Debian Bug report logs - #602221
freetype: CVE-2010-3855 and CVE-2010-3814

version graph

Package: freetype; Maintainer for freetype is Steve Langasek <>;

Reported by: Moritz Muehlenhoff <>

Date: Tue, 2 Nov 2010 17:06:02 UTC

Severity: grave

Tags: security

Fixed in version freetype/2.4.2-2.1

Done: Moritz Muehlenhoff <>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to,, Steve Langasek <>:
Bug#602221; Package freetype. (Tue, 02 Nov 2010 17:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <>:
New Bug report received and forwarded. Copy sent to, Steve Langasek <>. (Tue, 02 Nov 2010 17:06:05 GMT) Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Moritz Muehlenhoff <>
To: Debian Bug Tracking System <>
Subject: freetype: CVE-2010-3855 and CVE-2010-3814
Date: Tue, 02 Nov 2010 18:04:18 +0100
Package: freetype
Severity: grave
Tags: security
Justification: user security hole

Two security issues have been fixed in freetype, at least the first
should allow code injection:




-- System Information:
Debian Release: 5.0.1
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.32-ucs16-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Reply sent to Moritz Muehlenhoff <>:
You have taken responsibility. (Thu, 18 Nov 2010 20:51:04 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <>:
Bug acknowledged by developer. (Thu, 18 Nov 2010 20:51:04 GMT) Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Moritz Muehlenhoff <>
Subject: Bug#602221: fixed in freetype 2.4.2-2.1
Date: Thu, 18 Nov 2010 20:48:10 +0000
Source: freetype
Source-Version: 2.4.2-2.1

We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive:

  to main/f/freetype/freetype2-demos_2.4.2-2.1_i386.deb
  to main/f/freetype/freetype_2.4.2-2.1.diff.gz
  to main/f/freetype/freetype_2.4.2-2.1.dsc
  to main/f/freetype/libfreetype6-dev_2.4.2-2.1_i386.deb
  to main/f/freetype/libfreetype6-udeb_2.4.2-2.1_i386.udeb
  to main/f/freetype/libfreetype6_2.4.2-2.1_i386.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Moritz Muehlenhoff <> (supplier of updated freetype package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Hash: SHA1

Format: 1.8
Date: Thu, 18 Nov 2010 21:16:12 +0100
Source: freetype
Binary: libfreetype6 libfreetype6-dev freetype2-demos libfreetype6-udeb
Architecture: source i386
Version: 2.4.2-2.1
Distribution: unstable
Urgency: medium
Maintainer: Steve Langasek <>
Changed-By: Moritz Muehlenhoff <>
 freetype2-demos - FreeType 2 demonstration programs
 libfreetype6 - FreeType 2 font engine, shared library files
 libfreetype6-dev - FreeType 2 font engine, development files
 libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Closes: 602221
 freetype (2.4.2-2.1) unstable; urgency=medium
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2010-3855 and CVE-2010-3814 (Closes: #602221)
 5e5f444c312d4bb6f768b2243565deceffcd5ee0 1199 freetype_2.4.2-2.1.dsc
 568e6703b3beba2165f0b56e5d7c95148c3a1f24 36566 freetype_2.4.2-2.1.diff.gz
 028c4f43e4fe7884f4cd4fc8c4f6a6bf75bddeb6 359076 libfreetype6_2.4.2-2.1_i386.deb
 bcd9b326e91ea7b5a7e5c86a3d33b01020dafd97 710324 libfreetype6-dev_2.4.2-2.1_i386.deb
 14f7256384278dd2f321bfaee060c86ba5a083c9 189598 freetype2-demos_2.4.2-2.1_i386.deb
 0cf89f73eec7b8bc239e3c49bbd8f9f03e853add 265426 libfreetype6-udeb_2.4.2-2.1_i386.udeb
 41d3ed18e31cd974f9f4ef603eba5e84e7d187b1fa8b506611990683fd43e897 1199 freetype_2.4.2-2.1.dsc
 2a359e448ff0f7ac7c50ee81ffbd804b1900ee3e6450de77f4d7f605997af3b1 36566 freetype_2.4.2-2.1.diff.gz
 a0bdc67bd6445efa60ddb5889202e36be16f296275260650823a0884819f6583 359076 libfreetype6_2.4.2-2.1_i386.deb
 2419911213d788cddbafb021d52454f3cbeac7651048a7fd3bec93d305d987cc 710324 libfreetype6-dev_2.4.2-2.1_i386.deb
 80cf3fa0190caa13ce61ab961275805ea4f3161f14b43d6f89d47a64dbf105dd 189598 freetype2-demos_2.4.2-2.1_i386.deb
 26e5486865cd6633dd205194a98cbc504326099304916a4c798916c1a563a8e4 265426 libfreetype6-udeb_2.4.2-2.1_i386.udeb
 dff01e746c18bcbcf0a476872e5ae64b 1199 libs optional freetype_2.4.2-2.1.dsc
 68a5fe548b573eb994d212b0928f249b 36566 libs optional freetype_2.4.2-2.1.diff.gz
 66573cc6e4be9546e8a8c7f8fc662989 359076 libs optional libfreetype6_2.4.2-2.1_i386.deb
 fda31ec1ff9f5cca84f7939878d19d12 710324 libdevel optional libfreetype6-dev_2.4.2-2.1_i386.deb
 8b1dea92a774660fc154f63998490579 189598 utils optional freetype2-demos_2.4.2-2.1_i386.deb
 920fc009a335125920a77a99b3e0dc5c 265426 debian-installer extra libfreetype6-udeb_2.4.2-2.1_i386.udeb
Package-Type: udeb

Version: GnuPG v1.4.10 (GNU/Linux)


Bug archived. Request was from Debbugs Internal Request <> to (Wed, 22 Dec 2010 07:31:23 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.

Debian bug tracking system administrator <>. Last modified: Sun Apr 20 16:21:59 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.