|
Apache OpenOffice (AOO) Bugzilla – Full Text Issue Listing |
| Summary: | freetype security bug (CVE-2007-2754) | ||
|---|---|---|---|
| Product: | utilities | Reporter: | rene |
| Component: | code | Assignee: | eric.savary |
| Status: | CLOSED FIXED | QA Contact: | Unknown <non-migrated> |
| Severity: | Trivial | ||
| Priority: | P1 (highest) | CC: | bjoern.milcke, issues, nesshof, pavel |
| Version: | OOo 2.2.1 RC2 | Keywords: | security |
| Target Milestone: | OOo 2.2.1 | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2754 | ||
| Issue Type: | DEFECT | Latest Confirmation in: | --- |
| Developer Difficulty: | --- | ||
target 2.2.1 set keyword Hmm. I don't see ttg*.* compiled... fixed anyway (cws freetypettg) ah. no. we *are* affected. freetype does nasty things like this: $ grep ttgl * Jamfile: _sources = ttdriver ttobjs ttpload ttgload ttinterp ttgxvar ; rules.mk: $(TT_DIR)/ttgload.c \ truetype.c:#include "ttgload.c" /* glyph loader */ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ [...] note the .c . reassign for verification VERIFIED in CWS freetypettg. verified in 2.2.1 -< closed |
bm saw it initially and mentioned it in #dev.openoffice.org already (but adfais didn't file an issue) and I just saw this upload to Debian unstable. freetype (2.2.1-6) unstable; urgency=high . * High-urgency upload for security fix. * Remove spurious patch file from the package diff, sigh. * Add debian/patches-freetype/CVE-2007-2754_ttgfload to address CVE-2007-2754, a bug allowing execution of arbitrary code via a crafted TTF image by way of an integer overflow. Closes: #425625. see http://bugs.debian.org/425625 which also contains the url to the patch: http://cvs.savannah.nongnu.org/viewvc/freetype2/src/truetype/ttgload.c?root=freetype&r1=1.177&r2=1.178. We have 2.2.1 in our tree... I guess we should fix that for OOo 2.2.1...