Bug 5294

Summary: freetype2 several new security issues fixed in 2.4.9
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, dmorganec, fundawang, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: freetype2-2.4.4-5.4.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-04-09 00:55:24 CEST 
The announcement of freetype2 2.4.9 lists several security issues that were fixed, most of which have been assigned CVEs.  Cauldron has 2.4.9, so is not vulnerable.  Mageia 1 does not have patches for these vulnerabilities.

http://sourceforge.net/projects/freetype/files/freetype2/2.4.9/README/view

Debian has issued a security advisory for some of these CVEs on March 7:
http://www.debian.org/security/2012/dsa-2428
David Walser 2012-04-09 00:58:09 CEST

CC: (none) => fundawang

David Walser 2012-04-09 00:58:15 CEST

CC: (none) => dmorganec

Comment 1 David Walser 2012-04-09 16:17:35 CEST 
Here's an Ubuntu advisory for these issues from March 22:
http://www.ubuntu.com/usn/usn-1403-1/
Comment 2 David Walser 2012-04-12 16:49:27 CEST 
Mandriva has issued an advisory for these issues today (April 12):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:057
Comment 3 David Walser 2012-04-12 17:46:32 CEST 
Patched package uploaded.

Advisory:
========================

Updated freetype2 packages fix security vulnerabilities:

Multiple flaws were found in FreeType. Specially crafted files
could cause application crashes or potentially execute arbitrary
code (CVE-2012-1126, CVE-2012-1127, CVE-2012-1128, CVE-2012-1129,
CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1133,
CVE-2012-1134, CVE-2012-1135, CVE-2012-1136, CVE-2012-1137,
CVE-2012-1138, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141,
CVE-2012-1142, CVE-2012-1143, CVE-2012-1144).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1133
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1135
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1136
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1141
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1144
http://sourceforge.net/projects/freetype/files/freetype2/2.4.9/README/view
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:057
========================

Updated packages in core/updates_testing:
========================
libfreetype6-2.4.4-5.5.mga1
libfreetype6-devel-2.4.4-5.5.mga1
libfreetype6-static-devel-2.4.4-5.5.mga1
freetype2-demos-2.4.4-5.5.mga1

from freetype2-2.4.4-5.5.mga1.src.rpm

Assignee: bugsquad => qa-bugs

Comment 4 Dave Hodgins 2012-04-13 05:29:51 CEST 
Testing complete on i586 for the srpm
freetype2-2.4.4-5.5.mga1.src.rpm

As usual for freetype2, just testing that xpdf works.

CC: (none) => davidwhodgins

Comment 5 claire robinson 2012-04-13 18:28:22 CEST 
Tested OK x86_64

Validating

See comment 3 for SRPM & Advisory.

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 6 Thomas Backlund 2012-04-13 19:45:39 CEST 
Update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED