Hi, Emilio,

> It was found that an out of bounds write caused by a heap-based buffer
> overflow could be triggered in freetype via a crafted font.

Thank you for the fixed packages and for the related patch. It's very convenient to have somebody do the patching for me.

> This update also reverts the fix for CVE-2016-10328, as it was
> determined that freetype 2.4.9 is not affected by that issue.

I'm curious to see the version scope/some proof of a particular version not being affected by CVE-2016-10328. The reason I'm asking is that I'm maintaining a backport of the jessie 2.5.2-3 to wheezy, and it seems that the jessie one did not receive any of the mentioned CVE fixes, despite the debian-lts team having already prepared another patch for 2.4.9. So, I'd like to know if you can point me to some mailing-list thread/whatever other notes that could shed some more light on this.

Best regards,
Bolesław Tokarski
