[Pkg-fonts-devel] Bug#947276: libspiro: CVE-2019-19847

Salvatore Bonaccorso carnil at debian.org
Mon Dec 23 21:49:02 GMT 2019


Source: libspiro
Version: 1:20190731-2
Severity: normal
Tags: security upstream
Forwarded: https://github.com/fontforge/libspiro/issues/21

Hi,

The following vulnerability was published for libspiro. Although the
problematic function is exported, there seem, at least in Debian, not to
be any users of this (and it's not in the 'advertised' API). But just
filing the bug mainly for tracking the upstream issue.

CVE-2019-19847[0]:
| Libspiro through 20190731 has a stack-based buffer overflow in the
| spiro_to_bpath0() function in spiro.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19847
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19847
[1] https://github.com/fontforge/libspiro/issues/21

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
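The CVE text above only names the bug class (a stack-based buffer overflow in a conversion routine) and the affected function; it does not show libspiro's code. The following C snippet is an added, hypothetical illustration of that bug class and its mitigation, not libspiro's own code: a converter writes a variable-length list of points into a fixed-size stack buffer, and the hardened pattern validates the element count against the destination capacity before any write. All names (`to_bpath_checked`, `convert_on_stack`, `BPATH_CAP`, `point_t`) and the sample inputs are constructed for this example.

```c
#include <stddef.h>

/* Constructed capacity for the illustration; not a libspiro constant. */
#define BPATH_CAP 16

/* Hypothetical point type standing in for the converter's output element. */
typedef struct { double x, y; } point_t;

/* Hardened pattern: check the element count against the destination
 * capacity BEFORE writing anything. Returns the number of points written,
 * or -1 if the input would not fit (or a pointer is missing). */
int to_bpath_checked(const point_t *in, size_t n, point_t *out, size_t cap)
{
    if (in == NULL || out == NULL)
        return -1;
    if (n > cap)            /* the check whose absence is the overflow */
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = in[i];
    return (int)n;
}

/* Caller that keeps its output buffer on the stack, as a converter like
 * the one named in the CVE might. Because the capacity is passed down and
 * checked first, oversized input is rejected instead of overrunning bpath. */
int convert_on_stack(const point_t *in, size_t n)
{
    point_t bpath[BPATH_CAP];
    int written = to_bpath_checked(in, n, bpath, BPATH_CAP);
    if (written < 0)
        return -1;
    /* A real caller would now consume bpath[0 .. written). */
    return written;
}

/* Constructed sample inputs: a small curve that fits, and one element
 * more than the buffer holds. */
static const point_t small_curve[4] = { {0, 0}, {1, 2}, {3, 2}, {4, 0} };
static point_t oversized[BPATH_CAP + 1];

int demo_small(void)     { return convert_on_stack(small_curve, 4); }
int demo_oversized(void) { return convert_on_stack(oversized, BPATH_CAP + 1); }
```

The design point is that the capacity travels with the buffer as an explicit parameter and is compared against the count before the loop; when the destination lives on the stack, that single comparison is the difference between a clean error return and a write past the frame.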


