Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
Summary: CVE-2012-1144 freetype: insufficient checking of first outline point in TTF parser (#35689) [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=806271
Summary: CVE-2012-1144 freetype: insufficient checking of first
outline point in TTF parser (#35689) [fedora-all]
Product: Fedora
Version: 16
Platform: All
OS/Version: Linux
Status: NEW
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Component: mingw32-freetype
AssignedTo: rjones(a)redhat.com
ReportedBy: thoger(a)redhat.com
QAContact: extras-qa(a)fedoraproject.org
CC: lfarkas(a)lfarkas.org, rjones(a)redhat.com,
erik-fedora(a)vanpienbroek.nl,
fedora-mingw(a)lists.fedoraproject.org
Blocks: 800607
Classification: Fedora
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=800607
Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.
[bug automatically created by: add-tracking-bugs]
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=851189
Bug ID: 851189
QA Contact: extras-qa(a)fedoraproject.org
Severity: unspecified
Version: rawhide
Priority: unspecified
CC: fedora-mingw(a)lists.fedoraproject.org,
notting(a)redhat.com,
package-review(a)lists.fedoraproject.org
Assignee: nobody(a)fedoraproject.org
Summary: Review Request: mingw-lcms2 - MinGW Color Management
System
Regression: ---
Story Points: ---
Classification: Fedora
OS: Unspecified
Reporter: t.sailer(a)alumni.ethz.ch
Type: Bug
Documentation: ---
Hardware: Unspecified
Mount Type: ---
Status: NEW
Component: Package Review
Product: Fedora
Spec URL: http://sailer.fedorapeople.org/mingw-lcms2.spec
SRPM URL: http://sailer.fedorapeople.org/mingw-lcms2-2.3-1.fc17.src.rpm
Description:
MinGW Color Management System
Approved MinGW packaging guidelines are here:
http://fedoraproject.org/wiki/Packaging/MinGW
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=866032
Bug ID: 866032
QA Contact: extras-qa(a)fedoraproject.org
Severity: unspecified
Version: rawhide
Priority: unspecified
CC: erik-fedora(a)vanpienbroek.nl,
fedora-mingw(a)lists.fedoraproject.org,
lfarkas(a)lfarkas.org, rjones(a)redhat.com
Assignee: rjones(a)redhat.com
Summary: configure --disable-static prevents building of
freetype static library
Regression: ---
Story Points: ---
Classification: Fedora
OS: Unspecified
Reporter: ntd(a)entidi.it
Type: Bug
Documentation: ---
Hardware: Unspecified
Mount Type: ---
Status: NEW
Component: mingw-freetype
Product: Fedora
Back in 2008 static libraries were stripped from the final package. The
relevant commit does not explain why:
http://hg.et.redhat.com/cgi-bin/hg-misc.cgi/fedora-mingw--devel/rev/1d89b5e…
Actually they are disabled at configure level with --disable-static. I'd like
to know the rationale behind this.
If that reason still stands a comment should be added to the spec (or I can
provide a git patch myself... I don't know if this is common practice here)
otherwise adding --enable-static can be considered. I didn't find anything in
favor or against it in the wild.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=843190
Bug ID: 843190
Keywords: Security, SecurityTracking
Blocks: 843179 (CVE-2011-3464)
QA Contact: extras-qa(a)fedoraproject.org
Severity: high
Version: 17
Priority: high
CC: drizt(a)land.ru, erik-fedora(a)vanpienbroek.nl,
fedora-mingw(a)lists.fedoraproject.org,
ktietz(a)redhat.com, lfarkas(a)lfarkas.org,
rjones(a)redhat.com
Assignee: rjones(a)redhat.com
Summary: CVE-2011-3464 libpng: One-byte stack buffer overrun
in png_formatted_warning [fedora-17]
Regression: ---
Story Points: ---
Classification: Fedora
OS: Linux
Reporter: kseifried(a)redhat.com
Type: ---
Documentation: ---
Hardware: All
Mount Type: ---
Status: NEW
Component: mingw-libpng
Product: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=843179
fedora-17 tracking bug for mingw-libpng: see blocks bug list for full details
of the security issue(s).
