On Sat, Jul 07, 2007 at 07:23:38PM +0200, Moritz Muehlenhoff wrote:
> On May 30, 2007 at 10:59:15PM +0100, Steve Kemp wrote:
> > > I haven't
> > > yet looked into whether this bug affects the sarge version of the package,
> > > I'll do that next (unless somebody here already knows the answer).

> >   I was under the impression that it wasn't vulnerable, but I admit
> >  I've not yet checked.  If we've not heard back by the time I make
> >  the upload I'll take a look myself.

> What has been the result? DSA 1302 doesn't mention Sarge.

I've just checked, and the implementation of TT_Load_Simple_Glyph() in
freetype 2.1.7 has the same lack of bounds checking that 2.2 does.  I would
say a security update is warranted after all. :/

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/