Hi,

On Thu, Apr 27, 2017 at 10:55:51AM +0200, Bolesław Tokarski wrote:
> Hi, Emilio,
>
> > It was found that an out of bounds write caused by a heap-based buffer
> > overflow could be triggered in freetype via a crafted font.
>
> Thank you for the fixed packages and for the patch related. It's very
> convenient to have somebody do the patching for me.
>
> > This update also reverts the fix for CVE-2016-10328, as it was
> > determined that freetype 2.4.9 is not affected by that issue.
>
> I'm curious to see the version scope/some proof of a particular version not
> being affected by CVE-2016-10328.

The particular issue was introduced in
https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=010e0614f2effe058855aacfc3e61c71e1cb5739
and fixed in
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=beecf80a6deecbaf5d264d4f864451bde4fe98b8

Cf. as well https://bugs.debian.org/860303#36

Hope this helps,

Regards,
Salvatore
