libxfont (1:1.4.99.901-1ubuntu0.1) utopic-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via invalid property count
    - debian/patches/CVE-2015-1802.patch: check for integer overflow in
      src/bitmap/bdfread.c.
    - CVE-2015-1802
  * SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
    - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
      in src/bitmap/bdfread.c.
    - CVE-2015-1803
  * SECURITY UPDATE: arbitrary code execution via invalid metrics
    - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
      src/bitmap/bdfread.c.
    - CVE-2015-1804

 -- Marc Deslauriers <email address hidden>  Wed, 18 Mar 2015 07:30:31 -0400

libxfont (1:1.4.99.901-1) unstable; urgency=medium

  * New upstream release candidate.
    + includes the CVE-2014-{0209,0210,0211} patches
  * Remove Cyril from Uploaders.
  * Allow uscan to verify tarball signature.

 -- Julien Cristau <email address hidden>  Sat, 12 Jul 2014 17:44:11 +0200

libxfont (1:1.4.7-2) unstable; urgency=high

  * Pull from upstream git to fix FTBFS with new fontsproto (closes: #746052)
  * CVE-2014-0209: integer overflow of allocations in font metadata
  * CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
  * CVE-2014-0211: integer overflows calculating memory needs for xfs replies
  * Add breaks on xfs because we broke it by disabling font protocol support
    in 1.4.7.

 -- Julien Cristau <email address hidden>  Tue, 13 May 2014 17:25:49 +0200

libxfont (1:1.4.7-1) unstable; urgency=high

  * New upstream release
    + CVE-2013-6462: unlimited sscanf overflows stack buffer in
      bdfReadCharacters()
  * Don't put dbg symbols from the udeb in the dbg package.
  * dev package is no longer Multi-Arch: same (closes: #720026).
  * Disable support for connecting to a font server. That code is horrible and
    full of holes.

 -- Julien Cristau <email address hidden>  Tue, 07 Jan 2014 17:51:29 +0100
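The three kinds of BDF-parser hardening this changelog records (an integer-overflow check before an allocation, a width-bounded sscanf into a stack buffer instead of an unlimited one, and metrics range-checked before they are stored in a struct) as an added C illustration. This is not libxfont's code and not the content of any patch named above; every function, struct, buffer size and BDF line format in it is a hypothetical stand-in chosen only to show the defensive pattern.

```c
/* Added illustration, not libxfont code. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <limits.h>

/* Pattern 1: an allocation whose size is count * elem_size must refuse
 * counts that would wrap size_t; otherwise a small buffer is returned and
 * later writes run past it. Returns NULL on overflow or zero sizes. */
void *alloc_array_checked(size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0)
        return NULL;
    if (count > SIZE_MAX / elem_size)   /* multiplication would overflow */
        return NULL;
    return malloc(count * elem_size);
}

/* Pattern 2: parse a "STARTCHAR <name>" style line into a fixed-size
 * buffer. The width in the %s conversion (63) must match NAME_MAX_LEN;
 * a bare "%s" would copy an unbounded token onto the stack. %n records
 * how much of the line was consumed so an over-long name is rejected
 * instead of silently truncated. Returns 0 on success, -1 on failure. */
#define NAME_MAX_LEN 63
int parse_charname_bounded(const char *line, char *out, size_t out_len)
{
    char buf[NAME_MAX_LEN + 1];
    int consumed = 0;

    if (out_len < sizeof(buf))
        return -1;
    if (sscanf(line, "STARTCHAR %63s%n", buf, &consumed) != 1)
        return -1;
    /* Anything other than end-of-line right after the token means the
     * name was longer than the buffer allows. */
    if (line[consumed] != '\0' && line[consumed] != '\n' &&
        line[consumed] != ' ' && line[consumed] != '\t')
        return -1;
    memcpy(out, buf, strlen(buf) + 1);
    return 0;
}

/* Pattern 3: metrics parsed from the file are wider than the fields that
 * will hold them, so each value is checked against the field's range
 * before the narrowing store. Hypothetical 16-bit metrics struct. */
typedef struct {
    int16_t width, height, xoff, yoff;
} glyph_metrics_t;

static int fits_int16(long v)
{
    return v >= INT16_MIN && v <= INT16_MAX;
}

/* Parses "BBX w h xoff yoff". Returns 0 on success, -1 if the line is
 * malformed or any value would not fit the struct. */
int parse_bbx_checked(const char *line, glyph_metrics_t *m)
{
    long w, h, x, y;

    if (sscanf(line, "BBX %ld %ld %ld %ld", &w, &h, &x, &y) != 4)
        return -1;
    if (w < 0 || h < 0)                 /* negative dimensions are invalid */
        return -1;
    if (!fits_int16(w) || !fits_int16(h) || !fits_int16(x) || !fits_int16(y))
        return -1;
    m->width  = (int16_t)w;
    m->height = (int16_t)h;
    m->xoff   = (int16_t)x;
    m->yoff   = (int16_t)y;
    return 0;
}

int main(void)
{
    char name[NAME_MAX_LEN + 1];
    glyph_metrics_t m;

    /* Constructed sample lines, not taken from any real font file. */
    printf("name ok:   %d\n", parse_charname_bounded("STARTCHAR A", name, sizeof name));
    printf("bbx ok:    %d\n", parse_bbx_checked("BBX 8 16 0 -2", &m));
    printf("bbx bad:   %d\n", parse_bbx_checked("BBX 70000 16 0 0", &m));
    printf("alloc bad: %p\n", alloc_array_checked(SIZE_MAX / 2 + 1, 2));
    return 0;
}
```

Each function returns a failure code instead of continuing with partial or clamped data, which is the "bail out" behaviour the entries above describe; a caller that ignores those return values gets none of the protection.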