Summary: CVE-2008-1808 FreeType off-by-one flaws
Alias: CVE-2008-1808

https://bugzilla.redhat.com/show_bug.cgi?id=450774

Bug 450774 depends on bug 451212, which changed state.

Bug 451212 Summary: CVE-2008-1806 CVE-2008-1807 CVE-2008-1808 Multiple freetype vulnerabilities [Fedora 8]
https://bugzilla.redhat.com/show_bug.cgi?id=451212

           What |Old Value                   |New Value
----------------------------------------------------------------------------
          Status|MODIFIED                    |CLOSED
      Resolution|                            |CURRENTRELEASE

------- Additional Comments From [EMAIL PROTECTED] 2008-06-18 03:19 EST -------

In reply to https://bugzilla.redhat.com/show_bug.cgi?id=450773#c12 :

The only part of the upstream patch that should be related to .ttf issue covered by this CVE id is:

- if ( last_point > CUR.zp2.n_points )
+ if ( BOUNDS ( last_point , CUR.zp2.n_points ) )

maxTwilightPoints check does not seem directly related and was probably added as additional sanity check.

As the .pfb is not supported by freetype1 we should ideally try to avoid mentioning CVE-2008-1806 and CVE-2008-1807 in the freetype1 RPM changelog.

As for bodhi update request, we do not need to submit updated freetype1 packages as security update, as (binary) Fedora packages were not affected by this problem. But I'm ok with pushing it as security update anyway, provided that we clearly mention in the notes that only users rebuilding freetype1 with bci were affected by the problem. Update request should only refer to this bug, not to the bugs for other CVEs.
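
Review bot: the replacement condition on the `+` line depends entirely on how BOUNDS is defined, and that definition is not shown here. The bug is summarised as an off-by-one, so this line only fixes it if BOUNDS rejects last_point == CUR.zp2.n_points, that is, an inclusive comparison rather than the strict `>` on the `-` line. Please confirm the macro in the freetype1 tree being patched behaves that way, and whether it also covers a negative or wrapped last_point, before treating this one line as the complete fix for the .ttf issue.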
