SCIENTIFIC-LINUX-ERRATA Archives

July 2010

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Security ERRATA Important: freetype for SL4 , SL5
From:
Connie Sieh <[log in to unmask]>
Reply To:
Connie Sieh <[log in to unmask]>
Date:
Sat, 31 Jul 2010 23:14:54 -0500
Content-Type:
TEXT/PLAIN
Parts/Attachments:
TEXT/PLAIN (86 lines) 
Synopsis:          Important: freetype security update
Issue date:        2010-07-30
CVE Names:         CVE-2010-2498 CVE-2010-2499 CVE-2010-2500
                    CVE-2010-2519 CVE-2010-2527 CVE-2010-2541


An invalid memory management flaw was found in the way the FreeType font
engine processed font files. If a user loaded a carefully-crafted font file
with an application linked against FreeType, it could cause the application
to crash or, possibly, execute arbitrary code with the privileges of the
user running the application. (CVE-2010-2498)

An integer overflow flaw was found in the way the FreeType font engine
processed font files. If a user loaded a carefully-crafted font file with
an application linked against FreeType, it could cause the application to
crash or, possibly, execute arbitrary code with the privileges of the user
running the application. (CVE-2010-2500)

Several buffer overflow flaws were found in the way the FreeType font
engine processed font files. If a user loaded a carefully-crafted font file
with an application linked against FreeType, it could cause the application
to crash or, possibly, execute arbitrary code with the privileges of the
user running the application. (CVE-2010-2499, CVE-2010-2519)

Several buffer overflow flaws were found in the FreeType demo applications.
If a user loaded a carefully-crafted font file with a demo application, it
could cause the application to crash or, possibly, execute arbitrary code
with the privileges of the user running the application. (CVE-2010-2527,
CVE-2010-2541)

Note: All of the issues in this erratum only affect the FreeType 2 font
engine.

Users are advised to upgrade to these updated packages, which contain
backported patches to correct these issues. The X server must be restarted
(log out, then log back in) for this update to take effect.

File List

SL4:

SRPM
freetype-2.1.9-14.el4.8.src.rpm

i386:
freetype-2.1.9-14.el4.8.i386.rpm
freetype-debuginfo-2.1.9-14.el4.8.i386.rpm
freetype-demos-2.1.9-14.el4.8.i386.rpm
freetype-devel-2.1.9-14.el4.8.i386.rpm
freetype-utils-2.1.9-14.el4.8.i386.rpm


x86_64:
freetype-2.1.9-14.el4.8.i386.rpm
freetype-2.1.9-14.el4.8.x86_64.rpm
freetype-debuginfo-2.1.9-14.el4.8.i386.rpm
freetype-debuginfo-2.1.9-14.el4.8.x86_64.rpm
freetype-demos-2.1.9-14.el4.8.x86_64.rpm
freetype-devel-2.1.9-14.el4.8.x86_64.rpm
freetype-utils-2.1.9-14.el4.8.x86_64.rpm


SL5

Source:
freetype-2.2.1-25.el5_5.src.rpm

i386:
freetype-2.2.1-25.el5_5.i386.rpm
freetype-debuginfo-2.2.1-25.el5_5.i386.rpm
freetype-demos-2.2.1-25.el5_5.i386.rpm
freetype-debuginfo-2.2.1-25.el5_5.i386.rpm
freetype-devel-2.2.1-25.el5_5.i386.rpm

x86_64:
freetype-2.2.1-25.el5_5.i386.rpm
freetype-2.2.1-25.el5_5.x86_64.rpm
freetype-debuginfo-2.2.1-25.el5_5.i386.rpm
freetype-debuginfo-2.2.1-25.el5_5.x86_64.rpm
freetype-demos-2.2.1-25.el5_5.x86_64.rpm
freetype-devel-2.2.1-25.el5_5.i386.rpm
freetype-devel-2.2.1-25.el5_5.x86_64.rpm

-connie sieh
-Troy Dawson

ATOM RSS1 RSS2