Hi Steve,

Steve Langasek wrote:
> Security team, I'm not sure if this warrants a DSA; I definitely don't see
> much risk of a remote exploit the way the CVE claims, I don't know of any
> applications that will load untrusted truetype fonts provided remotely
> across the network.  If you do think a DSA is warranted here, let me know
> and I'll be happy to prepare an upload.

I guess we should fix this; it's indirectly remotely exploitable at least
by providing someone a malformed TTF font file. As libfreetype is an important
infrastructure library, there might also be unforeseen indirect attack
vectors, like embedding TTFs in other document types, etc.

Steve Kemp wanted to work on a DSA, so you should probably check back
with him before preparing an upload.

Cheers,
        Moritz
