[ubuntu/natty-security] freetype 2.4.4-1ubuntu2.3 (Accepted)

Tyler Hicks tyhicks at canonical.com
Fri Mar 23 03:33:27 UTC 2012


freetype (2.4.4-1ubuntu2.3) natty-security; urgency=low

  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1126.patch: Perform better input
      sanitization when parsing properties. Based on upstream patch.
    - CVE-2012-1126
  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1127.patch: Perform better input
      sanitization when parsing glyphs. Based on upstream patch.
    - CVE-2012-1127
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1128.patch: Improve loop logic to avoid
      NULL pointer dereference. Based on upstream patch.
    - CVE-2012-1128
  * SECURITY UPDATE: Denial of service via crafted Type42 font
    - debian/patches-freetype/CVE-2012-1129.patch: Perform better input
      sanitization when parsing SFNT strings. Based on upstream patch.
    - CVE-2012-1129
  * SECURITY UPDATE: Denial of service via crafted PCF font
    - debian/patches-freetype/CVE-2012-1130.patch: Allocate enough memory to
      properly NULL-terminate parsed properties strings. Based on upstream
      patch.
    - CVE-2012-1130
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1131.patch: Use appropriate data type to
      prevent integer truncation on 64 bit systems when rendering fonts. Based
      on upstream patch.
    - CVE-2012-1131
  * SECURITY UPDATE: Denial of service via crafted Type1 font
    - debian/patches-freetype/CVE-2012-1132.patch: Ensure strings are of
      appropriate length when loading Type1 fonts. Based on upstream patch.
    - CVE-2012-1132
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted BDF font
    - debian/patches-freetype/CVE-2012-1133.patch: Limit range of negative
      glyph encoding values to prevent invalid array indexes. Based on
      upstream patch.
    - CVE-2012-1133
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted Type1 font
    - debian/patches-freetype/CVE-2012-1134.patch: Enforce a minimum Type1
      private dictionary size to prevent writing past array bounds. Based on
      upstream patch.
    - CVE-2012-1134
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1135.patch: Perform proper bounds
      checks when interpreting TrueType bytecode. Based on upstream patch.
    - CVE-2012-1135
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted BDF font
    - debian/patches-freetype/CVE-2012-1136.patch: Ensure encoding field is
      defined when parsing glyphs. Based on upstream patch.
    - CVE-2012-1136
  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1137.patch: Allocate sufficient number
      of array elements to prevent reading past array bounds. Based on
      upstream patch.
    - CVE-2012-1137
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1138.patch: Correct typo resulting in
      invalid read from wrong memory location. Based on upstream patch.
    - CVE-2012-1138
  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1139.patch: Check array index values to
      prevent reading invalid memory. Based on upstream patch.
    - CVE-2012-1139
  * SECURITY UPDATE: Denial of service via crafted PostScript font
    - debian/patches-freetype/CVE-2012-1140.patch: Fix off-by-one error in
      boundary checks. Based on upstream patch.
    - CVE-2012-1140
  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1141.patch: Initialize field elements
      to prevent invalid read. Based on upstream patch.
    - CVE-2012-1141
  * SECURITY UPDATE: Denial of service via crafted Windows FNT/FON font
    - debian/patches-freetype/CVE-2012-1142.patch: Perform input sanitization
      on first and last character code fields. Based on upstream patch.
    - CVE-2012-1142
  * SECURITY UPDATE: Denial of service via crafted font
    - debian/patches-freetype/CVE-2012-1143.patch: Protect against divide by
      zero when dealing with 32 bit types. Based on upstream patch.
    - CVE-2012-1143
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted TrueType font
    - debian/patches-freetype/CVE-2012-1144.patch: Perform input sanitization
      on the first glyph outline point value. Based on upstream patch.
    - CVE-2012-1144