[bug automatically created by: add-tracking-bugs]
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=849693
Vincent Danen <vdanen(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |vdanen(a)redhat.com
--- Comment #29 from Vincent Danen <vdanen(a)redhat.com> ---
I've done some additional poking around on this. In Fedora 17, I've found the
following packages which contain libiberty/objalloc.c:
arm-gp2x-linux-binutils-2.16.1-11.fc17
arm-gp2x-linux-gcc-4.1.2-13.fc17
avr-binutils-2.20-3.fc17
avr-gcc-4.6.3-1.fc17
avr-gdb-7.1-4.fc17
binutils-2.22.52.0.1-10.fc17
CableSwig-3.20.0-6.fc17
compat-gcc-296-2.96-144
compat-gcc-32-3.2.3-68.3
compat-gcc-34-3.4.6-24.fc17
cross-gcc-4.7.1-0.1.20120606.fc17
gcc-4.7.2-2.fc17
gccxml-0.9.0-0.12.20120309.fc17
gdb-7.4.50.20120120-50.fc17
ghdl-0.29-2.143svn.6.fc17
insight-7.4.50-1.20120403cvs.fc17
mingw-binutils-2.22.52-4.fc17
mingw-crt-2.0.999-0.6.trunk.20120601.fc17
mingw-crt-2.0.999-0.6.trunk.20120601.fc17
mingw-gcc-4.7.0-2.fc17
mingw-gdb-7.4.50.20120603-1.fc17
mingw-headers-2.0.999-0.7.trunk.20120601.fc17
mingw-headers-2.0.999-0.7.trunk.20120601.fc17
mingw-w64-tools-2.0.999-0.2.trunk.20120124.fc17
mingw-w64-tools-2.0.999-0.2.trunk.20120124.fc17
mono-debugger-2.10-3.fc17
msp430-binutils-2.19.1-4.fc17
msp430-gcc-3.2.3-6.20100805cvs.fc17
nesc-1.3.4-1.fc17
sh-elf-binutils-2.21-3.fc17
Obviously not all of them compile in or use the affected function. The
following packages actually export the _objalloc_alloc symbol (this is
incomplete as my tool doesn't have Fedora 17 imported, so this is from Fedora
16):
binutils-2.21.53.0.1-6.fc16 (binutils): _objalloc_alloc in
/usr/lib/libbfd-2.21.53.0.1-6.fc16.so
crash-6.0.2-1.fc16 (crash): _objalloc_alloc in /usr/bin/crash
gdb-7.3.50.20110722-10.fc16 (gdb): _objalloc_alloc in /usr/bin/gdb
insight-6.8.1-4.fc15 (insight): _objalloc_alloc in /usr/bin/insight
lush-1.2.1-6.fc12 (lush): _objalloc_alloc in /usr/bin/lush
mono-debugger-2.10-1.fc16 (mono-debugger): _objalloc_alloc in
/usr/lib/libmonodebuggerserver.so.0.0.0
mutrace-0.2-2.fc15 (mutrace): _objalloc_alloc in
/usr/lib/libmutrace-backtrace-symbols.so
Based on prior discussion, it does not seem that gcc is affected by this, and
the above backs it up unless gcc is hiding the symbols (or my tool is wrong).
It looks as though lush isn't in Fedora 17 so could be ignored, but the
immediate suspects are gdb, binutils, crash, insight, mono-debugger, and
mutrace. I don't know about, for instance, avr-gdb as it doesn't seem to
export the symbol, but I also don't know if that really means anything (not
sure what avr binaries are or what "remote debugging is", based on the rpm
description).
If nothing else, this is a list to work off of, at least initially.
I'm hesitant to file tracking bugs for these, however, because a tracking bug
was filed for gdb a month ago for Fedora, and nothing has been done with it
that I can see. Is there a problem with the patch, or some other reason for
not getting the fix into gdb?
