[Bug 1737785] New: CVE-2019-1010238 pango: heap based buffer
overflow can be used to get code execution
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1737785
Bug ID: 1737785
Summary: CVE-2019-1010238 pango: heap based buffer overflow can
be used to get code execution
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: mrehak(a)redhat.com
CC: caillon+fedoraproject(a)gmail.com,
eng-i18n-bugs(a)redhat.com,
fonts-bugs(a)lists.fedoraproject.org,
gnome-sig(a)lists.fedoraproject.org,
i18n-bugs(a)lists.fedoraproject.org,
john.j5live(a)gmail.com, mclasen(a)redhat.com,
pwu(a)redhat.com, rhughes(a)redhat.com,
rstrode(a)redhat.com, sandmann(a)redhat.com,
tagoh(a)redhat.com
Target Milestone: ---
Classification: Other
Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The
heap based buffer overflow can be used to get code execution. The component is:
function name: pango_log2vis_get_embedding_levels, assignment of nchars and the
loop condition. The attack vector is: Bug can be used when application pass
invalid utf-8 strings to functions like pango_itemize.
External References:
https://packetstormsecurity.com/files/153838/USN-4081-1.txt
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 12 months
[Bug 1806271] New: dropped stix-math-fonts subpackage causes broken
dependencies
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1806271
Bug ID: 1806271
Summary: dropped stix-math-fonts subpackage causes broken
dependencies
Product: Fedora
Version: rawhide
Status: NEW
Component: stix-fonts
Assignee: nicolas.mailhot(a)laposte.net
Reporter: decathorpe(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fonts-bugs(a)lists.fedoraproject.org,
nicolas.mailhot(a)laposte.net, paul(a)frixxon.co.uk
Target Milestone: ---
Classification: Fedora
With the transition to new forge-based fonts macros, the stix-math-tonts
subpackage was dropped, but some packages depend on that. They are now not
installable on fedora 32+ because that package is gone (only Obsoleted, not
Provided).
This affects at least sagemath and texlive-stix.
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years, 1 month
[Bug 1790042] New: CVE-2020-5395 fontforge: Use-after-free in
SFD_GetFontMetaData function in sfd.c [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1790042
Bug ID: 1790042
Summary: CVE-2020-5395 fontforge: Use-after-free in
SFD_GetFontMetaData function in sfd.c [fedora-all]
Product: Fedora
Version: 31
Status: NEW
Component: fontforge
Keywords: Security, SecurityTracking
Severity: low
Priority: low
Assignee: kevin(a)scrye.com
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fonts-bugs(a)lists.fedoraproject.org, kevin(a)scrye.com,
paul(a)frixxon.co.uk, pnemade(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years, 1 month
[Bug 1804509] New: fonttools-4.4.0 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1804509
Bug ID: 1804509
Summary: fonttools-4.4.0 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: fonttools
Keywords: FutureFeature, Triaged
Assignee: pnemade(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: fonts-bugs(a)lists.fedoraproject.org,
pnemade(a)redhat.com, sshedmak(a)redhat.com,
tagoh(a)redhat.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 4.4.0
Current version/release in rawhide: 4.3.0-1.fc32
URL: https://github.com/fonttools/fonttools/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/7388/
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years, 2 months
[Bug 1807696] New: config file precedence of 50 overrides local.conf
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1807696
Bug ID: 1807696
Summary: config file precedence of 50 overrides local.conf
Product: Fedora
Version: 32
Hardware: All
OS: Linux
Status: NEW
Component: bitstream-vera-fonts
Severity: medium
Assignee: nicolas.mailhot(a)laposte.net
Reporter: awilliam(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: caillon+fedoraproject(a)gmail.com, caolanm(a)redhat.com,
cz172638(a)gmail.com,
fonts-bugs(a)lists.fedoraproject.org,
gnome-sig(a)lists.fedoraproject.org,
john.j5live(a)gmail.com, mclasen(a)redhat.com,
nicolas.mailhot(a)laposte.net, pavel.lisy(a)gmail.com,
rhughes(a)redhat.com, rstrode(a)redhat.com,
sandmann(a)redhat.com
Target Milestone: ---
Classification: Fedora
The bitstream-vera-fonts packages were recently given fontconfig config
snippets with a precedence of 50. Trouble is, this seems to override
customizations in local.conf, because the snippet that loads local.conf has
precedence 51. So even though I had this in local.conf:
<alias>
<family>sans-serif</family>
<prefer>
<family>Cantarell</family>
<family>Droid Sans</family>
<family>Bitstream Vera Sans</family>
<family>DejaVu Sans</family>
<family>Verdana</family>
<family>Arial</family>
<family>Albany AMT</family>
<family>Luxi Sans</family>
<family>Nimbus Sans L</family>
<family>Helvetica</family>
<family>Lucida Sans Unicode</family>
<family>BPG Glaho International</family> <!--
lat,cyr,arab,geor -->
<family>Tahoma</family> <!--
lat,cyr,greek,heb,arab,thai -->
</prefer>
</alias>
I was getting this from fontconfig:
[root@adam conf.d]# fc-match "sans"
Vera.ttf: "Bitstream Vera Sans" "Regular"
because 50-bitstream-vera-sans-fonts.conf has this:
<alias>
<family>sans-serif</family>
<prefer>
<family>Bitstream Vera Sans</family>
</prefer>
</alias>
if I moved 50-bitstream-vera-sans-fonts.conf to
52-bitstream-vera-sans-fonts.conf , and ran fc-cache, fontconfig would give me
Cantarell.
I've now just replaced my local.conf with a 10- precedence config snippet, but
still this seems wrong, I think maybe that specific <family><prefer> bit should
be split out into a file with 60ish precedence?
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years, 2 months