On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> Hi,
>
> On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > CVE-2018-7999[0]:
> > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > | vulnerability was found in Segment.cpp during a dumbRendering
> > | operation, which may allow attackers to cause a denial of service or
> > | possibly have unspecified other impact via a crafted .ttf file.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > [1] https://github.com/silnrsi/graphite/issues/22
>
> upstream fix backported. Uploaded to sid.
>
> Merged this for jessie and stretch, too. See attached debdiffs. Want me
> to upload for a DSA?

This doesn't warrant a DSA, we can either postpone until the next more
severe graphite vulnerability or fix it via a point update.

Cheers,
        Moritz