Bug#372719: regression in FreeType security fix for DSA-1095

2006-09-11 Thread Steve Langasek
On Mon, Sep 11, 2006 at 08:45:06PM +0200, Bernd Schubert wrote:

> > On Sat, Aug 19, 2006 at 04:23:50PM +0200, Martin Schulze wrote:
> > > Maybe it's better to fix it via proposed-updates and let the SRM team
> > > decide.

> > This has happened now, and is r3.  It's regrettable that we couldn't get it
> > out in a DSA update, but it's at least done for users who will upgrade from
> > stable.

> Sorry for my dumb question, but where do I find the latest package? I don't 
> see any recent libfreetype6 security updates and also sarge-proposed-updates 
> doesn't have anything about libfreetype6?

It's in stable.  sarge-proposed-updates is a staging ground; this package
has been included in the latest sarge point release.

> Another question, did you discuss this issue with upstream?

No.

> I mean, if there's some dispute on how it should be solved, shouldn't
> upstream be at least asked?

I don't see that there is any dispute on how it should be solved.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#372719: regression in FreeType security fix for DSA-1095

2006-09-11 Thread Bernd Schubert
> Version: 2.1.7-5
> 
> On Sat, Aug 19, 2006 at 04:23:50PM +0200, Martin Schulze wrote:
> > Maybe it's better to fix it via proposed-updates and let the SRM team
> > decide.
> 
> This has happened now, and is r3.  It's regrettable that we couldn't get it
> out in a DSA update, but it's at least done for users who will upgrade from
> stable.

Sorry for my dumb question, but where do I find the latest package? I don't 
see any recent libfreetype6 security updates and also sarge-proposed-updates 
doesn't have anything about libfreetype6? On vorlon's site 
(http://people.debian.org/~vorlon/) there's also only the -3 package from 
June.

Another question, did you discuss this issue with upstream? I mean, if there's 
some dispute on how it should be solved, shouldn't upstream at least be 
asked? This also applies to #367593; I searched the freetype list archives, 
but didn't find anything recent about Debian bugs. 


Thanks,
Bernd

-- 
Bernd Schubert
PCI / Theoretische Chemie
Universität Heidelberg
INF 229
69120 Heidelberg




Bug#372719: regression in FreeType security fix for DSA-1095

2006-09-05 Thread Mgr. Peter Tuharsky

Thank you, it seems to work now.

Peter





Bug#372719: regression in FreeType security fix for DSA-1095

2006-08-19 Thread Martin Schulze
Hi!

First of all, I'd like to apologise for my harsh words.  I spent the last
days nearly only on Debian issues including a lot of security and buildd
work and yesterday had just decided to not wait for your answer to a mail
from nearly one month ago and go ahead with the upload.

Steve Langasek wrote:
> On Sat, Aug 19, 2006 at 09:28:46AM +0200, Martin Schulze wrote:
> > > Well, apparently the -3 package that you said you couldn't find was on
> > > security.d.o all along, because this was *not* in the second -3 package 
> > > that
> > > I uploaded; but that one was rejected because it was a duplicate.
> 
> > > I've uploaded -4 now with the additional check.
> 
> > I was trying to build -2.5 with no luck, then just started with -3.1 to
> > fix your invisible -3 build, and just now you've decided to upload -4
> > which is also invisible to us and which most probably blocks -3.1 from
> > building - as I see -4 build logs.  Thank you very much.
> 
> Gee, thanks for swearing at me.  How is it *my* fault that you can't see
> builds that are being uploaded to the documented queue on
> security.debian.org, and why did you not bother to let *me* know that
> something had changed with the package when I'd previously been given
> approval to upload?  I'm sure I could've found something else to do with my
> time tonight besides trying to help clean up after your broken DSA build.

As I said, I've sent you a mail nearly one month ago apparently (according
to the date in the greeting of the mail you responded).  I was waiting for
your approval but it didn't happen until today.

> Either way, I guess this bug is not my problem any more, since I apparently
> can't contribute anything useful to fixing it and am not sure I would want
> to if there was.

Neither can I.

Maybe it's better to fix it via proposed-updates and let the SRM team
decide.

Regards,

Joey

-- 
Unix is user friendly ...  It's just picky about its friends.

Please always Cc to me when replying to me on the lists.





Bug#372719: regression in FreeType security fix for DSA-1095

2006-08-19 Thread Steve Langasek
On Sat, Aug 19, 2006 at 09:28:46AM +0200, Martin Schulze wrote:
> > Well, apparently the -3 package that you said you couldn't find was on
> > security.d.o all along, because this was *not* in the second -3 package that
> > I uploaded; but that one was rejected because it was a duplicate.

> > I've uploaded -4 now with the additional check.

> I was trying to build -2.5 with no luck, then just started with -3.1 to
> fix your invisible -3 build, and just now you've decided to upload -4
> which is also invisible to us and which most probably blocks -3.1 from
> building - as I see -4 build logs.  Thank you very much.

Gee, thanks for swearing at me.  How is it *my* fault that you can't see
builds that are being uploaded to the documented queue on
security.debian.org, and why did you not bother to let *me* know that
something had changed with the package when I'd previously been given
approval to upload?  I'm sure I could've found something else to do with my
time tonight besides trying to help clean up after your broken DSA build.

Either way, I guess this bug is not my problem any more, since I apparently
can't contribute anything useful to fixing it and am not sure I would want
to if there was.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/





Bug#372719: regression in FreeType security fix for DSA-1095

2006-08-19 Thread Martin Schulze
Steve Langasek wrote:
> On Sun, Jul 23, 2006 at 08:51:29PM +0200, Martin Schulze wrote:
> > Steve Langasek wrote:
> > > On Fri, Jul 07, 2006 at 08:42:59PM +0200, Martin Schulze wrote:
> 
> > > It appears to be a correct fix for the regression that has been reported.
> 
> > > > I'd rather make it read:
> 
> > > > if (height <= 0 || (FT_ULong)pitch > LONG_MAX/height)
> 
> > > > because later we have "pitch * height" which will result in a malloc
> > > > of zero.
> 
> > s/of zero/of less than zero/ it should have read, i.e. a negative malloc
> > which is generally a bad thing.
> 
> Ok, that's fair.  I think there's still the possibility of a negative malloc
> if pitch is negative, but that's now several steps removed from the stated
> vulnerability, and in the meantime we still have the crasher regression, so
> I've updated the patch to use the height <= 0 check.
> 
> > I still see
> 
> > --- freetype-2.1.7.orig/--variant=buildd/debootstrap/debootstrap.log
> > +++ freetype-2.1.7/--variant=buildd/debootstrap/debootstrap.log
> > @@ -0,0 +1,2 @@
> > +/usr/sbin/debootstrap: line 349: .: /chroots/sarge-i386-pristine: is a 
> > directory
> > +/usr/sbin/debootstrap: line 349: .: /chroots/sarge-i386-pristine: is a 
> > directory
> > 
> > which ought not to be there.
> 
> Well, apparently the -3 package that you said you couldn't find was on
> security.d.o all along, because this was *not* in the second -3 package that
> I uploaded; but that one was rejected because it was a duplicate.
> 
> I've uploaded -4 now with the additional check.

Oh damn you!

This way we won't get an update any time.

I was trying to build -2.5 with no luck, then just started with -3.1 to
fix your invisible -3 build, and just now you've decided to upload -4
which is also invisible to us and which most probably blocks -3.1 from
building - as I see -4 build logs.  Thank you very much.

-- 
Unix is user friendly ...  It's just picky about its friends.

Please always Cc to me when replying to me on the lists.





Bug#372719: regression in FreeType security fix for DSA-1095

2006-08-19 Thread Steve Langasek
On Sun, Jul 23, 2006 at 08:51:29PM +0200, Martin Schulze wrote:
> Steve Langasek wrote:
> > On Fri, Jul 07, 2006 at 08:42:59PM +0200, Martin Schulze wrote:

> > It appears to be a correct fix for the regression that has been reported.

> > > I'd rather make it read:

> > > if (height <= 0 || (FT_ULong)pitch > LONG_MAX/height)

> > > because later we have "pitch * height" which will result in a malloc
> > > of zero.

> s/of zero/of less than zero/ it should have read, i.e. a negative malloc
> which is generally a bad thing.

Ok, that's fair.  I think there's still the possibility of a negative malloc
if pitch is negative, but that's now several steps removed from the stated
vulnerability, and in the meantime we still have the crasher regression, so
I've updated the patch to use the height <= 0 check.

> I still see

> --- freetype-2.1.7.orig/--variant=buildd/debootstrap/debootstrap.log
> +++ freetype-2.1.7/--variant=buildd/debootstrap/debootstrap.log
> @@ -0,0 +1,2 @@
> +/usr/sbin/debootstrap: line 349: .: /chroots/sarge-i386-pristine: is a 
> directory
> +/usr/sbin/debootstrap: line 349: .: /chroots/sarge-i386-pristine: is a 
> directory
> 
> which ought not to be there.

Well, apparently the -3 package that you said you couldn't find was on
security.d.o all along, because this was *not* in the second -3 package that
I uploaded; but that one was rejected because it was a duplicate.

I've uploaded -4 now with the additional check.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/





Bug#372719: regression in FreeType security fix for DSA-1095

2006-07-23 Thread Martin Schulze
Steve Langasek wrote:
> On Fri, Jul 07, 2006 at 08:42:59PM +0200, Martin Schulze wrote:
> 
> > Steve Langasek wrote:
> > > As mentioned earlier this month, a regression was found in the freetype
> > > 2.1.7-2.5 package uploaded for DSA-1095 which caused applications to crash
> > > with division-by-zero errors.  I've prepared a maintainer upload to fix
> > > this regression using the patch from bug #373581, which can be found at
> > > .
> 
> > Are you sure this is the proper fix?
> 
> > -+if ((FT_ULong)pitch > LONG_MAX/height)
> > ++if (height != 0 && (FT_ULong)pitch > LONG_MAX/height)
> 
> It appears to be a correct fix for the regression that has been reported.
> 
> > I'd rather make it read:
> 
> > if (height <= 0 || (FT_ULong)pitch > LONG_MAX/height)
> 
> > because later we have "pitch * height" which will result in a malloc
> > of zero.

s/of zero/of less than zero/ it should have read, i.e. a negative malloc
which is generally a bad thing.

> This 'pitch * height' is pre-existing code in 2.1.7-2.4 and users report no
> problems with OOo running against that version of freetype.  I have not
> traced the code to determine whether changing the returned error in the case
> of a height of 0 has any side effects; given that there are no previous
> complaints about height==0, I don't think this is a change that needs to be
> made in a security update.

Yeah, height==0 is evil, but height<0 is evil as well and will result
in "interesting" results, hence, should be avoided as well.

I still see

--- freetype-2.1.7.orig/--variant=buildd/debootstrap/debootstrap.log
+++ freetype-2.1.7/--variant=buildd/debootstrap/debootstrap.log
@@ -0,0 +1,2 @@
+/usr/sbin/debootstrap: line 349: .: /chroots/sarge-i386-pristine: is a 
directory
+/usr/sbin/debootstrap: line 349: .: /chroots/sarge-i386-pristine: is a 
directory
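Review bot: `--variant=buildd/debootstrap/debootstrap.log` is a build-chroot artifact left behind in the unpacked tree, not part of the freetype source, so its presence in the .diff.gz means the binary build was run before the source package was generated. Regenerate the source package from a clean tree and confirm with `interdiff -z` against the previous revision that the only remaining change is the one-line guard.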

which ought not to be there.  Please build the source package before
building the binary package and review the change with interdiff -z.

Regards,

Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.





Bug#372719: regression in FreeType security fix for DSA-1095

2006-07-15 Thread Steve Langasek
On Fri, Jul 07, 2006 at 08:42:59PM +0200, Martin Schulze wrote:

> Steve Langasek wrote:
> > As mentioned earlier this month, a regression was found in the freetype
> > 2.1.7-2.5 package uploaded for DSA-1095 which caused applications to crash
> > with division-by-zero errors.  I've prepared a maintainer upload to fix
> > this regression using the patch from bug #373581, which can be found at
> > .

> Are you sure this is the proper fix?

> -+if ((FT_ULong)pitch > LONG_MAX/height)
> ++if (height != 0 && (FT_ULong)pitch > LONG_MAX/height)

It appears to be a correct fix for the regression that has been reported.

> I'd rather make it read:

> if (height <= 0 || (FT_ULong)pitch > LONG_MAX/height)

> because later we have "pitch * height" which will result in a malloc
> of zero.

This 'pitch * height' is pre-existing code in 2.1.7-2.4 and users report no
problems with OOo running against that version of freetype.  I have not
traced the code to determine whether changing the returned error in the case
of a height of 0 has any side effects; given that there are no previous
complaints about height==0, I don't think this is a change that needs to be
made in a security update.

> The package contains changes to debootstrap.log that should
> not be there btw.

Hmm, so it does.  I've re-rolled the package to drop this spurious change
and am re-uploading it now.

On Fri, Jul 07, 2006 at 08:44:22PM +0200, Martin Schulze wrote:
> Steve Langasek wrote:
> > On Mon, Jun 26, 2006 at 08:36:07AM +0100, Steve Kemp wrote:
> > > On Sun, Jun 25, 2006 at 03:09:51PM -0700, Steve Langasek wrote:
> > 
> > > > As mentioned earlier this month, a regression was found in the freetype
> > > > 2.1.7-2.5 package uploaded for DSA-1095 which caused applications to 
> > > > crash
> > > > with division-by-zero errors.  I've prepared a maintainer upload to fix
> > > > this regression using the patch from bug #373581, which can be found at
> > > > .
> > 
> > > > Can I upload this to security.d.o for a revised DSA?
> > 
> > >   Yes, please do.

> > Uploaded.

> Btw. where?  I can't see it.

Successfully uploaded freetype_2.1.7-3.dsc to security-master.debian.org.
Successfully uploaded freetype_2.1.7-3.diff.gz to security-master.debian.org.
Successfully uploaded libfreetype6_2.1.7-3_i386.deb to 
security-master.debian.org.
Successfully uploaded libfreetype6-dev_2.1.7-3_i386.deb to 
security-master.debian.org.
Successfully uploaded freetype2-demos_2.1.7-3_i386.deb to 
security-master.debian.org.
Successfully uploaded libfreetype6-udeb_2.1.7-3_i386.udeb to 
security-master.debian.org.
Successfully uploaded freetype_2.1.7-3_i386.changes to 
security-master.debian.org.

This was done with distribution=stable-security.  Hopefully the second try
won't disappear also...

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Bug#372719: regression in FreeType security fix for DSA-1095

2006-07-07 Thread Martin Schulze
Steve Langasek wrote:
> On Mon, Jun 26, 2006 at 08:36:07AM +0100, Steve Kemp wrote:
> > On Sun, Jun 25, 2006 at 03:09:51PM -0700, Steve Langasek wrote:
> 
> > > As mentioned earlier this month, a regression was found in the freetype
> > > 2.1.7-2.5 package uploaded for DSA-1095 which caused applications to crash
> > > with division-by-zero errors.  I've prepared a maintainer upload to fix
> > > this regression using the patch from bug #373581, which can be found at
> > > .
> 
> > > Can I upload this to security.d.o for a revised DSA?
> 
> >   Yes, please do.
> 
> Uploaded.

Btw. where?  I can't see it.

Regards,

Joey

-- 
Reading is a lost art nowadays.  -- Michael Weber

Please always Cc to me when replying to me on the lists.





Bug#372719: regression in FreeType security fix for DSA-1095

2006-07-07 Thread Martin Schulze
Hi!

Steve Langasek wrote:
> As mentioned earlier this month, a regression was found in the freetype
> 2.1.7-2.5 package uploaded for DSA-1095 which caused applications to crash
> with division-by-zero errors.  I've prepared a maintainer upload to fix
> this regression using the patch from bug #373581, which can be found at
> .

Are you sure this is the proper fix?

-+if ((FT_ULong)pitch > LONG_MAX/height)
++if (height != 0 && (FT_ULong)pitch > LONG_MAX/height)
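Review bot: the `height != 0 &&` guard on the `++` line avoids the division but leaves two cases unchecked: with height == 0 the overflow comparison is skipped entirely and control reaches the later `pitch * height` as a zero-size allocation, and with a negative height `LONG_MAX/height` is negative, which converts to a large `FT_ULong` in the comparison so the check passes. Rejecting `height <= 0` before the division handles both.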

I'd rather make it read:

if (height <= 0 || (FT_ULong)pitch > LONG_MAX/height)

because later we have "pitch * height" which will result in a malloc
of zero.

That way, OOo won't crash anymore but may handle the font error
properly.

The package contains changes to debootstrap.log that should
not be there btw.

Regards,

Joey

-- 
Reading is a lost art nowadays.  -- Michael Weber

Please always Cc to me when replying to me on the lists.


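As an added illustration (not code from this thread or from FreeType itself), the three forms of the guard discussed in this message and in the later "negative malloc" exchange, side by side in C. The `FT_Long`/`FT_ULong` typedefs, the `guard_result` enum, the function names and the sample values are all assumptions made for the example; it models the division by zero in the DSA-1095 guard, the zero-byte and wrapped-size allocations that the `height != 0` form lets through, and why the `height <= 0 ||` form rejects both.

```c
/* Added example: models the three FreeType bitmap-size guard variants from
 * this thread. Typedefs, enum, function names and sample values are this
 * example's own assumptions, not FreeType code. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

typedef long          FT_Long;   /* assumed: FreeType's signed long */
typedef unsigned long FT_ULong;  /* assumed: FreeType's unsigned long */

enum guard_result {
    GUARD_ACCEPT,      /* check passed; caller goes on to allocate pitch * height */
    GUARD_REJECT,      /* check failed; caller returns a font error */
    GUARD_DIV_BY_ZERO  /* the guard itself would divide by zero (the reported crash) */
};

/* Variant 1: the DSA-1095 (2.1.7-2.5) guard. LONG_MAX/height is evaluated
 * unconditionally, so height == 0 crashes the caller (bug #373581). The
 * crash is modelled as a return value here instead of being performed. */
enum guard_result guard_dsa1095(FT_Long pitch, FT_Long height)
{
    if (height == 0)
        return GUARD_DIV_BY_ZERO;
    if ((FT_ULong)pitch > LONG_MAX / height)
        return GUARD_REJECT;
    return GUARD_ACCEPT;
}

/* Variant 2: the #373581 regression fix (height != 0 && ...). No division
 * by zero, but height == 0 now passes through to a zero-byte allocation, and
 * a negative height makes LONG_MAX/height negative; that negative long is
 * converted to FT_ULong for the comparison, becomes a huge value, and the
 * check passes. */
enum guard_result guard_height_nonzero(FT_Long pitch, FT_Long height)
{
    if (height != 0 && (FT_ULong)pitch > LONG_MAX / height)
        return GUARD_REJECT;
    return GUARD_ACCEPT;
}

/* Variant 3: the check proposed in the thread (height <= 0 || ...). Zero and
 * negative heights are rejected before any division or multiplication. A
 * negative pitch is rejected as well whenever height is positive, because its
 * unsigned conversion is above LONG_MAX, and LONG_MAX/height is not. */
enum guard_result guard_height_positive(FT_Long pitch, FT_Long height)
{
    if (height <= 0 || (FT_ULong)pitch > LONG_MAX / height)
        return GUARD_REJECT;
    return GUARD_ACCEPT;
}

/* The byte count the allocation site would request once a guard accepts:
 * pitch * height converted to size_t. For a negative product the conversion
 * wraps to a value near SIZE_MAX, which is the "negative malloc" the thread
 * refers to. Use small operands for the negative case so the signed
 * multiplication itself cannot overflow. */
size_t requested_bytes(FT_Long pitch, FT_Long height)
{
    return (size_t)(pitch * height);
}

/* Stand-alone demonstration on constructed sample values. */
int main(void)
{
    static const char *names[] = { "accept", "reject", "div-by-zero" };
    const FT_Long samples[][2] = { {100, 8}, {100, 0}, {100, -1}, {LONG_MAX, 2}, {-100, 8} };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        FT_Long p = samples[i][0], h = samples[i][1];
        printf("pitch=%ld height=%ld: dsa1095=%s  nonzero=%s  positive=%s\n",
               p, h, names[guard_dsa1095(p, h)],
               names[guard_height_nonzero(p, h)],
               names[guard_height_positive(p, h)]);
        if (guard_height_nonzero(p, h) == GUARD_ACCEPT && h <= 0)
            printf("  nonzero guard would request %zu bytes\n", requested_bytes(p, h));
    }
    return 0;
}
```

The comparison in every variant is between an `FT_ULong` and a `long`, so the usual arithmetic conversions make it unsigned; that is why a negative quotient silently turns into a value that nothing reasonable exceeds, and why the sign of `height` has to be checked before the division rather than inside the comparison.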



Bug#372719: regression in FreeType security fix for DSA-1095

2006-06-26 Thread Steve Langasek
On Mon, Jun 26, 2006 at 08:36:07AM +0100, Steve Kemp wrote:
> On Sun, Jun 25, 2006 at 03:09:51PM -0700, Steve Langasek wrote:

> > As mentioned earlier this month, a regression was found in the freetype
> > 2.1.7-2.5 package uploaded for DSA-1095 which caused applications to crash
> > with division-by-zero errors.  I've prepared a maintainer upload to fix
> > this regression using the patch from bug #373581, which can be found at
> > .

> > Can I upload this to security.d.o for a revised DSA?

>   Yes, please do.

Uploaded.

Thanks,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/





Bug#372719: regression in FreeType security fix for DSA-1095

2006-06-26 Thread Steve Kemp
On Sun, Jun 25, 2006 at 03:09:51PM -0700, Steve Langasek wrote:

> As mentioned earlier this month, a regression was found in the freetype
> 2.1.7-2.5 package uploaded for DSA-1095 which caused applications to crash
> with division-by-zero errors.  I've prepared a maintainer upload to fix
> this regression using the patch from bug #373581, which can be found at
> .
> 
> Can I upload this to security.d.o for a revised DSA?

  Yes, please do.

Steve
-- 




Bug#372719: regression in FreeType security fix for DSA-1095

2006-06-25 Thread Steve Langasek
Hi guys,

As mentioned earlier this month, a regression was found in the freetype
2.1.7-2.5 package uploaded for DSA-1095 which caused applications to crash
with division-by-zero errors.  I've prepared a maintainer upload to fix
this regression using the patch from bug #373581, which can be found at
.

Can I upload this to security.d.o for a revised DSA?

Thanks,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/

