Opened 13 years ago

Closed 13 years ago

Last modified 10 years ago

#3183 closed task (fixed)

Freetype-2.4.4

Reported by: Randy McMurchy Owned by: ken@…
Priority: normal Milestone:
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by ken@…)

Version increment to 2.4.3

http://sourceforge.net/projects/freetype/

Note that the patent for the bytecode interpreter that includes glyph hinting expired in May 2010, so the sed to enable it is not required.

The sed for LCD optimization is still required if you wish to use it. Note that there are Microsoft patents covering the LCD optimization routines.

2.4.4 includes the vulnerability fixes.

Change History (11)

comment:1 by Randy McMurchy, 13 years ago

Description: modified (diff)

comment:2 by Randy McMurchy, 13 years ago

Builds fine against recent LFS SVN and Fontconfig had no complaints. I don't have Xorg installed yet to fully test.

comment:3 by Randy McMurchy, 13 years ago

Owner: changed from blfs-book@… to Randy McMurchy
Status: new → assigned

comment:4 by Randy McMurchy, 13 years ago

Milestone: future → 6.7

Updated milestone to 6.7

comment:5 by ken@…, 13 years ago

There are two freetype vulnerabilities which I had missed. One is supposedly CVE-2010-3855, the other doesn't yet have a CVE.

For CVE-2010-3855 - summary details at e.g. http://security-tracker.debian.org/tracker/CVE-2010-3855 (or lwn.net if you are subscribed there) see http://git.savannah.gnu.org/cgit/freetype/freetype2.git/patch/id=59eb9f8cfe7d1df379a2318316d1f04f80fba54a -

+	Fix Savannah bug #31310.
+
+	* src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against
+	invalid `runcnt' values.
+
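Review bot: the ChangeLog text for ft_var_readpackedpoints says only "Protect against invalid `runcnt' values" and does not state which limit `runcnt' is checked against or what the function does when the check fails. Adding that to the entry would let anyone backporting the change confirm they carried the complete check.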

That one seems to go way back, and distros have backported it.

For the second (probably 2.4.3 only) see http://git.savannah.gnu.org/cgit/freetype/freetype2.git/patch/?id=ac09390afcfaf2c63b75ffee5c0759e29359f9ac -

+2010-11-04  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	[UVS] Fix find_variant_selector_charmap(), Savannah bug #31545.
+
+	Since 2010-07-04, find_variant_selector_charmap() returns
+	the first cmap subtable always under rogue-compatible
+	configuration, it causes NULL pointer dereference and
+	make UVS-related functions crashed.
+
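Review bot: the entry explains the regression (find_variant_selector_charmap() always returning the first cmap subtable, leading to a NULL pointer dereference) but not the behaviour after the fix; it should say what the function returns when no variant-selector cmap is present. The wording "rogue-compatible configuration" and "make UVS-related functions crashed" also needs tidying so the cause reads unambiguously.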

comment:6 by ken@…, 13 years ago

Patch freetype-2.4.3-security_fixes-1.patch committed. Works for me, both in general use, and as 'system freetype' for ghostscript-9.00.

comment:7 by ken@…, 13 years ago

Description: modified (diff)
Summary: Freetype-2.4.3 → Freetype-2.4.4

Randy, sorry to spring this on you, but I need an updated freetype in the book (either patched 2.4.3, or 2.4.4) so that I can put ghostscript-9.00 in. Unless you have objections, I'll take this ticket.

comment:8 by ken@…, 13 years ago

Owner: changed from Randy McMurchy to ken@…
Status: assigned → new

comment:9 by ken@…, 13 years ago

Status: new → assigned

comment:10 by ken@…, 13 years ago

Resolution: fixed
Status: assigned → closed

comment:11 by bdubbs@…, 10 years ago

Milestone: 6.7

Milestone 6.7 deleted
