-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:235 http://www.mandriva.com/security/ _______________________________________________________________________ Package : freetype2 Date : November 16, 2010 Affected: Corporate 4.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities were discovered and corrected in freetype2: An error exists in the "ft_var_readpackedpoints()" function in src/truetype/ttgxvar.c when processing TrueType GX fonts and can be exploited to cause a heap-based buffer overflow via a specially crafted font (CVE-2010-3855). The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3855 http://secunia.com/advisories/41738 _______________________________________________________________________ Updated Packages: Corporate 4.0: 8fda305a5fae4aefca37ba2830b1a345 corporate/4.0/i586/libfreetype6-2.1.10-9.14.20060mlcs4.i586.rpm 2b33f336eaa4105112adbac8780c7be1 corporate/4.0/i586/libfreetype6-devel-2.1.10-9.14.20060mlcs4.i586.rpm 129a3208e9f5c6a1c10660930736bb5c corporate/4.0/i586/libfreetype6-static-devel-2.1.10-9.14.20060mlcs4.i586.rpm 08ee97b65dff2197555a55ffb8aabcde corporate/4.0/SRPMS/freetype2-2.1.10-9.14.20060mlcs4.src.rpm Corporate 4.0/X86_64: c19152256818aff210dde26c75e588d7 corporate/4.0/x86_64/lib64freetype6-2.1.10-9.14.20060mlcs4.x86_64.rpm ee453b7d6affc8830283e5f2366edf72 corporate/4.0/x86_64/lib64freetype6-devel-2.1.10-9.14.20060mlcs4.x86_64.rpm 7ea2ccaeeccf5250f053eec9c74b1d9a corporate/4.0/x86_64/lib64freetype6-static-devel-2.1.10-9.14.20060mlcs4.x86_64.rpm 08ee97b65dff2197555a55ffb8aabcde corporate/4.0/SRPMS/freetype2-2.1.10-9.14.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFM4kTAmqjQ0CJFipgRAm7qAJ9ZrJZFcEolbskRtdhmAVeoo3dkwwCeOCTA yPEXVemOYVrUmY1OpYUoJ8o= =N3n6 -----END PGP SIGNATURE-----