Bug 502565
| Summary: | CVE-2006-1861 CVE-2007-2754 Multiple freetype1 vulnerabilities [Fedora rawhide] | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tomas Hoger <thoger> | ||||||
| Component: | freetype1 | Assignee: | Adam Jackson <ajax> | ||||||
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | rawhide | CC: | ajax, apodtele, fonts-bugs | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| URL: | http://fedoraproject.org/wiki/Security/TrackingBugs | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | 1.4-0.8.pre.fc11 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2009-05-28 08:01:08 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 240200, 484437 | ||||||||
| Attachments: |
|
||||||||
|
Description
Tomas Hoger
2009-05-26 08:05:25 UTC
These old issues were previously fixed in FT2, but parts apply to FT1 as well. The fixes were included in RHEL freetype packages update (which contain both FT1 and FT2 on RHEL-2.1 - RHEL-4): http://rhn.redhat.com/errata/RHSA-2009-0329.html All current Fedora branches should contain same FT1 version with identical patches, so this should apply to all. Created attachment 345396 [details] FT1 CVE-2006-1861 patch as used in RHSA Created attachment 345397 [details] FT1 CVE-2007-2754 patch as used in RHSA freetype1-1.4-0.8.pre.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/freetype1-1.4-0.8.pre.fc10 freetype1-1.4-0.8.pre.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/freetype1-1.4-0.8.pre.fc11 Would you please fix a typo ("obsolote") in the package description and make it more obvious that it is an old-old library by moving the second paragraph upfront?
I am curious which package still uses it and why we cannot drop this old library.
Nobody should use it any longer.
(In reply to comment #6) > I am curious which package still uses it and why we cannot drop this old > library. $ repoquery -q --whatrequires 'libttf.so.2()(64bit)' freetype1-0:1.4-0.6.pre.fc10.x86_64 freetype1-utils-0:1.4-0.6.pre.fc10.x86_64 MagicPoint-0:1.11b-7.fc10.x86_64 freetype1-devel-0:1.4-0.6.pre.fc10.x86_64 Looks like only MagicPoint now. Ah, looks like Ajax already did few steps to get rid of that last dependency either: http://cvs.fedoraproject.org/viewvc/rpms/MagicPoint/devel/MagicPoint.spec#rev1.11 freetype1 is a dead package in F12. We could remove it in F11 without too much hassle but I didn't think it was worth it given how close to release we are. freetype1-1.4-0.8.pre.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. freetype1-1.4-0.8.pre.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. |