Date: Wed, 21 Mar 2012 19:57:51 -0500
Changed-By: Tyler Hicks <tyhicks at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/natty/+source/freetype/2.4.4-1ubuntu2.3
-------------- next part --------------
Format: 1.8
Date: Wed, 21 Mar 2012 19:57:51 -0500
Source: freetype
Binary: libfreetype6 libfreetype6-dev freetype2-demos libfreetype6-udeb
Architecture: source
Version: 2.4.4-1ubuntu2.3
Distribution: natty-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Tyler Hicks <tyhicks at canonical.com>
Description: 
 freetype2-demos - FreeType 2 demonstration programs
 libfreetype6 - FreeType 2 font engine, shared library files
 libfreetype6-dev - FreeType 2 font engine, development files
 libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Changes: 
 freetype (2.4.4-1ubuntu2.3) natty-security; urgency=low
 .
   * SECURITY UPDATE: Denial of service via crafted BDF font
     - debian/patches-freetype/CVE-2012-1126.patch: Perform better input
       sanitization when parsing properties. Based on upstream patch.
     - CVE-2012-1126
   * SECURITY UPDATE: Denial of service via crafted BDF font
     - debian/patches-freetype/CVE-2012-1127.patch: Perform better input
       sanitization when parsing glyphs. Based on upstream patch.
     - CVE-2012-1127
   * SECURITY UPDATE: Denial of service via crafted TrueType font
     - debian/patches-freetype/CVE-2012-1128.patch: Improve loop logic to avoid
       NULL pointer dereference. Based on upstream patch.
     - CVE-2012-1128
   * SECURITY UPDATE: Denial of service via crafted Type42 font
     - debian/patches-freetype/CVE-2012-1129.patch: Perform better input
       sanitization when parsing SFNT strings. Based on upstream patch.
     - CVE-2012-1129
   * SECURITY UPDATE: Denial of service via crafted PCF font
     - debian/patches-freetype/CVE-2012-1130.patch: Allocate enough memory to
       properly NULL-terminate parsed properties strings. Based on upstream
       patch.
     - CVE-2012-1130
   * SECURITY UPDATE: Denial of service via crafted TrueType font
     - debian/patches-freetype/CVE-2012-1131.patch: Use appropriate data type to
       prevent integer truncation on 64 bit systems when rendering fonts. Based
       on upstream patch.
     - CVE-2012-1131
   * SECURITY UPDATE: Denial of service via crafted Type1 font
     - debian/patches-freetype/CVE-2012-1132.patch: Ensure strings are of
       appropriate length when loading Type1 fonts. Based on upstream patch.
     - CVE-2012-1132
   * SECURITY UPDATE: Denial of service and arbitrary code execution via
     crafted BDF font
     - debian/patches-freetype/CVE-2012-1133.patch: Limit range of negative
       glyph encoding values to prevent invalid array indexes. Based on
       upstream patch.
     - CVE-2012-1133
   * SECURITY UPDATE: Denial of service and arbitrary code execution via
     crafted Type1 font
     - debian/patches-freetype/CVE-2012-1134.patch: Enforce a minimum Type1
       private dictionary size to prevent writing past array bounds. Based on
       upstream patch.
     - CVE-2012-1134
   * SECURITY UPDATE: Denial of service via crafted TrueType font
     - debian/patches-freetype/CVE-2012-1135.patch: Perform proper bounds
       checks when interpreting TrueType bytecode. Based on upstream patch.
     - CVE-2012-1135
   * SECURITY UPDATE: Denial of service and arbitrary code execution via
     crafted BDF font
     - debian/patches-freetype/CVE-2012-1136.patch: Ensure encoding field is
       defined when parsing glyphs. Based on upstream patch.
     - CVE-2012-1136
   * SECURITY UPDATE: Denial of service via crafted BDF font
     - debian/patches-freetype/CVE-2012-1137.patch: Allocate sufficient number
       of array elements to prevent reading past array bounds. Based on
       upstream patch.
     - CVE-2012-1137
   * SECURITY UPDATE: Denial of service via crafted TrueType font
     - debian/patches-freetype/CVE-2012-1138.patch: Correct typo resulting in
       invalid read from wrong memory location. Based on upstream patch.
     - CVE-2012-1138
   * SECURITY UPDATE: Denial of service via crafted BDF font
     - debian/patches-freetype/CVE-2012-1139.patch: Check array index values to
       prevent reading invalid memory. Based on upstream patch.
     - CVE-2012-1139
   * SECURITY UPDATE: Denial of service via crafted PostScript font
     - debian/patches-freetype/CVE-2012-1140.patch: Fix off-by-one error in
       boundary checks. Based on upstream patch.
     - CVE-2012-1140
   * SECURITY UPDATE: Denial of service via crafted BDF font
     - debian/patches-freetype/CVE-2012-1141.patch: Initialize field elements
       to prevent invalid read. Based on upstream patch.
     - CVE-2012-1141
   * SECURITY UPDATE: Denial of service via crafted Windows FNT/FON font
     - debian/patches-freetype/CVE-2012-1142.patch: Perform input sanitization
       on first and last character code fields. Based on upstream patch.
     - CVE-2012-1142
   * SECURITY UPDATE: Denial of service via crafted font
     - debian/patches-freetype/CVE-2012-1143.patch: Protect against divide by
       zero when dealing with 32 bit types. Based on upstream patch.
     - CVE-2012-1143
   * SECURITY UPDATE: Denial of service and arbitrary code execution via
     crafted TrueType font
     - debian/patches-freetype/CVE-2012-1144.patch: Perform input sanitization
       on the first glyph outline point value. Based on upstream patch.
     - CVE-2012-1144
Checksums-Sha1: 
 b1768309f805f2442193c36f79c36aa7e15e36c8 1986 freetype_2.4.4-1ubuntu2.3.dsc
 0dcf38ef6578f77e658f06da6e1900f933416b91 45413 freetype_2.4.4-1ubuntu2.3.diff.gz
Checksums-Sha256: 
 01657b8b7a88ccdd757b93f207665723f3be1ffce5dbb2bc35699b5db1e923e2 1986 freetype_2.4.4-1ubuntu2.3.dsc
 e89a31aea2cfc7c1b6cc32da60e0637591d0585d557986c4c26f5c7857f48ca2 45413 freetype_2.4.4-1ubuntu2.3.diff.gz
Files: 
 ff83977005bc52acca03c2151d0fd53b 1986 libs optional freetype_2.4.4-1ubuntu2.3.dsc
 9a897d47a3334691bed0c6d81b80ec1b 45413 libs optional freetype_2.4.4-1ubuntu2.3.diff.gz
Original-Maintainer: Steve Langasek <vorlon at debian.org>


More information about the Natty-changes mailing list