| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 05 Apr 2013 15:38:00 +0200 From: security@...driva.com To: full-disclosure@...ts.grok.org.uk Subject: [ MDVSA-2013:039 ] freetype2 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2013:039 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : freetype2 Date : April 5, 2013 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated freetype2 packages fixes security vulnerabilities: A null pointer de-reference flaw was found in the way Freetype font rendering engine handled Glyph bitmap distribution format (BDF) fonts. A remote attacker could provide a specially-crafted BDF font file, which once processed in an application linked against FreeType would lead to that application crash (CVE-2012-5668). An out-of heap-based buffer read flaw was found in the way FreeType font rendering engine performed parsing of glyph information and relevant bitmaps for glyph bitmap distribution format (BDF). A remote attacker could provide a specially-crafted BDF font file, which once opened in an application linked against FreeType would lead to that application crash (CVE-2012-5669). An out-of heap-based buffer write flaw was found in the way FreeType font rendering engine performed parsing of glyph information and relevant bitmaps for glyph bitmap distribution format (BDF). A remote attacker could provide a specially-crafted font file, which once opened in an application linked against FreeType would lead to that application crash, or, potentially, arbitrary code execution with the privileges of the user running the application (CVE-2012-5670). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5668 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5669 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5670 https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0369 _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 653f48b259460703e658611db8e328cc mbs1/x86_64/freetype2-demos-2.4.9-2.1.mbs1.x86_64.rpm 3666cbc822d52b1f15e52472b7a772f5 mbs1/x86_64/lib64freetype6-2.4.9-2.1.mbs1.x86_64.rpm d289482a04b80742b1e54c1f60635a3e mbs1/x86_64/lib64freetype6-devel-2.4.9-2.1.mbs1.x86_64.rpm 9780e211766b665158a3ccbffa7b9913 mbs1/x86_64/lib64freetype6-static-devel-2.4.9-2.1.mbs1.x86_64.rpm d2953d7bc757ae70dbdf6b1ee25bb783 mbs1/SRPMS/freetype2-2.4.9-2.1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFRXqmqmqjQ0CJFipgRAiIHAJsHLm35MfYMY58e4GVdyvgx559EiACgnpO/ YP8RnRSRCZG+PLfARNZB25s= =1hoR -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists