Apache OpenOffice (AOO) Bugzilla – Issue 77734
freetype security bug (CVE-2007-2754)
Last modified: 2007-06-26 14:25:57 UTC
bm saw it initially and mentioned it in #dev.openoffice.org already (but adfais didn't file an issue) and I just saw this upload to Debian unstable.

freetype (2.2.1-6) unstable; urgency=high
 .
   * High-urgency upload for security fix.
   * Remove spurious patch file from the package diff, sigh.
   * Add debian/patches-freetype/CVE-2007-2754_ttgfload to address CVE-2007-2754, a bug allowing execution of arbitrary code via a crafted TTF image by way of an integer overflow. Closes: #425625.

see http://bugs.debian.org/425625 which also contains the url to the patch: http://cvs.savannah.nongnu.org/viewvc/freetype2/src/truetype/ttgload.c?root=freetype&r1=1.177&r2=1.178.

We have 2.2.1 in our tree... I guess we should fix that for OOo 2.2.1...
target 2.2.1
set keyword
Hmm. I don't see ttg*.* compiled...
fixed anyway (cws freetypettg)
ah. no. we *are* affected. freetype does nasty things like this:

$ grep ttgl *
Jamfile: _sources = ttdriver ttobjs ttpload ttgload ttinterp ttgxvar ;
rules.mk: $(TT_DIR)/ttgload.c \
truetype.c:#include "ttgload.c" /* glyph loader */
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]

note the .c
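Added example, not part of the original comment and not FreeType or OpenOffice.org code: a check for the situation described above, where a patched source file never appears as its own object file because another `.c` file pulls it in with `#include`. The function names, the sample tree and `standalone.c` are constructed for illustration; only `truetype.c` including `ttgload.c` comes from the grep output above.

```python
import os
import re
import tempfile

# Matches: #include "something.c"  (a C source pulled into another unit)
INCLUDE_C = re.compile(r'^\s*#\s*include\s+"([^"]+\.c)"', re.MULTILINE)

def c_includers(root):
    """Map each included .c basename to the .c files that #include it.
    Assumption: basenames are unique within the tree."""
    included_by = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".c"):
                continue
            with open(os.path.join(dirpath, name), errors="replace") as fh:
                text = fh.read()
            for target in INCLUDE_C.findall(text):
                included_by.setdefault(os.path.basename(target), set()).add(name)
    return included_by

def units_compiling(root, source):
    """Return the .c files through which `source` reaches the compiler
    indirectly, following #include chains to files nobody else includes."""
    included_by = c_includers(root)
    seen, stack, roots = set(), [source], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        parents = included_by.get(cur, set())
        if not parents and cur != source:
            roots.add(cur)  # top of the chain: this is what gets compiled
        stack.extend(parents)
    return sorted(roots)

def build_sample_tree(root):
    """Write a constructed sample tree mirroring the grep output above."""
    files = {
        "truetype.c": '#include "ttgload.c" /* glyph loader */\n',
        "ttgload.c": "/* glyph loader body (constructed) */\n",
        "standalone.c": "/* unrelated file (constructed) */\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        print("ttgload.c is compiled via:", units_compiling(d, "ttgload.c"))
```

An empty result means the file is not included by any other `.c` file, so the makefile or object list is the place to look for it.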
.
reassign for verification
VERIFIED in CWS freetypettg.
verified in 2.2.1 -> closed