Re: [SECURITY] [DLA 918-1] freetype security update

To: debian-lts@lists.debian.org
Subject: Re: [SECURITY] [DLA 918-1] freetype security update
From: Bolesław Tokarski <btokarski@opera.com>
Date: Thu, 27 Apr 2017 10:55:51 +0200
Message-id: <[🔎] 5681174.NNBnHsykpM@btokarski>
In-reply-to: <853dcb16-7b78-fddd-29c0-4bad6bea3c7d@debian.org>
References: <853dcb16-7b78-fddd-29c0-4bad6bea3c7d@debian.org>

Hi, Emilio,

> It was found that an out of bounds write caused by a heap-based buffer
> overflow could be triggered in freetype via a crafted font.

Thank you for the fixed packages and for the patch related. It's very 
convenient to have somebody do the patching for me.

> This update also reverts the fix for CVE-2016-10328, as it was
> determined that freetype 2.4.9 is not affected by that issue.

I'm curious to see the version scope/some proof of a particular version not 
being affected by CVE-2016-10328.

The reason I'm asking is because I'm maintaining a backport of the jessie 
2.5.2-3 to wheezy and it seems that jessie one did not receive any of the 
mentioned CVE fixes despite the debian-lts team prepared another patch for 
2.4.9 already.

So, I'd like to know if you can point me to some mailing-list thread/whatever 
else notes that could shed some more light on this.

Best regards,
Bolesław Tokarski

Reply to:

Follow-Ups:
- Re: [SECURITY] [DLA 918-1] freetype security update
  - From: Moritz Muehlenhoff <jmm@debian.org>
- Re: [SECURITY] [DLA 918-1] freetype security update
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: fop LTS update package ready for testing
Next by Date: Re: [SECURITY] [DLA 918-1] freetype security update
Previous by thread: batik package ready for testing
Next by thread: Re: [SECURITY] [DLA 918-1] freetype security update
Index(es):
- Date
- Thread