*** This bug is a security vulnerability ***

Public security bug reported:
https://security-tracker.debian.org/tracker/CVE-2018-10733

This issue is fixed in Ubuntu 18.10 and needs to be fixed in at least
Ubuntu 18.04 LTS.

https://launchpad.net/ubuntu/+source/libgxps/0.3.0-3
https://salsa.debian.org/gnome-team/libgxps/commits/debian/master

I believe you'll want these commits:

  * Cherry-pick gxps-archive-Ensure-gxps_archive_read_entry-fills-the-GEr.patch
    & gxps-archive-Handle-errors-returned-by-archive_read_data.patch:
    - Fix heap buffer overflow in ft_font_face_hash of gxps-fonts.c
      CVE-2018-10733 (Closes: #897954)
  * Cherry-pick gxps-images-fix-integer-overflow-in-png-decoder.patch:
    - Fix an integer overflow
    This is a bug fix that might not be needed for the security update.
  * Cherry-pick gxps-images-clear-the-error-before-trying-to-load-an-imag.patch:
    - Clear an error so that fallback image loading works

Note that there is another reported security issue that appears unfixed:
https://security-tracker.debian.org/tracker/CVE-2018-10767

It looks like the Debian and Ubuntu security teams have determined that
these two CVEs are low priority.

** Affects: libgxps (Ubuntu)
     Importance: Undecided
         Status: New

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10733

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1797785

Title:
  heap buffer overflow in ft_font_face_hash of gxps-fonts.c CVE-2018-10733

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libgxps/+bug/1797785/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs