or code execution via a
| crafted otf file.

| FontForge 20161012 is vulnerable to a buffer over-read in strnmatch
| (char.c) resulting in DoS or code execution via a crafted otf file,
| related to a call from the readttfcopyrights function in parsettf.c.

| FontForge 20161012 does not ensure a positive size in a weight vector
| memcpy call in readcfftopdict (parsettf.c) resulting in DoS via a
| crafted otf file.

| FontForge 20161012 is vulnerable to a buffer over-read in getsid
| (parsettf.c) resulting in DoS or code execution via a crafted otf file.

Apart from CVE-2017-11570 and CVE-2017-11575, the issues seem easily
reproducible/shown as well back to 20120731.b-5. But I have not been
able to verify yet that the two mentioned CVEs would not affect that
version. Thus I created a collecting bug for all those CVEs. If it
turns out that we need to split the bug up a bit, we can do so.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11568
[1] https://security-tracker.debian.org/tracker/CVE-2017-11569
[2] https://security-tracker.debian.org/tracker/CVE-2017-11570
[3] https://security-tracker.debian.org/tracker/CVE-2017-11571
[4] https://security-tracker.debian.org/tracker/CVE-2017-11572
[5] https://security-tracker.debian.org/tracker/CVE-2017-11573
[6] https://security-tracker.debian.org/tracker/CVE-2017-11574
[7] https://security-tracker.debian.org/tracker/CVE-2017-11575
[8] https://security-tracker.debian.org/tracker/CVE-2017-11576
[9] https://security-tracker.debian.org/tracker/CVE-2017-11577

Please adjust the affected versions in the BTS as needed.


--- End Message ---
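The report above lists heap and stack buffer over-reads in FontForge's TrueType/CFF parsers and a memcpy whose size came unchecked from the font file. As an added illustration (not FontForge's code), the C snippet below shows the bounds-checked reading pattern that closes that class of bug: every count or string length taken from the file is validated against the bytes that remain before it is used. The cursor type, function names and sample blob are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cursor over an untrusted font blob; pos <= len is maintained by every reader. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } cursor_t;

/* Big-endian 16-bit read; fails (returns 0) rather than reading past len. */
static int read_u16(cursor_t *c, uint16_t *out) {
    if (c->len - c->pos < 2) return 0;
    *out = (uint16_t)((c->buf[c->pos] << 8) | c->buf[c->pos + 1]);
    c->pos += 2;
    return 1;
}

/* Count-prefixed vector copy. The count is file-controlled, so it is checked
 * against both the bytes remaining and the caller's capacity before memcpy.
 * Keeping it unsigned also rules out the negative-size case: a signed count
 * passed to memcpy becomes a huge size_t, the failure mode the report lists. */
static int read_vector(cursor_t *c, uint8_t *dst, size_t cap, size_t *n_out) {
    uint16_t n;
    if (!read_u16(c, &n)) return 0;
    if (n > cap || n > c->len - c->pos) return 0;
    memcpy(dst, c->buf + c->pos, n);
    c->pos += n;
    *n_out = n;
    return 1;
}

/* NUL-terminated string inside the blob. The terminator must lie within the
 * remaining bytes (memchr is bounded); a name that runs to the end of the
 * buffer without one is rejected instead of being read off the end. */
static const char *read_cstring(cursor_t *c) {
    const uint8_t *start = c->buf + c->pos;
    const uint8_t *nul = memchr(start, 0, c->len - c->pos);
    if (nul == NULL) return NULL;
    c->pos += (size_t)(nul - start) + 1;
    return (const char *)start;
}

int main(void) {
    /* Constructed blob: a 3-byte vector followed by a name with no terminator. */
    static const uint8_t blob[] = { 0x00, 0x03, 0xAA, 0xBB, 0xCC, 'A', 'b', 'c' };
    cursor_t c = { blob, sizeof blob, 0 };
    uint8_t vec[8]; size_t n = 0;
    printf("vector: %s (%zu bytes)\n", read_vector(&c, vec, sizeof vec, &n) ? "ok" : "rejected", n);
    printf("name:   %s\n", read_cstring(&c) ? "ok" : "rejected (no terminator)");
    return 0;
}
```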
--- Begin Message ---
Source: fontforge
Source-Version: 1:20170731~dfsg-1

We believe that the bug you reported is fixed in the latest version of
fontforge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 869614@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Jonas Smedegaard <dr@jones.dk> (supplier of updated fontforge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sun, 24 Sep 2017 13:21:28 +0200
Source: fontforge
Binary: fontforge fontforge-nox fontforge-common libfontforge-dev libfontforge2 libgdraw5 python-fontforge fontforge-dbg fontforge-doc
Architecture: source all amd64
Version: 1:20170731~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Fonts Task Force <pkg-fonts-devel@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
 fontforge  - font editor
 fontforge-common - font editor (common files)
 fontforge-dbg - debugging symbols for fontforge
 fontforge-doc - documentation for fontforge
 fontforge-nox - font editor - non-X version
 libfontforge-dev - font editor - runtime library (development files)
 libfontforge2 - font editor - runtime library
 libgdraw5  - font editor - runtime graphics and widget library
 python-fontforge - font editor - Python bindings
Closes: 853040 855710 865601 869614
 fontforge (1:20170731~dfsg-1) unstable; urgency=high
   * New release with a number of adjustments and fixes.
     + Fixes multiple CVEs listed below.
      CVE-2017-11577, CVE-2017-11576, CVE-2017-11575, CVE-2017-11574,
      CVE-2017-11572, CVE-2017-11571, CVE-2017-11569, CVE-2017-11568.
      Closes: bug#869614. Thanks to Salvatore Bonaccorso.
   [ Vasudev Kamath ]
   * Add fontforge-doc package to fontforge source.
     Closes: bug#855710, bug#853040. Thanks to Hideki Yamane.
   * Simplify d-shlibs handling. Tighten to build-depend on recent d-shlibs.
   * debian/patches:
     + Drop patch 1001, merged upstream.
     + Refresh patch 2002 with new upstream files.
     + Add patch 2003 for removing SourceForge logo from documentation.
   * Update libfontforge2.symbols file for new release.
     There is a lot of refactoring done by upstream without bumping major
   * Drop unused lintian-override from debian/source/lintian-override.
   * Drop wild card debian-old/* from debian/copyright. It is no longer
     available in upstream source.
   * Do not disable PIE.
     Closes: bug#865601. Thanks to Adrian Bunk.
   [ Jonas Smedegaard ]
   * Add myself as uploader.
   * Update watch file: Use substitution strings.
   * Drop superfluous dh_installdirs hint files.
   * Advertise DEP-3 format in patch headers.
   * Tighten lintian overrides regarding License-Reference.
   * Tighten lintian overrides regarding long code lines.
   * Add lintian override for obsolete-url-in-packaging false positive.
   * Drop obsolete maintainer script make-clean-tarball.
   * Avoid mentioning Debian in doc-base title.
   * Update homepage.
   * Modernize Vcs-* fields:
     + Consistently use git (not cgit) in path.
     + Consistently include .git suffix in path.
   * Update copyright info:
     + Extend coverage for myself. Relicense packaging to GPL-3+.
     + Merge same-licensed Files sections.
     + List graphicore code, licensed as BSD-2-clause.
     + Fix drop duplicate entries.
     + Fix list fontforge/fvimportbdf.c (same as gdraw/fontP.h) as
       licensed BSD-3-clause and X11~TOG (not BSD-3-clause).
     + Fix list files licensed BSD-3-clause in initial wildcard section.
     + Fix list files by a non-main copyright holder licensed GPL-3+.
     + Fix list files by non-main copyright holders licensed GPL-3+
       with font exception.
     + Fix list font files.
     + Fix list files licensed GPL-2+.
     + Fix add License section for LGPL-2.1+.
     + Exclude non-DFSG free fonts from repackaged tarball.
   * Update package relations:
     + Stop conflict with defoma: Dropped before oldstable.
   * Drop breaks+replaces unneeded since oldstable.
   * Generalize and extend patch 2003 to cover more potential breaches.
--- End Message ---
