Bug 1079459 - libfreetype6 2.7.1 CVE-2017-8105 CVE-2017-8287
Status: RESOLVED MOVED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: x86-64 openSUSE Factory
Importance: P5 - None : Normal
Target Milestone: unspecified
Assigned To: Fridrich Strba
QA Contact: Security Team bot
Reported: 2018-02-06 00:19 UTC by simon izor
Modified: 2018-02-06 07:10 UTC

Description simon izor 2018-02-06 00:19:28 UTC
The current version of libfreetype6 being used in Tumbleweed contains a couple of CVEs and is also pretty outdated.  Please update libfreetype6 to 2.9.  Sorry if this is not the proper place to report this, but I don't see any way to flag packages as outdated.

https://sourceforge.net/projects/freetype/files/freetype2/2.8/

CVE-2017-8105, CVE-2017-8287: Older FreeType versions have out-of-bounds writes caused by heap-based buffer overflows related to Type 1 fonts. 


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287
Comment 1 Andreas Stieger 2018-02-06 07:10:05 UTC
Already in bug 1036457, bug 1035807. Pinging maintainer there...