Your message dated Sun, 23 Apr 2017 22:57:42 +0200
with message-id <20170423205742.f3j6bqbyusigmgrg@pisco.westfalen.local>
and subject line Re: Bug#860303: freetype: CVE-2016-10328: heap-buffer-overflow
in cff_parser_run()
has caused the Debian Bug report #860303,
regarding freetype: CVE-2016-10328: heap-buffer-overflow in cff_parser_run()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
860303: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860303
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: freetype
Version: 2.6.3-3.1
Severity: important
Tags: security patch upstream
Forwarded: https://savannah.nongnu.org/bugs/?func=detailitem&item_id=49858
Control: fixed -1 2.7.1-0.1
Hi,
the following vulnerability was published for freetype.
CVE-2016-10328[0]:
| FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a
| heap-based buffer overflow related to the cff_parser_run function in
| cff/cffparse.c.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-10328
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10328
[1] https://savannah.nongnu.org/bugs/?func=detailitem&item_id=49858
[2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=beecf80a6deecbaf5d264d4f864451bde4fe98b8
[3] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=289
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
On Sun, Apr 23, 2017 at 08:36:42PM +0200, Salvatore Bonaccorso wrote:
> Control: severity -1 serious
>
> Rationale for making this serious. Moritz prepared an update
> targeting jessie-security, versioned 2.5.2-3+deb8u2 and a DSA will be
> released. Not fixing this issue in stretch would OTOH then mean a
> regression when updating to stretch.
>
> I'm happy to prepare a corresponding NMU, will upload to a delayed
> queue and attach the debdiff here.
>
> Let me though know if I should cancel the upload, if you want to
> upload as maintainer.
Actually, further investigation showed that this only affected git head
for a day or so (also confirmed by upstream). I've updated the
security tracker with the necessary information.
Salvatore, please cancel your NMU, sorry for the confusion, I wasn't
able to get back to you earlier over the weekend.
Cheers,
Moritz
--- End Message ---