
Bug#383353: marked as done (libxfont1: PCF Integer Overflow Vulnerability)



Your message dated Wed, 16 Aug 2006 15:32:15 -0700
with message-id <E1GDTvr-0001vu-Kw@spohr.debian.org>
and subject line Bug#383353: fixed in libxfont 1:1.2.0-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libxfont1
Version: 1:1.0.0-4
Severity: grave
Tags: security patch
Justification: user security hole

From http://secunia.com/advisories/20100/:

A vulnerability has been reported in libXfont, which can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially compromise
an application using the library.

The vulnerability is caused due to integer overflows within the PCF font file
parser. This can potentially be exploited to cause a heap-based buffer overflow
via a specially crafted font file.

See
https://bugs.freedesktop.org/show_bug.cgi?id=7535

Patch is at
http://bugs.freedesktop.org/attachment.cgi?id=6231


--- End Message ---
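The bug class the report above describes (an integer overflow in a length computation that leaves a heap buffer smaller than the data copied into it) is easiest to see with a defensive check beside the unchecked form. The following is an added example, not libXfont's PCF parser and not the upstream patch; the table layout (a 32-bit little-endian entry count followed by fixed 8-byte entries) and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout for the example: a 32-bit entry count followed by
   fixed-size entries.  This is NOT the real PCF format or libXfont code. */
#define ENTRY_SIZE 8u

/* Unchecked size computation, the pattern behind this vulnerability class:
   count * ENTRY_SIZE wraps in 32 bits, so a huge count yields a tiny size,
   malloc() returns an undersized buffer and the later copy overflows the heap. */
static uint32_t unchecked_table_bytes(uint32_t count) {
    return count * ENTRY_SIZE;   /* wraps when count > UINT32_MAX / ENTRY_SIZE */
}

/* Hardened form: reject the count if the product would wrap or if the file
   does not actually contain that many bytes.  Returns 0 on success, -1 otherwise. */
static int checked_table_bytes(uint32_t count, size_t available, size_t *out) {
    if (count > UINT32_MAX / ENTRY_SIZE)
        return -1;                       /* multiplication would overflow */
    size_t need = (size_t)count * ENTRY_SIZE;
    if (need > available)
        return -1;                       /* claimed table longer than the data present */
    *out = need;
    return 0;
}

/* Read the entry count from the first four bytes of buf, validate the table
   length against the remaining bytes, and return a freshly allocated copy of
   the table (caller frees).  NULL means the header was rejected. */
static unsigned char *load_table(const unsigned char *buf, size_t len, size_t *table_len) {
    if (len < 4)
        return NULL;
    uint32_t count = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8)
                   | ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    size_t need;
    if (checked_table_bytes(count, len - 4, &need) != 0)
        return NULL;
    unsigned char *table = malloc(need ? need : 1);
    if (!table)
        return NULL;
    memcpy(table, buf + 4, need);        /* safe: need <= len - 4 was verified above */
    *table_len = need;
    return table;
}

int main(void) {
    size_t n = 0;

    /* constructed well-formed input: count = 2, followed by 16 bytes of entries */
    unsigned char good[4 + 16] = {2, 0, 0, 0};
    unsigned char *t = load_table(good, sizeof good, &n);
    printf("well-formed header: %s, %zu table bytes\n", t ? "accepted" : "rejected", n);
    free(t);

    /* constructed malformed input: count = 0x20000000, so count * 8 wraps to 0 in 32 bits */
    unsigned char bad[4] = {0x00, 0x00, 0x00, 0x20};
    printf("unchecked size for count 0x20000000: %u\n", unchecked_table_bytes(0x20000000u));
    t = load_table(bad, sizeof bad, &n);
    printf("malformed header: %s\n", t ? "accepted" : "rejected");
    free(t);
    return 0;
}
```

The two guards in checked_table_bytes are independent: the division check catches the wrap itself, and the comparison against the bytes remaining in the file catches a count that is arithmetically fine but still larger than the input, which is the check that also protects builds where size_t is 64 bits and the product never wraps.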
--- Begin Message ---
Source: libxfont
Source-Version: 1:1.2.0-2

We believe that the bug you reported is fixed in the latest version of
libxfont, which is due to be installed in the Debian FTP archive:

libxfont-dev_1.2.0-2_i386.deb
  to pool/main/libx/libxfont/libxfont-dev_1.2.0-2_i386.deb
libxfont1-dbg_1.2.0-2_i386.deb
  to pool/main/libx/libxfont/libxfont1-dbg_1.2.0-2_i386.deb
libxfont1_1.2.0-2_i386.deb
  to pool/main/libx/libxfont/libxfont1_1.2.0-2_i386.deb
libxfont_1.2.0-2.diff.gz
  to pool/main/libx/libxfont/libxfont_1.2.0-2.diff.gz
libxfont_1.2.0-2.dsc
  to pool/main/libx/libxfont/libxfont_1.2.0-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 383353@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Drew Parsons <dparsons@debian.org> (supplier of updated libxfont package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 17 Aug 2006 07:45:40 +1000
Source: libxfont
Binary: libxfont1-dbg libxfont1 libxfont-dev
Architecture: source i386
Version: 1:1.2.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Drew Parsons <dparsons@debian.org>
Description: 
 libxfont-dev - X11 font rasterisation library (development headers)
 libxfont1  - X11 font rasterisation library
 libxfont1-dbg - X11 font rasterisation library (debug package)
Closes: 383353
Changes: 
 libxfont (1:1.2.0-2) unstable; urgency=high
 .
   * Apply upstream patch 10_pcf_font.patch (security vulnerability
     CVE-2006-3467).  Closes: #383353.
   * Upload to unstable to ensure patch is propagated quickly.
   * Apply patch 10_freetype_buffer_overflow.patch while we're at it
     (no known exploits).
Files: 
 4957defffd1fa11e323045ead76126eb 903 x11 optional libxfont_1.2.0-2.dsc
 eae8a3d5278526d0a589025c8f41370d 21322 x11 optional libxfont_1.2.0-2.diff.gz
 97778c831bf5182fc3007e3ad81a74c3 226540 x11 optional libxfont1_1.2.0-2_i386.deb
 89ac0951f1a1b44c5e91c84738746704 340462 x11 optional libxfont1-dbg_1.2.0-2_i386.deb
 5a7f7922d5abd3979ceb5631b573c65c 292720 x11 optional libxfont-dev_1.2.0-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE45fdts5wQWQSTkoRAuU0AKCFUE6VNglX0M+7IrG9dKfknqIjdgCdG4hY
/NY6SxoOGGq8FPHAYngIZy8=
=ddm3
-----END PGP SIGNATURE-----


--- End Message ---