[Bug 450774] CVE-2008-1808 FreeType off-by-one flaws

bugzilla at redhat.com
Wed Jun 18 07:19:45 UTC 2008


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2008-1808 FreeType off-by-one flaws
Alias: CVE-2008-1808

https://bugzilla.redhat.com/show_bug.cgi?id=450774


Bug 450774 depends on bug 451212, which changed state.

Bug 451212 Summary: CVE-2008-1806 CVE-2008-1807 CVE-2008-1808 Multiple freetype vulnerabilities [Fedora 8]
https://bugzilla.redhat.com/show_bug.cgi?id=451212

           What    |Old Value                   |New Value
----------------------------------------------------------------------------
             Status|MODIFIED                    |CLOSED
         Resolution|                            |CURRENTRELEASE



------- Additional Comments From thoger at redhat.com  2008-06-18 03:19 EST -------
In reply to https://bugzilla.redhat.com/show_bug.cgi?id=450773#c12:

The only part of the upstream patch that should be related to the .ttf issue
covered by this CVE id is:

-    if ( last_point > CUR.zp2.n_points )
+    if ( BOUNDS ( last_point , CUR.zp2.n_points ) )

The maxTwilightPoints check does not seem directly related and was probably
added as an additional sanity check.

As .pfb is not supported by freetype1, we should ideally try to avoid
mentioning CVE-2008-1806 and CVE-2008-1807 in the freetype1 RPM changelog.

As for the bodhi update request, we do not need to submit updated freetype1
packages as a security update, as (binary) Fedora packages were not affected by
this problem.  But I'm ok with pushing it as a security update anyway, provided
that we clearly mention in the notes that only users rebuilding freetype1 with
bci were affected by the problem.  The update request should only refer to this
bug, not to the bugs for other CVEs.
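Review bot: the removed `last_point > CUR.zp2.n_points` test still accepts last_point == n_points, which indexes one past the last valid point (valid indices run 0..n_points-1), so the replacement only closes the off-by-one if BOUNDS rejects the equal case, i.e. compares with `>=` rather than `>`; confirm the macro's definition in the same patch rather than relying on its name, since an unsigned `>=` comparison there would also reject negative values that the old signed `>` test lets through.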

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
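The off-by-one discussed in the comment above, as an added illustration that is not FreeType's code or part of the bug report: a small point table of n_points entries, the old `last_point > n_points` test beside a BOUNDS-style test, and a reader that refuses to dereference an index the check lets through. The `BOUNDS` macro here is an assumption about the shape of FreeType's macro (unsigned `>=` comparison); the point table and indices are constructed sample data.

```c
/* Added example, not FreeType's code: contrasts the rejected `>` check
   with a BOUNDS-style `>=` check over a constructed 4-entry point table. */
#include <stdio.h>

typedef struct { int x, y; } Point;

/* Assumption: FreeType's BOUNDS(x, n) compares as unsigned with >=.
   Nonzero means x is NOT a valid index into an n-element table. */
#define BOUNDS(x, n)  ( (unsigned long)(x) >= (unsigned long)(n) )

/* The check removed by the patch: only last_point > n_points is refused,
   so last_point == n_points passes and names the slot one past the end.
   A negative value also passes, because signed -1 is not > n_points. */
int old_check_accepts(long last_point, unsigned n_points)
{
    if ( last_point > (long)n_points )
        return 0;
    return 1;
}

/* The check added by the patch: the equal case is rejected, and the
   unsigned cast turns a negative index into a huge value that is also
   rejected. */
int new_check_accepts(long last_point, unsigned n_points)
{
    if ( BOUNDS( last_point, n_points ) )
        return 0;
    return 1;
}

/* Count how many values in 0..n_points (inclusive) a check lets through.
   The old check admits n_points + 1 indices for an n_points-entry table. */
unsigned count_accepted(int (*check)(long, unsigned), unsigned n_points)
{
    unsigned accepted = 0;
    for (long i = 0; i <= (long)n_points; i++)
        if (check(i, n_points))
            accepted++;
    return accepted;
}

/* Reads pts[idx] only when the new check admits idx; returns 0 and
   leaves *out untouched otherwise, so no out-of-range slot is touched. */
int read_point(const Point *pts, unsigned n_points, long idx, Point *out)
{
    if (!new_check_accepts(idx, n_points))
        return 0;
    *out = pts[idx];
    return 1;
}

int main(void)
{
    /* Constructed sample table: 4 valid points, indices 0..3. */
    const Point pts[4] = { {0, 0}, {10, 0}, {10, 10}, {0, 10} };
    const unsigned n_points = 4;
    Point p = {0, 0};

    printf("old check admits %u of %u valid indices (+1 past the end)\n",
           count_accepted(old_check_accepts, n_points), n_points);
    printf("new check admits %u of %u valid indices\n",
           count_accepted(new_check_accepts, n_points), n_points);
    printf("read index 4: %s\n",
           read_point(pts, n_points, 4, &p) ? "allowed" : "refused");
    printf("read index 3: %s (%d,%d)\n",
           read_point(pts, n_points, 3, &p) ? "allowed" : "refused", p.x, p.y);
    return 0;
}
```

The table of four points has valid indices 0 through 3; the old test admits index 4 as well, which is exactly the one-past-the-end access the CVE describes, while the `>=` form admits only the four valid slots.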