[Bug 450774] CVE-2008-1808 FreeType off-by-one flaws
bugzilla at redhat.com
Wed Jun 18 08:11:16 UTC 2008
Summary: CVE-2008-1808 FreeType off-by-one flaws
Alias: CVE-2008-1808
https://bugzilla.redhat.com/show_bug.cgi?id=450774
------- Additional Comments From j.w.r.degoede at hhs.nl 2008-06-18 04:11 EST -------
(In reply to comment #13)
> In reply to https://bugzilla.redhat.com/show_bug.cgi?id=450773#c12 :
>
> maxTwilightPoints check does not seem directly related and was probably added as
> an additional sanity check.
>
> As the .pfb is not supported by freetype1 we should ideally try to avoid
> mentioning CVE-2008-1806 and CVE-2008-1807 in the freetype1 RPM changelog.
>
It's a little too late for that, as a freetype1 with those in the ChangeLog is
already in rawhide. I did add "(where applicable)" to the changelog to indicate
not all of the mentioned issues were relevant for freetype1.
> As for the bodhi update request, we do not need to submit updated freetype1 packages
> as a security update, as (binary) Fedora packages were not affected by this
> problem.
Ok.
> But I'm ok with pushing it as a security update anyway, provided that we
> clearly mention in the notes that only users rebuilding freetype1 with bci were
> affected by the problem. The update request should only refer to this bug, not to
> the bugs for other CVEs.
I don't believe anyone is offering rebuilt freetype1 packages with BCI enabled,
so I considered this issue closed then. If you want I can still do an update,
esp. since the new freetype1 is already built in bodhi for F-8 and F-9.