CrOS: Vulnerability reported in media-libs/freetype
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: media-libs/freetype
Package Version: [cpe:/a:freetype:freetype:2.7 cpe:/a:freetype:freetype:2.7.1]
Advisory: CVE-2016-10244
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2016-10244
CVSS severity score: 6.8/10.0
Confidence: high
Description: The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file.
Mar 13 2017
We did roll to 2.7+, but jshin@ is investigating why this roll is not making it to CHROMEOS_LKGM in issue 699525.
Mar 13 2017
But also, we don't support Type1 fonts, so we should not reach the code in question.
Jun 19 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Mar 13 2017
Status: WontFix (was: Untriaged)