On mar., 2012-01-17 at 17:38 -0600, Jamie Strandboge wrote: > Package: t1lib > Version: 5.1.2-3.4 > Severity: grave > Tags: patch security > Justification: user security hole > User: ubuntu-de...@lists.ubuntu.com > Usertags: origin-ubuntu precise ubuntu-patch > > Dear Maintainer, > > In Ubuntu, the attached patch was applied to achieve the following: > > * SECURITY UPDATE: fix denial of service via oversized fonts > - debian/patches/CVE-2011-1552_1553_1554.patch: add additional tests to > address remaining crashes > - CVE-2011-1552 > - CVE-2011-1553 > - CVE-2011-1554 > * SECURITY UPDATE: fix heap-based buffer overflow via AFM font parser > - update debian/patches/series to apply CVE-2010-2642.patch which was > mistakenly not updated in 5.1.2-3.4 > - CVE-2010-2642 > - CVE-2011-0433 > > > Debian took the Ubuntu patch for CVE-2011-0764 (which is great). RedHat > later fixed the remaining open CVEs with a patch landing in Fedora's > http://koji.fedoraproject.org/koji/buildinfo?buildID=282529. I then > verified all the patches in Debian against Fedora's patchset and came up > with this patch against 5.1.2-3.4. While Debian included an equivalent > patch for CVE-2010-2642 (which also fixes CVE-2011-0433), it was not > added to the debian/patches/series file, so it wasn't applied during the > build. The attached debdiff should bring unstable up to date on these > issues. >
Damn, you're perfectly right, my fault.
I'm still a bit puzzled by the 155{2,3,4} patch. It seemed like the
patch for 0764 was fixing them too, but in the end it's not the case?
Regards,
--
Yves-Alexis
signature.asc
Description: This is a digitally signed message part
