Your message dated Sun, 28 May 2017 10:33:54 +0000
with message-id <e1devwe-0003hi...@fasolo.debian.org>
and subject line Bug#861220: fixed in freetype 2.8-0.1
has caused the Debian Bug report #861220,
regarding freetype: CVE-2017-8105
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
861220: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: freetype
Version: 2.5.2-3
Severity: important
Tags: upstream patch security
Hi,
the following vulnerability was published for freetype.
CVE-2017-8105[0]:
| FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a
| heap-based buffer overflow related to the t1_decoder_parse_charstrings
| function in psaux/t1decode.c.
It is fixed by the upstream commit [1].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-8105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105
[1] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: freetype
Source-Version: 2.8-0.1
We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 861...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laurent Bigonville <bi...@debian.org> (supplier of updated freetype package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 26 May 2017 17:39:07 +0200
Source: freetype
Binary: libfreetype6 libfreetype6-dev freetype2-demos libfreetype6-udeb
Architecture: source amd64
Version: 2.8-0.1
Distribution: experimental
Urgency: medium
Maintainer: Steve Langasek <vor...@debian.org>
Changed-By: Laurent Bigonville <bi...@debian.org>
Description:
freetype2-demos - FreeType 2 demonstration programs
libfreetype6 - FreeType 2 font engine, shared library files
libfreetype6-dev - FreeType 2 font engine, development files
libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Closes: 860307 860313 861220 861308
Changes:
 freetype (2.8-0.1) experimental; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release
     - Better protect `flex' handling (CVE-2017-8105) (Closes: #861220)
     - t1_builder_close_contour: Add safety guard (CVE-2017-8287)
       (Closes: #861308)
     - tt_size_reset: Do nothing for CFF2 (CVE-2017-7864) (Closes: #860313)
     - Improve handling for buggy variation fonts (CVE-2017-7857 CVE-2017-7858)
       (Closes: #860307)
Package-Type: udeb
--- End Message ---