[SECURITY] [DSA 2388-1] t1lib security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2388-1 security@xxxxxxxxxx
http://www.debian.org/security/ Yves-Alexis Perez
January 14, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : t1lib
Vulnerability : several
Problem type : local
Debian-specific: no
CVE ID : CVE-2010-2642 CVE-2011-0433 CVE-2011-0764 CVE-2011-1552
CVE-2011-1553 CVE-2011-1554
Debian Bug : 652996

Several vulnerabilities were discovered in t1lib, a PostScript Type 1
font rasterizer library, some of which might lead to arbitrary code
execution when an application that uses the library opens a file
embedding a crafted font.

CVE-2010-2642
A heap-based buffer overflow in the AFM font metrics parser
potentially leads to the execution of arbitrary code.

CVE-2011-0433
Another heap-based buffer overflow in the AFM font metrics
parser potentially leads to the execution of arbitrary code.

CVE-2011-0764
An invalid pointer dereference allows execution of arbitrary
code using crafted Type 1 fonts.

CVE-2011-1552
Another invalid pointer dereference results in an application
crash, triggered by crafted Type 1 fonts.

CVE-2011-1553
A use-after-free vulnerability results in an application
crash, triggered by crafted Type 1 fonts.

CVE-2011-1554
An off-by-one error results in an invalid memory read and
application crash, triggered by crafted Type 1 fonts.

For the oldstable distribution (lenny), these problems have been fixed in
version 5.1.2-3+lenny1.

For the stable distribution (squeeze), these problems have been fixed in
version 5.1.2-3+squeeze1.

For the testing distribution (wheezy), these problems have been fixed in
version 5.1.2-3.3.

For the unstable distribution (sid), these problems have been fixed in
version 5.1.2-3.3.

We recommend that you upgrade your t1lib packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJPEqtaAAoJEL97/wQC1SS++s4H/1V+Q5spiTcrjuLqFrwyljqz
YtEtm2jVuZKNJwXmntLA3hpyO6cAbw7yZVfimcJagGb7Vc8PkeCR4L+U7Hl7FGk2
4QELdzlMYeM7bJdchBmrmrv0Jd7jhqAek4MMO2gMJyaNxDwnjvWpjWtf1wYzPlJ5
3kopGxF0nKf47IsFd6fFwu5mkCl+RwhG5b0JVuyPYqxr2ir64iS3rcMIxCS3yBOc
IgYhNwNW+WQaJP5MwXelLnzkKJJGmugk9SrLaazVlIRGOXu34RZfziByxbQQQCF6
jGKm2L9ZcWfkDBHsoldEyP1J3WQLNUEqyxzLEib78D/28jEiuAu0GWNCkE+sO78=
=uEYD
-----END PGP SIGNATURE-----


