Re: [SECURITY] [DSA-2116-1] New freetype packages integer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/10/2010 23:03, Stefan Fritsch wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-2116-1 security@debian.org
> http://www.debian.org/security/ Stefan Fritsch
> October 4, 2010 http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package : freetype
> Vulnerability : integer overflow
> Problem type : local (remote)
> Debian-specific: no
> CVE Id(s) : CVE-2010-3311
>
> Marc Schoenefeld has found an input stream position error in the
> way the FreeType font rendering engine processed input file streams.
> If a user loaded a specially-crafted font file with an application
> linked against FreeType and relevant font glyphs were subsequently
> rendered with the X FreeType library (libXft), it could cause the
> application to crash or, possibly execute arbitrary code.
>
> After the upgrade, all running applications and services that use
> libfreetype6 should be restarted. In most cases, logging out and
> in again should be enough. The script checkrestart from the
> debian-goodies package or lsof may help to find out which
> processes are still using the old version of libfreetype6.
>
> For the stable distribution (lenny), these problems have been fixed in
> version 2.3.7-2+lenny4.
>
> The testing distribution (squeeze) and the unstable distribution (sid)
> are not affected by this problem.
>
> We recommend that you upgrade your freetype packages.
Hello, I just ran the update via aptitude, and apt-listbugs reported the
package as affected by bug #592399 [1]. Aptitude installed
2.3.7-2+lenny4, and that version is not marked as bug-free in the bug
report page.
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=592399
- --
Davide Mirtillo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkyqzkoACgkQKhoNWaTioeYUrwCeMl8KWyrfw7uV1P2pPGVv62L7
WaQAn2+2JuyBgbGG3tgyoD6ywos4p4TW
=eOvX
-----END PGP SIGNATURE-----
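The advisory above asks that every process still using the old libfreetype6 be restarted and points at checkrestart or lsof for finding them. The following is an added example of that check, written for this thread and not taken from the advisory, from debian-goodies or from lsof: it walks /proc/<pid>/maps the way checkrestart does and reports processes that still map a shared object whose on-disk file has been replaced (the kernel marks such mappings "(deleted)"). The second parameter, a proc root, is an assumption added so the scan can be pointed at a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Debian's checkrestart.
# stale_lib_pids: list processes whose memory map still references a
# deleted (pre-upgrade) copy of a shared library.
#
# Usage: stale_lib_pids <library-name-fragment> [proc-root]
#   library-name-fragment  substring of the .so path, e.g. libfreetype.so
#   proc-root              directory laid out like /proc (assumed parameter,
#                          defaults to /proc; used to run against test data)
# Output: one line per match, "<pid> <mapped path>", sorted and de-duplicated.
stale_lib_pids() {
    lib="$1"
    root="${2:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        # Unreadable maps (other users' processes without root) are skipped.
        [ -r "$maps" ] || continue
        pid=$(basename "$(dirname "$maps")")
        # /proc/<pid>/maps fields: address perms offset dev inode pathname.
        # A library replaced on disk keeps its old path in the mapping,
        # followed by the literal token "(deleted)" as the last field.
        awk -v pid="$pid" -v lib="$lib" \
            'index($6, lib) > 0 && $NF == "(deleted)" { print pid, $6 }' \
            "$maps" 2>/dev/null
    done | sort -u
}

# Run directly on a host after the upgrade, e.g.:
#   sh this_script.sh libfreetype.so
if [ $# -gt 0 ]; then
    stale_lib_pids "$@"
fi
```

A process listed here has loaded the vulnerable library image and keeps executing it until restarted, regardless of what dpkg now reports as installed; logging out and back in, as the advisory says, covers the desktop session, while daemons found this way need their own restart. lsof shows the same condition as a DEL entry in its FD column.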