Your message dated Tue, 04 Apr 2017 17:49:12 +0000
with message-id <[email protected]>
and subject line Bug#856971: fixed in freetype 2.6.3-3.1
has caused the Debian Bug report #856971,
regarding freetype: CVE-2016-10244
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
856971: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856971
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: freetype
Version: 2.5.2-3
Severity: important
Tags: security patch upstream
Hi,
the following vulnerability was published for freetype.
CVE-2016-10244[0]:
| The parse_charstrings function in type1/t1load.c in FreeType 2 before
| 2.7 does not ensure that a font contains a glyph name, which allows
| remote attackers to cause a denial of service (heap-based buffer
| over-read) or possibly have unspecified other impact via a crafted
| file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-10244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10244
[1] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a660e3de422731b94d4a134d27555430cbb6fb39 (VER-2-7)
[2] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: freetype
Source-Version: 2.6.3-3.1
We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated freetype package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 30 Mar 2017 19:16:33 +0200
Source: freetype
Binary: libfreetype6 libfreetype6-dev freetype2-demos libfreetype6-udeb
Architecture: source
Version: 2.6.3-3.1
Distribution: unstable
Urgency: medium
Maintainer: Steve Langasek <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 856971
Description:
freetype2-demos - FreeType 2 demonstration programs
libfreetype6 - FreeType 2 font engine, shared library files
libfreetype6-dev - FreeType 2 font engine, development files
libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Changes:
freetype (2.6.3-3.1) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2016-10244: Heap-buffer-overflow
src/type1/t1load.c (parse_charstrings): Reject fonts that don't contain
glyph names. (Closes: #856971)
Package-Type: udeb
--- End Message ---