[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA-2116-1] New freetype packages integer overflow

Hash: SHA1

Il 04/10/2010 23:03, Stefan Fritsch ha scritto:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-2116-1                  security@debian.org
> http://www.debian.org/security/                           Stefan Fritsch
> October 4, 2010                       http://www.debian.org/security/faq
> ------------------------------------------------------------------------
> Package        : freetype
> Vulnerability  : integer overflow
> Problem type   : local (remote)
> Debian-specific: no
> CVE Id(s)      : CVE-2010-3311
> Marc Schoenefeld has found an input stream position error in the
> way the FreeType font rendering engine processed input file streams.
> If a user loaded a specially-crafted font file with an application
> linked against FreeType and relevant font glyphs were subsequently
> rendered with the X FreeType library (libXft), it could cause the
> application to crash or, possibly execute arbitrary code.
> After the upgrade, all running applications and services that use
> libfreetype6 should be restarted. In most cases, logging out and
> in again should be enough. The script checkrestart from the
> debian-goodies package or lsof may help to find out which
> processes are still using the old version of libfreetype6.
> For the stable distribution (lenny), these problems have been fixed in
> version 2.3.7-2+lenny4.
> The testing distribution (squeeze) and the unstable distribution (sid)
> are not affected by this problem.
> We recommend that you upgrade your freetype packages.

Hello, i just ran the update via aptitude, and apt-listbug reported the
package as affected by bug #592399 [1]. Aptitude installed
2.3.7-2+lenny4, and that version is not marked as bug-free in the bug
report page.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=592399

- -- 
Davide Mirtillo
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


Reply to: