Your message dated Mon, 01 Jun 2009 11:47:05 +0000
with message-id <e1mb5yr-0007ts...@ries.debian.org>
and subject line Bug#524925: fixed in freetype 2.3.9-5
has caused the Debian Bug report #524925,
regarding freetype: multiple integer overflows
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
524925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524925
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: freetype
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for freetype.

CVE-2009-0946[0]:
| Multiple integer overflows in FreeType 2.3.9 and earlier allow remote
| attackers to execute arbitrary code via vectors related to large
| values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c,
| and (3) cff/cffload.c.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

The upstream patches for this are:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0a05ba257b6ddd87dacf8d54b626e4b360e0a596
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5

I can provide test-cases for these bugs in private if you need them.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946
    http://security-tracker.debian.net/tracker/CVE-2009-0946

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

--- End Message ---
--- Begin Message ---
Source: freetype
Source-Version: 2.3.9-5

We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive:

freetype2-demos_2.3.9-5_amd64.deb
  to pool/main/f/freetype/freetype2-demos_2.3.9-5_amd64.deb
freetype_2.3.9-5.diff.gz
  to pool/main/f/freetype/freetype_2.3.9-5.diff.gz
freetype_2.3.9-5.dsc
  to pool/main/f/freetype/freetype_2.3.9-5.dsc
libfreetype6-dev_2.3.9-5_amd64.deb
  to pool/main/f/freetype/libfreetype6-dev_2.3.9-5_amd64.deb
libfreetype6-udeb_2.3.9-5_amd64.udeb
  to pool/main/f/freetype/libfreetype6-udeb_2.3.9-5_amd64.udeb
libfreetype6_2.3.9-5_amd64.deb
  to pool/main/f/freetype/libfreetype6_2.3.9-5_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 524...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vor...@debian.org> (supplier of updated freetype package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

Format: 1.8
Date: Mon, 01 Jun 2009 04:37:19 -0700
Source: freetype
Binary: libfreetype6 libfreetype6-dev freetype2-demos libfreetype6-udeb
Architecture: source amd64
Version: 2.3.9-5
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <vor...@debian.org>
Changed-By: Steve Langasek <vor...@debian.org>
Description:
 freetype2-demos - FreeType 2 demonstration programs
 libfreetype6 - FreeType 2 font engine, shared library files
 libfreetype6-dev - FreeType 2 font engine, development files
 libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Closes: 315845 465292 524925
Changes:
 freetype (2.3.9-5) unstable; urgency=low
 .
   * Pass proper --host/--build args to ./configure, to support
     cross-building. Closes: #465292.
   * clean up a number of unused variables in debian/rules; maybe someday
     we'll get this package to converge on debhelper 7... :)
   * Fix the doc-base section for libfreetype6-dev. Closes: #315845.
   * Remove one final reference to /usr/X11R6 in debian/rules.
   * Drop incorrect Replaces: freetype0, freetype1
   * Add debian/README.source, documenting the madness that is this
     source package.
   * Standards-Version to 3.8.0.
   * Fix multiple integer overflows leading to arbitrary code execution
     or DoS (CVE-2009-0946; Closes: #524925). Thanks to Nico Golde for
     the NMU.
Package-Type: udeb
--- End Message ---