[Bug 613194] CVE-2010-2519 freetype: heap buffer overflow vulnerability when processing certain font files
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=613194
Stephen Herr <sherr(a)redhat.com> changed:
What: Whiteboard
Removed: public=20100609,reported=20100702,source=vendor-sec,rhel-4/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-6/freetype=notaffected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-122[auto]
Added: impact=important,public=20100609,reported=20100702,source=vendor-sec,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-122[auto],rhel-4/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-6/freetype=notaffected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 613167] CVE-2010-2500 freetype: integer overflow vulnerability in smooth/ftgrays.c
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=613167
Stephen Herr <sherr(a)redhat.com> changed:
What: Whiteboard
Removed: public=20100609,reported=20100702,source=vendor-sec,rhel-3/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-4/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-6/freetype=notaffected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-190[auto]
Added: impact=important,public=20100609,reported=20100702,source=vendor-sec,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-190[auto],rhel-3/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-4/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-6/freetype=notaffected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P
[Bug 613162] CVE-2010-2499 freetype: buffer overflow vulnerability
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=613162
Stephen Herr <sherr(a)redhat.com> changed:
What: Whiteboard
Removed: public=20100609,reported=20100702,source=vendor-sec,rhel-4/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-6/freetype=notaffected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P
Added: impact=important,public=20100609,reported=20100702,source=vendor-sec,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-4/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-6/freetype=notaffected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P
[Bug 613160] CVE-2010-2498 freetype: invalid free vulnerability with possible heap corruption
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=613160
Stephen Herr <sherr(a)redhat.com> changed:
What: Whiteboard
Removed: public=20100609,reported=20100702,source=vendor-sec,rhel-5/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-4/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-6/freetype=notaffected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P
Added: impact=important,public=20100609,reported=20100702,source=vendor-sec,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-4/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-6/freetype=notaffected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected/cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P
[Bug 1271792] New: repo-font-audit invalid option errors
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1271792
Bug ID: 1271792
Summary: repo-font-audit invalid option errors
Product: Fedora
Version: 23
Component: fontpackages
Assignee: nicolas.mailhot(a)laposte.net
Reporter: kvolny(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fonts-bugs(a)lists.fedoraproject.org,
nicolas.mailhot(a)laposte.net, paul(a)frixxon.co.uk,
tagoh(a)redhat.com
Description of problem:
Following https://fedoraproject.org/wiki/Font_package_lifecycle#2.a the step
with repo-font-audit doesn't work for me as the tool reports many "invalid
option" errors for coreutils programs it obviously tries to use.
Version-Release number of selected component (if applicable):
fontpackages-tools-1.44-14.fc23.noarch
How reproducible:
always
Steps to Reproduce:
0. # dnf install fontpackages-tools createrepo rpm-build
... whatever needed
1. cd ~/rpmbuild/SRPMS
2. wget https://kvolny.fedorapeople.org/comic-neue-fonts-2.2-1.fc23.src.rpm
3. rpmbuild --rebuild comic-neue-fonts-2.2-1.fc23.src.rpm
4. cd ../RPMS/noarch
5. mkdir /tmp/testrepo
6. mv comic*rpm /tmp/testrepo
7. createrepo /tmp/testrepo
8. repo-font-audit testrepo file:///tmp/testrepo
Actual results:
Looking for packages:
— with font metadata…
Error: 'Package' object has no attribute 'packagesize'
— that include files with common font extensions…
— that use the core X11 protocol…
Inspecting packages:
– -. ◔mkdir: invalid option -- '.'
Try 'mkdir --help' for more information.
/bin/repo-font-audit: line 388: cd: -.: invalid option
cd: usage: cd [-L|[-P [-e]] [-@]] [dir]
curl: (3) [globbing] bad range specification in column 90
◑rpm2cpio: *.rpm: No such file or directory
◕cat: invalid option -- '.'
Try 'cat --help' for more information.
cpio: premature end of archive
cat: invalid option -- '.'
Try 'cat --help' for more information.
touch: invalid option -- '.'
Try 'touch --help' for more information.
cat: invalid option -- '.'
Try 'cat --help' for more information.
cpio: premature end of archive
rm: invalid option -- '.'
Try 'rm ./-..cpio' to remove the file '-..cpio'.
Try 'rm --help' for more information.
● sed: invalid option -- '.'
Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]...
-n, --quiet, --silent
suppress automatic printing of pattern space
-e script, --expression=script
add the script to the commands to be executed
-f script-file, --file=script-file
add the contents of script-file to the commands to be executed
--follow-symlinks
follow symlinks when processing in place
-i[SUFFIX], --in-place[=SUFFIX]
edit files in place (makes backup if SUFFIX supplied)
-c, --copy
use copy instead of rename when shuffling files in -i mode
-b, --binary
does nothing; for compatibility with WIN32/CYGWIN/MSDOS/EMX (
open files in binary mode (CR+LFs are not treated specially))
-l N, --line-length=N
specify the desired line-wrap length for the `l' command
--posix
disable all GNU extensions.
-r, --regexp-extended
use extended regular expressions in the script.
-s, --separate
consider files as separate rather than as a single continuous
long stream.
-u, --unbuffered
load minimal amounts of data from the input files and flush
the output buffers more often
-z, --null-data
separate lines by NUL characters
--help
display this help and exit
--version
output version information and exit
If no -e, --expression, -f, or --file option is given, then the first
non-option argument is taken as the sed script to interpret. All
remaining arguments are names of input files; if no input files are
specified, then the standard input is read.
GNU sed home page: <http://www.gnu.org/software/sed/>.
General help using GNU software: <http://www.gnu.org/gethelp/>.
sed: invalid option -- '.'
– -. ◔mkdir: invalid option -- '.'
Try 'mkdir --help' for more information.
/bin/repo-font-audit: line 388: cd: -.: invalid option
cd: usage: cd [-L|[-P [-e]] [-@]] [dir]
curl: (3) [globbing] bad range specification in column 90
◑rpm2cpio: *.rpm: No such file or directory
◕cat: invalid option -- '.'
Try 'cat --help' for more information.
cpio: premature end of archive
cat: invalid option -- '.'
Try 'cat --help' for more information.
touch: invalid option -- '.'
Try 'touch --help' for more information.
cat: invalid option -- '.'
Try 'cat --help' for more information.
cpio: premature end of archive
rm: invalid option -- '.'
Try 'rm ./-..cpio' to remove the file '-..cpio'.
Try 'rm --help' for more information.
● sed: invalid option -- '.'
sed: invalid option -- '.'
Analysing files…
♻
Consolidating data…
Conducting tests:
— Error: fonts deployed outside /usr/share/fonts
⇒ None!
— Error: fonts in packages that do not declare font metadata
⇒ None!
— Error: packages that mix different font families
⇒ None!
— Error: exact font duplication
⇒ None!
— Error: font faces duplicated by different packages
⇒ None!
— Error: fonts fc-query can not parse
⇒ None!
— Error: fonts not identified as such by libmagic
⇒ None!
— Error: broken symlinks to font files
⇒ None!
— Error: rpmlint
⇒ None!
— Error: fonts in packages that contain non-font data
⇒ None!
— Error: fonts in arch packages
⇒ None!
— Warning: fonts in packages that do not respect font naming conventions
⇒ None!
— Warning: bad font naming
⇒ None!
— Warning: core fonts use
⇒ None!
— Warning: font linking
⇒ None!
— Warning: font faces duplicated within a package
⇒ None!
— Warning: fonts that do not pass fontlint sanity checks
⇒ None!
— Warning: fonts with localized metadata but no English variant
⇒ None!
— Suggestion: fonts with partial script coverage
⇒ None!
— Suggestion: fonts with partial unicode block coverage
⇒ None!
Audit results:
– packages that declare font metadata:
⇒ None!
☛ File size is computed as extracted, while rpm is a compressed format.
☛ Mid-term, files in legacy PCF or Type1 formats need to be converted or
removed.
– font files in other packages (we should not find any!)
⇒ None!
– errors, warnings and suggestions:
⇒ None!
Packing mail data…
Packing result data…
Audit complete!
Run time: 9 s.
Number of items processed:
⇒ None!
1. Extracted data:
/home/kvolny/rpmbuild/RPMS/noarch/repo-font-audit-testrepo-20151014T175728Z.tar.xz
2. Short summary:
/home/kvolny/rpmbuild/RPMS/noarch/repo-font-audit-testrepo-20151014T175728Z-short.tar.xz
3. Mail data:
/home/kvolny/rpmbuild/RPMS/noarch/repo-font-audit-testrepo-20151014T175728Z-mail.tar.xz
This report was generated by the repo-font-audit command from:
http://fedoraproject.org/wiki/fontpackages
Please post questions, suggestions, patches or bug reports to:
https://admin.fedoraproject.org/mailman/listinfo/fonts
(subscription required)
♻
Expected results:
(no such errors)
Additional info:
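The "invalid option -- '.'" lines in the report are what coreutils print when a shell variable that expands to a name beginning with '-' is passed as a bare first argument. The POSIX shell script below is an added example, not code from the bug report or from fontpackages: it reproduces that failure with the constructed name "-." and shows the "--" end-of-options guard that makes the same mkdir/touch/cat/rm calls work. The function names, the mktemp scratch directories and the sample names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from fontpackages.
# It reproduces the failure class behind the "invalid option -- '.'"
# lines: a variable that expands to a name starting with '-' (the
# constructed value "-." below) is handed to coreutils as its first
# argument and parsed as an option. The guarded form puts "--" before
# every operand so option parsing stops first.

# unguarded_misparses NAME: returns 0 when the bare call fails the way
# the report shows (NAME taken as an option), 1 when NAME was accepted
# as a path, 2 when the scratch directory could not be created.
unguarded_misparses() {
    scratch=$(mktemp -d) || return 2
    if (cd "$scratch" && mkdir "$1" 2>/dev/null); then rc=1; else rc=0; fi
    rm -rf -- "$scratch"
    return $rc
}

# guarded_roundtrip NAME: create, write, read and remove NAME with "--"
# before every operand; returns 0 only if every step succeeds.
guarded_roundtrip() {
    scratch=$(mktemp -d) || return 2
    if (
        cd "$scratch" || exit 1
        mkdir -- "$1" || exit 1
        touch -- "$1/f.cpio" || exit 1
        cat -- "$1/f.cpio" >/dev/null || exit 1
        rm -r -- "$1" || exit 1
        [ ! -e "$1" ]
    ); then rc=0; else rc=1; fi
    rm -rf -- "$scratch"
    return $rc
}

# Constructed sample names: the report's "-." and a harmless package name.
for name in "-." "comic-neue-fonts"; do
    if unguarded_misparses "$name"; then
        printf '%s\n' "$name: bare call misparsed as an option"
    else
        printf '%s\n' "$name: bare call accepted as a path"
    fi
    guarded_roundtrip "$name" && printf '%s\n' "$name: guarded calls ok"
done
```

Prefixing the operand with "./" instead of using "--" gives the same protection for commands that do not honour "--".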