[HarfBuzz] Fwd: Patch: Multiple security vulnerabilities in ICU Layout Engine

Steven R. Loomis srl at icu-project.org
Fri Apr 19 16:22:08 PDT 2013


FYI. Note plug for harfbuzz.
-s


---------- Forwarded message ----------
From: *Steven R. Loomis*
Date: Friday, April 19, 2013
Subject: Patch: Multiple security vulnerabilities in ICU Layout Engine
To: icu-announce at lists.sourceforge.net


(FYI: I did not mention HarfBuzz in the post to icu-announce. However, the
download page does mention it.)

( This information is available on http://site.icu-project.org/download/51 )

Dear ICU users and friends,
Please find below information about a patch, affecting ALL versions of the
ICU layout engine.


   - 2013-Apr-18: Security Vulnerabilities in the Layout Engine.
     http://bugs.icu-project.org/trac/ticket/10107 (ALL prior versions)
     *Applications which use fonts from untrusted sources are vulnerable
     to security issues.*
       - *Scope:* These issues do not affect applications which don't use
         the ICU Layout Engine. These issues would primarily affect
         applications which process fonts from untrusted sources, such as
         webfonts.
       - *NOTE:* Applications *must* implement
         *LEFontInstance::getFontTable(LETag, size_t &length)* in their
         LEFontInstance subclasses, so that ICU can properly bounds-check
         font tables.
       - *Cross Reference:* The following RedHat Bug #s, CVEs, and Oracle
         Java bug#s are fixed by the following patch, which is synchronized
         with the Java 1.7 u update 21:
           - RH# 952656 - CVE-2013-2419 OpenJDK: font processing errors
             (2D, Java #8001031)
           - RH# 952708 - CVE-2013-2383 OpenJDK: font layout and glyph
             table errors (2D, Java #8004986)
           - RH# 952709 - CVE-2013-2384 OpenJDK: font layout and glyph
             table errors (2D, Java #8004987)
           - RH# 952711 - CVE-2013-1569 OpenJDK: font layout and glyph
             table errors (2D, Java #8004994)
       - Patch is located at: the 'known issues' section of:
         http://site.icu-project.org/download/51

   - *HarfBuzz:* users of ICU Layout are *strongly* encouraged to consider
     the HarfBuzz project <http://www.freedesktop.org/wiki/Software/HarfBuzz>
     as a replacement for the ICU Layout Engine. An ICU team member
     responsible for the Layout Engine is contributing fixes and features to
     HarfBuzz, and a drop-in wrapper is available to allow use of HarfBuzz as
     a direct replacement for the ICU layout engine. See:
     http://www.freedesktop.org/wiki/Software/HarfBuzz
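The NOTE in the announcement above says applications must implement getFontTable with a length out-parameter so that ICU can bounds-check font tables. The C++ below is an added illustration of why that length matters; it is not ICU's code and does not use the real LEFontInstance class. A hypothetical FontTables provider returns each table pointer together with its length, and a reader of a toy lookup table (constructed bytes, not a real OpenType table) rejects any count or offset that would reach past the end, which is exactly the check a consumer cannot perform when it only receives a bare pointer.

```cpp
// Added illustration (not ICU code, not the LEFontInstance API) of why a font
// table accessor has to report the table's length: only then can the consumer
// bounds-check every offset and count it reads from untrusted font data.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <utility>
#include <vector>

// Hypothetical four-byte table tag, standing in for ICU's LETag.
using TableTag = uint32_t;

constexpr TableTag makeTag(char a, char b, char c, char d) {
    return (TableTag(uint8_t(a)) << 24) | (TableTag(uint8_t(b)) << 16) |
           (TableTag(uint8_t(c)) << 8)  |  TableTag(uint8_t(d));
}

// Hypothetical table provider playing the role of an application's font
// instance. Mirrors the page's point: the table pointer comes back together
// with its length (length is set to 0 and nullptr returned for a missing table).
class FontTables {
public:
    void addTable(TableTag tag, std::vector<uint8_t> bytes) {
        tables_[tag] = std::move(bytes);
    }
    const uint8_t *getFontTable(TableTag tag, size_t &length) const {
        auto it = tables_.find(tag);
        if (it == tables_.end()) { length = 0; return nullptr; }
        length = it->second.size();
        return it->second.data();
    }
private:
    std::map<TableTag, std::vector<uint8_t>> tables_;
};

// Bounds-checked big-endian 16-bit read. The comparison is written as
// length - offset < 2 so that offset + 2 can never overflow.
bool readU16(const uint8_t *table, size_t length, size_t offset, uint16_t &out) {
    if (table == nullptr || offset > length || length - offset < 2) return false;
    out = uint16_t((uint16_t(table[offset]) << 8) | table[offset + 1]);
    return true;
}

// Toy lookup table layout (constructed for this example):
//   u16 count, then `count` u16 offsets, each pointing at a u16 value inside
//   the same table. Both the count and the offsets are attacker-controlled in
//   a malicious font, so every access goes through readU16.
// Returns the sum of the referenced values, or -1 if any read would leave the
// table (or the table is missing).
long lookupSum(const FontTables &font, TableTag tag) {
    size_t length = 0;
    const uint8_t *table = font.getFontTable(tag, length);
    uint16_t count = 0;
    if (!readU16(table, length, 0, count)) return -1;
    long sum = 0;
    for (size_t i = 0; i < count; ++i) {
        uint16_t offset = 0, value = 0;
        if (!readU16(table, length, 2 + i * 2, offset)) return -1; // offset array entry
        if (!readU16(table, length, offset, value)) return -1;     // referenced value
        sum += value;
    }
    return sum;
}

// Constructed sample tables: one well-formed, two shaped like a hostile font.
FontTables buildConstructedFont() {
    FontTables font;
    // count=2, offsets 6 and 8, values 0x0010 and 0x0020 (10 bytes total).
    font.addTable(makeTag('G', 'O', 'O', 'D'),
                  {0x00, 0x02, 0x00, 0x06, 0x00, 0x08, 0x00, 0x10, 0x00, 0x20});
    // Second offset 0xFFF0 points far outside the 10-byte table.
    font.addTable(makeTag('B', 'A', 'D', '1'),
                  {0x00, 0x02, 0x00, 0x06, 0xFF, 0xF0, 0x00, 0x10, 0x00, 0x20});
    // count=0x7FFF claims an offset array much longer than the table.
    font.addTable(makeTag('B', 'A', 'D', '2'),
                  {0x7F, 0xFF, 0x00, 0x06, 0x00, 0x08, 0x00, 0x10, 0x00, 0x20});
    return font;
}

int main() {
    FontTables font = buildConstructedFont();
    std::printf("GOOD: %ld\n", lookupSum(font, makeTag('G', 'O', 'O', 'D'))); // 48
    std::printf("BAD1: %ld\n", lookupSum(font, makeTag('B', 'A', 'D', '1'))); // -1
    std::printf("BAD2: %ld\n", lookupSum(font, makeTag('B', 'A', 'D', '2'))); // -1
    return 0;
}
```

The two malformed tables fail at different points (a bad offset in BAD1, a bad count in BAD2), but both are caught by the same readU16 guard, which is only possible because getFontTable reported the 10-byte length. A provider that returned a bare pointer would leave the reader no way to tell offset 0xFFF0 from a valid one.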