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=870455
--- Comment #7 from Orion Poplawski <orion(a)cora.nwra.com> ---
It appears it doesn't, must have not removed my cache when testing. So it
appears that FindQt4 looks for qmake in $PATH and env $QTDIR/bin. It sets
QT_BINARY_DIR from qmake output if not already set, but does not use it to find
qmake.
If anyone has a good suggestion for how this should be handled in FindQt4,
please file a bug upstream. Otherwise I suggest using mingw32-cmake, or
setting PATH or QTDIR. I suppose the QT_BINARY_DIR should still be fixed in
Toolchain-mingw32.cmake, or perhaps just removed to avoid confusion?
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=849693
--- Comment #28 from Toshio Ernie Kuratomi <a.badger(a)gmail.com> ---
Note: According to the fesco ticket[1]_, fesco thought it might be more
appropriate for the security team to open bugs for the affected packages than
fsco since the security team might have tooling to create an track the bugs.
I see that some of the other packages were added to the whiteboard for this bug
and some of the other package maintainers are CC'd but not all of them. (for
instance, mono-debugger owner: chkr)
I'm just making sure that the fesco request shows up here so that it doesn't
fall through the cracks.
[1]_: https://fedorahosted.org/fesco/ticket/956#comment:19
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=870455
--- Comment #6 from Marcin Wojdyr <wojdyr(a)gmail.com> ---
(In reply to comment #4)
> When using mingw32-cmake it seems to use qmake-qt4 from:
>
> QT_QMAKE_EXECUTABLE=/usr/i686-w64-mingw32/bin/qmake-qt4
I didn't know about mingw32-cmake, I just used plain cmake, like this:
cmake -D CMAKE_TOOLCHAIN_FILE=/usr/share/mingw/Toolchain-mingw32.cmake ..
It indeed works when calling through mingw32-cmake or when PATH is set as in
mingw32-cmake:
PATH=/usr/i686-w64-mingw32/bin:$PATH.
>
> Do you have a sample CMakeLists.txt for testing?
cmake_minimum_required(VERSION 2.8)
project(foo CXX)
set(CMAKE_FIND_LIBRARY_SUFFIXES ${CMAKE_STATIC_LIBRARY_SUFFIX})
find_package(Qt4 REQUIRED QtCore QtGui)
include(${QT_USE_FILE})
message(STATUS "QT_QMAKE_EXECUTABLE='${QT_QMAKE_EXECUTABLE}'")
I think changing QT_BINARY_DIR (comment 5) doesn't affect qmake path.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=870455
Orion Poplawski <orion(a)cora.nwra.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |drizt(a)land.ru,
| |erik-fedora(a)vanpienbroek.nl
| |,
| |fedora-mingw(a)lists.fedorapr
| |oject.org,
| |kalevlember(a)gmail.com,
| |lfarkas(a)lfarkas.org,
| |rjones(a)redhat.com
Component|cmake |mingw32-filesystem
Assignee|orion(a)cora.nwra.com |rjones(a)redhat.com
--- Comment #5 from Orion Poplawski <orion(a)cora.nwra.com> ---
Toolchain appears to be setting QT_BINARY_DIR to:
QT_BINARY_DIR=/usr/i686-w64-mingw32/bin/usr/bin
which isn't correct.
--- /usr/share/mingw/Toolchain-mingw32.cmake.orig 2012-10-29
20:53:22.038953114 -0600
+++ /usr/share/mingw/Toolchain-mingw32.cmake 2012-10-29 20:52:00.350620208
-0600
@@ -14,7 +14,7 @@
SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
# Make sure Qt can be detected by CMake
-SET(QT_BINARY_DIR /usr/i686-w64-mingw32/bin /usr/bin)
+SET(QT_BINARY_DIR /usr/i686-w64-mingw32/bin)
# set the resource compiler (RHBZ #652435)
SET(CMAKE_RC_COMPILER /usr/bin/i686-w64-mingw32-windres)
should do the trick.
--
You are receiving this mail because:
You are on the CC list for the bug.