Re: [SECURITY] [DLA 918-1] freetype security update
Hi, Emilio,
> It was found that an out of bounds write caused by a heap-based buffer
> overflow could be triggered in freetype via a crafted font.
Thank you for the fixed packages and for the related patch. It's very
convenient to have somebody do the patching for me.
> This update also reverts the fix for CVE-2016-10328, as it was
> determined that freetype 2.4.9 is not affected by that issue.
I'm curious to see the version scope/some proof of a particular version not
being affected by CVE-2016-10328.
The reason I'm asking is because I'm maintaining a backport of the jessie
2.5.2-3 to wheezy, and it seems that the jessie one did not receive any of the
mentioned CVE fixes, even though the debian-lts team had already prepared another
patch for 2.4.9.
So, I'd like to know if you can point me to some mailing-list thread or any
other notes that could shed some more light on this.
Best regards,
Bolesław Tokarski