Your message dated Wed, 15 Aug 2007 22:32:16 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#425625: fixed in freetype 2.2.1-5+etch1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libfreetype6
Version: 2.2.1-5
Severity: grave
Tags: security patch
Justification: user security hole
A vulnerability has been found in freetype. CVE-2007-2754:
"Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier
might allow remote attackers to execute arbitrary code via a crafted TTF image
with a negative n_points value, which leads to an integer overflow and
heap-based buffer overflow."
A patch is at [1].
Please mention the CVE id in the changelog.
[1]
http://cvs.savannah.nongnu.org/viewvc/freetype2/src/truetype/ttgload.c?root=freetype&r1=1.177&r2=1.178
--- End Message ---
--- Begin Message ---
Source: freetype
Source-Version: 2.2.1-5+etch1
We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive:
freetype2-demos_2.2.1-5+etch1_i386.deb
to pool/main/f/freetype/freetype2-demos_2.2.1-5+etch1_i386.deb
freetype_2.2.1-5+etch1.diff.gz
to pool/main/f/freetype/freetype_2.2.1-5+etch1.diff.gz
freetype_2.2.1-5+etch1.dsc
to pool/main/f/freetype/freetype_2.2.1-5+etch1.dsc
libfreetype6-dev_2.2.1-5+etch1_i386.deb
to pool/main/f/freetype/libfreetype6-dev_2.2.1-5+etch1_i386.deb
libfreetype6-udeb_2.2.1-5+etch1_i386.udeb
to pool/main/f/freetype/libfreetype6-udeb_2.2.1-5+etch1_i386.udeb
libfreetype6_2.2.1-5+etch1_i386.deb
to pool/main/f/freetype/libfreetype6_2.2.1-5+etch1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve Langasek <[EMAIL PROTECTED]> (supplier of updated freetype package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 23 May 2007 03:26:25 -0700
Source: freetype
Binary: freetype2-demos libfreetype6-udeb libfreetype6 libfreetype6-dev
Architecture: source i386
Version: 2.2.1-5+etch1
Distribution: stable-security
Urgency: high
Maintainer: Steve Langasek <[EMAIL PROTECTED]>
Changed-By: Steve Langasek <[EMAIL PROTECTED]>
Description:
freetype2-demos - FreeType 2 demonstration programs
libfreetype6 - FreeType 2 font engine, shared library files
libfreetype6-dev - FreeType 2 font engine, development files
libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Closes: 425625
Changes:
freetype (2.2.1-5+etch1) stable-security; urgency=high
.
* debian/patches-freetype/CVE-2007-2754_ttgfload: address CVE-2007-2754,
a bug allowing execution of arbitrary code via a crafted TTF image by
way of an integer overflow. Closes: #425625.
Files:
187a09fa137f44644a826cc561851023 798 libs optional freetype_2.2.1-5+etch1.dsc
a584e84d617c6e7919b4aef9b5106cf4 1451392 libs optional
freetype_2.2.1.orig.tar.gz
83f454db44bdb8929e0f0381143dc5db 30963 libs optional
freetype_2.2.1-5+etch1.diff.gz
f800ba2ee94137591a764136ec71cbd9 341778 libs optional
libfreetype6_2.2.1-5+etch1_i386.deb
d15f9a17fe9b5756026779a9e6639305 641566 libdevel optional
libfreetype6-dev_2.2.1-5+etch1_i386.deb
7fb03ee21e372b7a4602debe961f764a 135254 utils optional
freetype2-demos_2.2.1-5+etch1_i386.deb
9c5125cd256d1e645470d08d7c73bba5 235858 debian-installer extra
libfreetype6-udeb_2.2.1-5+etch1_i386.udeb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGXXjVKN6ufymYLloRAt8hAJ9iLOWxocSuzZWXTtVDzfV7uoNuQACgxaWo
eZzJueCco4gtT6o/k1A8HqA=
=iqkx
-----END PGP SIGNATURE-----
--- End Message ---
