Fedora alert FEDORA-2012-0289 (t1lib)

From:
    	     
 
updates@fedoraproject.org 
To:
    	     
 
package-announce@lists.fedoraproject.org 
Subject:
    	     
 
[SECURITY] Fedora 16 Update: t1lib-5.1.2-9.fc16 
Date:
    	     
 
Sat, 28 Jan 2012 03:23:39 +0000
Message-ID:
    	     
 
<20120128032339.841A5208DE@bastion01.phx2.fedoraproject.org>
Archive‑link:
 
        	
Article
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-0289
2012-01-11 05:14:16
--------------------------------------------------------------------------------

Name        : t1lib
Product     : Fedora 16
Version     : 5.1.2
Release     : 9.fc16
URL         : ftp://sunsite.unc.edu/pub/Linux/libs/graphics/t1lib-5.1.2...
Summary     : PostScript Type 1 font rasterizer
Description :
T1lib is a rasterizer library for Adobe Type 1 Fonts. It supports
rotation and transformation, kerning underlining and antialiasing. It
does not depend on X11, but does provides some special functions for
X11.

AFM-files can be generated from Type 1 font files and font subsetting
is possible.

--------------------------------------------------------------------------------
Update Information:

This update fixes several security flaws in t1lib (flaws in AFM parser and when handling specially
crafted Type1 fonts).
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 10 2012 Jaroslav Škarvada <jskarvad@redhat.com> - 5.1.2-9
- Add patch to fix CVE-2010-2642, CVE-2011-0433 (afm-fix patch)
- New version of patch for CVE-2011-0764, also fixes CVE-2011-1552,
  CVE-2011-1553, CVE-2011-1554 (type1-inv-rw-fix patch)
  Resolves: rhbz#772899
- Add explicit NVR requires to apps subpackage (consumes libt1(x).so)
- Fix rpmlint warning (mixed-use-of-spaces-and-tabs)
* Tue Jan  3 2012 José Matos <jamatos@fedoraproject.org> - 5.1.2-8
- Add patch to fix CVE-2011-0764
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #666318 - CVE-2010-2642 evince, t1lib: Heap based buffer overflow in DVI file AFM font
parser
        https://bugzilla.redhat.com/show_bug.cgi?id=666318
  [ 2 ] Bug #679732 - CVE-2011-0433 evince, t1lib: Heap-based buffer overflow DVI file AFM font
parser
        https://bugzilla.redhat.com/show_bug.cgi?id=679732
  [ 3 ] Bug #692909 - CVE-2011-0764 t1lib: Invalid pointer dereference via crafted Type 1 font
        https://bugzilla.redhat.com/show_bug.cgi?id=692909
  [ 4 ] Bug #692853 - CVE-2011-1552 t1lib: invalid read crash via crafted Type 1 font
        https://bugzilla.redhat.com/show_bug.cgi?id=692853
  [ 5 ] Bug #692854 - CVE-2011-1553 t1lib: Use-after-free via crafted Type 1 font
        https://bugzilla.redhat.com/show_bug.cgi?id=692854
  [ 6 ] Bug #692856 - CVE-2011-1554 t1lib: Off-by-one via crafted Type 1 font
        https://bugzilla.redhat.com/show_bug.cgi?id=692856
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update t1lib' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...