[Bug 963283] Re: [Precise] FreeType is vulnerable to CVE-2012-1126 through CVE-2012-1144

Tyler Hicks tyhicks at canonical.com
Fri Mar 23 17:18:03 UTC 2012


I've tested this debdiff using the QA Regression Testing framework and
the reproducers attached to the upstream bugs.

** Patch added: "freetype_2.4.8-1ubuntu1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/freetype/+bug/963283/+attachment/2923617/+files/freetype_2.4.8-1ubuntu1.debdiff

** Description changed:

  Precise, along with Debian unstable and testing, currently uses freetype
  version 2.4.8-1. Upstream FreeType recently released version 2.4.9,
  which addressed many security issues:
  
  http://sourceforge.net/projects/freetype/files/freetype2/2.4.9/README/view
  
  There have also been a few upstream commits, since the 2.4.9 release,
  that made improvements and/or corrections to the changes in 2.4.9.
  
  I've addressed these issues in our stable releases, but Precise is still
  in need of an update. I will attach a debdiff of the fixes backported to
  2.4.8-1.
+ 
+ The Ubuntu CVE Tracker has links to the related bugs and patches:
+ 
+ http://people.canonical.com/~ubuntu-security/cve/pkg/freetype.html

** Changed in: freetype (Ubuntu)
       Status: Triaged => Confirmed

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to freetype in Ubuntu.
https://bugs.launchpad.net/bugs/963283

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freetype/+bug/963283/+subscriptions
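The check a Precise administrator wants after an update like this is "is my installed libfreetype6 at or above the fixed version?", and the caveat is that the fix ships as a backport to 2.4.8-1, not as upstream 2.4.9. The following is an added example, not code from this bug, from FreeType or from Ubuntu: a Python port of dpkg's version-comparison rules (epoch, then upstream version, then Debian revision, with `~` sorting below everything). It assumes the fixed Precise version is 2.4.8-1ubuntu1, read off the debdiff filename in the comment above, and the host inventory and the later revision 2.4.8-1ubuntu1.1 in it are constructed sample data. It also shows why a scanner that compares only the upstream part against 2.4.9 would misclassify the backported build.

```python
# Added example, not code from the Launchpad bug, FreeType or Ubuntu: a Python
# port of dpkg's version-comparison algorithm, used to decide whether an
# installed libfreetype6 carries the backported fix. Assumptions: the fixed
# Precise version (2.4.8-1ubuntu1) is read off the debdiff filename in the bug,
# and the host inventory below is constructed sample data.

FIXED_VERSION = "2.4.8-1ubuntu1"  # assumed from freetype_2.4.8-1ubuntu1.debdiff
UPSTREAM_FIX = "2.4.9"            # upstream release that fixed the CVEs
DIGITS = "0123456789"
LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

def _order(c):
    """Character weight as in dpkg's order(): '~' < end-of-string (0) <
    letters < other punctuation; digit runs are handled separately."""
    if c == "" or c in DIGITS:
        return 0
    if c in LETTERS:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit runs (compared via _order) with
    digit runs compared numerically, ignoring leading zeros."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i] in DIGITS:
            return 1   # a's number has more significant digits, so it is larger
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(version):
    """Split [epoch:]upstream[-revision]; epoch defaults to 0 and a missing
    revision to '' (which compares equal to '0', as in dpkg)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision

def compare_versions(a, b):
    """-1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0

def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed Debian version is at or above the fixed one."""
    return compare_versions(installed, fixed) >= 0

def naive_upstream_only(installed, upstream_fix=UPSTREAM_FIX):
    """The check a scanner gets wrong: comparing only the upstream part
    against 2.4.9 marks every backported Ubuntu build as vulnerable."""
    return _verrevcmp(parse_version(installed)[1], upstream_fix) >= 0

# Constructed inventory (host -> installed libfreetype6 version), not real data.
SAMPLE_INSTALLED = {
    "precise-unpatched": "2.4.8-1",        # stock 2.4.8-1 package: vulnerable
    "precise-patched": "2.4.8-1ubuntu1",   # carries the backport: fixed
    "precise-later": "2.4.8-1ubuntu1.1",   # hypothetical later revision: fixed
    "sid-upstream": "2.4.9-1",             # new upstream release: fixed
}

def audit(inventory, fixed=FIXED_VERSION):
    """Map each host to 'fixed' or 'vulnerable' using Debian version rules."""
    return {h: "fixed" if is_fixed(v, fixed) else "vulnerable" for h, v in inventory.items()}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INSTALLED).items():
        print(f"{host:18} {SAMPLE_INSTALLED[host]:16} {status}")
    print("upstream-only check on precise-patched:", naive_upstream_only("2.4.8-1ubuntu1"))
```

On a real Precise host the same comparison is one line of shell, `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libfreetype6)" ge 2.4.8-1ubuntu1`; the Python port exists so the rule can be applied to a fleet inventory offline, and so the `~` and digit-run cases are visible rather than hidden inside dpkg.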
