[Bug 1074647] New: CVE-2014-2240 freetype: OOB stack-based read/write in cf2_hintmap_build() [fedora-20]
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1074647
Bug ID: 1074647
Summary: CVE-2014-2240 freetype: OOB stack-based read/write in cf2_hintmap_build() [fedora-20]
Product: Fedora
Version: 20
Component: freetype
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: mkasik(a)redhat.com
Reporter: vdanen(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: behdad(a)fedoraproject.org,
fonts-bugs(a)lists.fedoraproject.org,
kevin(a)tigcc.ticalc.org, mkasik(a)redhat.com
Blocks: 1074646 (CVE-2014-2240)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
fedora-20 tracking bug for freetype: see blocks bug list for full details of
the security issue(s).
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1074646
[Bug 1074646] CVE-2014-2240 freetype: OOB stack-based read/write in cf2_hintmap_build()
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1023977] New: Use fc-cache /usr/share/fonts/<your font directory> instead of /usr/share/fonts
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1023977
Bug ID: 1023977
Summary: Use fc-cache /usr/share/fonts/<your font directory> instead of /usr/share/fonts
Product: Red Hat Enterprise Linux 7
Version: 7.0
Component: ghostscript-fonts
Assignee: twaugh(a)redhat.com
Reporter: twaugh(a)redhat.com
QA Contact: qe-i18n-bugs(a)redhat.com
CC: fonts-bugs(a)lists.fedoraproject.org,
patrick.noffke(a)gmail.com, tagoh(a)redhat.com,
twaugh(a)redhat.com
Depends On: 1021757
Group: redhat
+++ This bug was initially created as a clone of Bug #1021757 +++
Description of problem:
Running fc-cache with /usr/share/fonts takes too much time and may break the
cache for parents when installing multiple font packages or upgrading
fontconfig; this especially tends to happen during installation.
Please follow what the macro in fontpackages does and use fc-cache
/usr/share/fonts/<your font directory> instead of /usr/share/fonts.
Version-Release number of selected component (if applicable):
ghostscript-fonts-5.50-30.fc19.noarch
How reproducible:
always
Steps to Reproduce:
1. rpm -q --scripts ghostscript-fonts-5.50-30.fc19.noarch
Actual results:
postinstall scriptlet (using /bin/sh):
{
mkfontscale /usr/share/fonts/default/ghostscript
mkfontdir /usr/share/fonts/default/ghostscript
fc-cache /usr/share/fonts
} &> /dev/null || :
postuninstall scriptlet (using /bin/sh):
{
if [ "$1" = "0" ]; then
fc-cache /usr/share/fonts
fi
} &> /dev/null || :
Expected results:
the directory should be /usr/share/fonts/<your font directory> instead
Additional info:
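A check a packager or QA engineer could run over `rpm -q --scripts` output to catch the whole-tree fc-cache call the report describes. This is an added example, not part of the bug report or of the ghostscript-fonts package; the scriptlet text it scans is a constructed sample modelled on the output shown above.

```shell
#!/bin/sh
# Added example: flag RPM scriptlets that run fc-cache on the whole
# /usr/share/fonts tree instead of the package's own font directory.
# Constructed sample of `rpm -q --scripts` output, modelled on the report;
# the postuninstall scriptlet here already uses the per-package directory.
SAMPLE_SCRIPTS='postinstall scriptlet (using /bin/sh):
{
mkfontscale /usr/share/fonts/default/ghostscript
mkfontdir /usr/share/fonts/default/ghostscript
fc-cache /usr/share/fonts
} &> /dev/null || :
postuninstall scriptlet (using /bin/sh):
{
if [ "$1" = "0" ]; then
fc-cache /usr/share/fonts/default/ghostscript
fi
} &> /dev/null || :'

# Reads scriptlet text on stdin; prints one line per offending fc-cache call
# (top-level /usr/share/fonts, or no directory at all, which scans everything).
# Returns 0 when every fc-cache call is scoped to a subdirectory, 1 otherwise.
check_fc_cache_scope() {
    flagged=0
    scriptlet=unknown
    while IFS= read -r line; do
        case "$line" in
            *" scriptlet (using "*) scriptlet="${line%% scriptlet*}"; continue ;;
            *fc-cache*) ;;
            *) continue ;;
        esac
        dir=""
        for arg in ${line#*fc-cache}; do
            case "$arg" in
                -*) ;;                     # skip options such as -f or -v
                *)  dir="${arg%/}"; break ;;
            esac
        done
        if [ -z "$dir" ] || [ "$dir" = "/usr/share/fonts" ]; then
            echo "$scriptlet: fc-cache rebuilds the whole tree (arg: '${dir:-<none>}')"
            flagged=1
        fi
    done
    return "$flagged"
}

if printf '%s\n' "$SAMPLE_SCRIPTS" | check_fc_cache_scope; then
    echo "all fc-cache calls are scoped to a package directory"
fi
```

Against real packages, feed it `rpm -q --scripts <package>` for each installed font package and act on anything it prints.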
--- Additional comment from Tim Waugh on 2013-10-22 04:51:41 EDT ---
For the postuninstall scriptlet too?
Is there anything planned for the Fedora Project packaging guidelines to make
sure there are no regressions with this?
Does this change look correct?:
diff --git a/ghostscript-fonts.spec b/ghostscript-fonts.spec
index d66fbaa..c2cbc3f 100644
--- a/ghostscript-fonts.spec
+++ b/ghostscript-fonts.spec
@@ -1,7 +1,7 @@
Summary: Fonts for the Ghostscript PostScript interpreter
Name: ghostscript-fonts
Version: 5.50
-Release: 30%{?dist}
+Release: 31%{?dist}
# Contacted Kevin Hartig, who agreed to relicense his fonts under the SIL Open
Font
# License. Hershey fonts are under the "Hershey Font License", which is not
what Fontmap
# says (Fontmap is wrong).
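Review bot: the context lines of this hunk are mail-wrapped, so the header @@ -1,7 +1,7 @@ counts 7 lines while 9 appear here ("Font" and "what Fontmap" are continuations of the preceding "# Contacted Kevin Hartig ..." and "# License. ..." comment lines); apply the change from the spec repository rather than from this pasted copy, since it will not apply cleanly as shown.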
@@ -58,13 +58,13 @@ ln -sf %{fontdir}
$RPM_BUILD_ROOT%{catalogue}/default-ghostscript
{
mkfontscale %{fontdir}
mkfontdir %{fontdir}
- fc-cache %{_datadir}/fonts
+ fc-cache %{fontdir}
} &> /dev/null || :
%postun
{
if [ "$1" = "0" ]; then
- fc-cache %{_datadir}/fonts
+ fc-cache %{fontdir}
fi
} &> /dev/null || :
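Review bot: the `&> /dev/null || :` wrapper on both scriptlets discards any failure of `fc-cache %{fontdir}`, so a broken cache rebuild (the symptom this bug is about) would go unnoticed; consider `fc-cache %{fontdir} >/dev/null || :` so stderr still reaches the transaction output. `&>` is also a bash-only redirection while the scriptlets are declared as "using /bin/sh", so `>/dev/null 2>&1` is the portable spelling if output must be silenced. In %postun with "$1" = "0" the package's files are already gone when the scriptlet runs, so `fc-cache %{fontdir}` is pointed at a directory that no longer exists; confirm that this is the intended way to drop the stale cache and note it in the spec.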
@@ -80,6 +80,10 @@ rm -rf $RPM_BUILD_ROOT
%ghost %verify(not md5 size mtime) %{fontdir}/fonts.scale
%changelog
+* Tue Oct 22 2013 Tim Waugh <twaugh(a)redhat.com> - 5.50-31
+- Run fc-cache on our font directory, not the entire font collection
+ (bug #1021757).
+
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org>
- 5.50-30
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
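Review bot: the changelog entry and release match the 5.50-31 bump, but the %files context only shows `%{fontdir}/fonts.scale` as %ghost while the %post scriptlet also generates fonts.dir via mkfontdir; check that `%{fontdir}/fonts.dir` carries the same `%ghost %verify(not md5 size mtime)` treatment so it is owned, removed on erase, and not flagged by rpm -V.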
--- Additional comment from Nicolas Mailhot on 2013-10-22 05:23:13 EDT ---
(In reply to Tim Waugh from comment #1)
> For the postuninstall scriptlet too?
>
> Is there anything planned for the Fedora Project packaging guidelines to
> make sure there are no regressions with this?
Well, what the packaging guidelines actually say is that you shouldn't install
any font without using fontpackages-devel templates and macros or splitting
fonts per family, which means all font packages have the same implementation
and there is no risk of single-package regression.
I appreciate that ghostscript antedates the consolidation work that went into
current font packaging guidelines, but maybe it's time to align it with them?
Also TEX people have spent many years cleaning up and modernizing gs fonts. It
would be worthwhile to package the tex gyre family and use them as replacement,
dropping all legacy font formats and core font calls. I *think* tex gyre
licensing is finally clean and safe (but you'd need to check with spot)
--- Additional comment from Tim Waugh on 2013-10-22 06:15:13 EDT ---
That's a fair point. :-)
That work might have to be done in step with urw-fonts.
--- Additional comment from Fedora Update System on 2013-10-22 06:27:51 EDT ---
ghostscript-fonts-5.50-32.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/ghostscript-fonts-5.50-32.fc19
--- Additional comment from Fedora Update System on 2013-10-22 06:28:34 EDT ---
ghostscript-fonts-5.50-32.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/ghostscript-fonts-5.50-32.fc20
--- Additional comment from Fedora Update System on 2013-10-22 14:51:18 EDT ---
Package ghostscript-fonts-5.50-32.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ghostscript-fonts-5.50-32.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-19682/ghostscript-fon...
then log in and leave karma (feedback).
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1021757
[Bug 1021757] Use fc-cache /usr/share/fonts/<your font directory> instead of /usr/share/fonts