On Sun, Aug 20, 2006 at 07:45:49PM +1000, Drew Parsons wrote: > On Sun, 2006-08-20 at 09:18 +1000, Drew Parsons wrote: > > On Sun, 2006-08-20 at 00:11 +0200, Frans Pop wrote: > > > - any way to test if the vulnerabilities are actually fixed? > > > > The upstream bug report at > > https://bugs.freedesktop.org/show_bug.cgi?id=7535 contains a broken font > > attached at https://bugs.freedesktop.org/attachment.cgi?id=6230 . This > > font is supposed to trigger the bug, although I did not test it > > explicitly for the version in unstable, I simply applied the patch. The > > procedure for testing, after placing the font in ~/badfont, is > > .... (use mkfontdir after placing the bad font in a ~/badfont/ directoy > > xset +fp ~/badfont/ > > xfontsel > > which triggers a SIGSEGV in strlen(). > > I've now taken the time to test with the badfont. At the moment, > following the above procedure, xfontsel still crashes, with > > X Error of failed request: BadAlloc (insufficient resources for > operation) > Major opcode of failed request: 45 (X_OpenFont) > Serial number of failed request: 1392 > Current serial number in output stream: 1393 > > CVE-2006-3467 refers in fact to freetype2.2, not libxfont. So while > libxfont needs the patch, the bug is not fully solved until freetype's > patch is also applied (reported in Debian bug > #379920) That would seem to me to be the desired behaviour: the server is staying alive, and it's refusing to let you open an invalid font.
Description: Digital signature