unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#44146: CVE-2020-15999 in FreeType
       [not found] <28f1351e-1176-153d-1fc3-6768d807397c@oracle.com>
@ 2020-10-22 16:48 ` Marius Bakke
  2020-10-22 19:30   ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  2020-11-10 20:21   ` Maxim Cournoyer
  0 siblings, 2 replies; 3+ messages in thread
From: Marius Bakke @ 2020-10-22 16:48 UTC (permalink / raw)
  To: 44146

[-- Attachment #1: Type: text/plain, Size: 3870 bytes --]

Hello,

The 'freetype' package is vulnerable to CVE-2020-15999.

According to
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
an exploit already exists in the wild.

I'm busy for a couple of days and won't be able to work on it in time.
Volunteers wanted!

Forwarding a message from oss-security, we may have to patch Ghostscript
as well:

-------------------- Start of forwarded message --------------------
To: oss-security@lists.openwall.com
Cc: Werner LEMBERG <wl@gnu.org>
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue, 20 Oct 2020 09:49:31 -0700
Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4

Before making this release, Werner said:

> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs.  It seems that this
> vulnerability gets already actively used in the wild, so I ask all
> users to apply the corresponding commit as soon as possible.

But distros should be warned that 2.10.3 and later may break the build
of ghostscript, due to ghostscript's use of a withdrawn macro that
wasn't intended for external usage:

https://bugs.ghostscript.com/show_bug.cgi?id=702985
https://lists.nongnu.org/archive/html/freetype-devel/2020-10/msg00002.html

Ghostscript's fix for that is at:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b

	-Alan Coopersmith-               alan.coopersmith@oracle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc

-------- Forwarded Message --------
Subject: [ft-announce] Announcing FreeType 2.10.4
Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)
From: Werner LEMBERG <wl@gnu.org>
To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org


FreeType 2.10.4 has been released.

It is available from

     http://savannah.nongnu.org/download/freetype/

or

     http://sourceforge.net/projects/freetype/files/

The latter site also holds older versions of the FreeType library.

See below for the relevant snippet from the CHANGES file.

Enjoy!


    Werner


PS: Downloads from  savannah.nongnu.org  will redirect to your nearest
     mirror site.   Files on  mirrors may  be subject to  a replication
     delay   of   up   to   24   hours.   In   case   of  problems  use
     http://download-mirror.savannah.gnu.org/releases/


----------------------------------------------------------------------


http://www.freetype.org


FreeType 2  is a software  font engine that  is designed to  be small,
efficient,  highly   customizable,  and  portable   while  capable  of
producing high-quality output (glyph images) of most vector and bitmap
font formats.

Note that  FreeType 2 is  a font service  and doesn't provide  APIs to
perform higher-level features, like text layout or graphics processing
(e.g.,  colored  text  rendering,  `hollowing',  etc.).   However,  it
greatly simplifies these tasks by providing a simple, easy to use, and
uniform interface to access the content of font files.

FreeType  2  is  released  under  two open-source  licenses:  our  own
BSD-like FreeType  License and the  GPL.  It can  thus be used  by any
kind of projects, be they proprietary or not.


----------------------------------------------------------------------


CHANGES BETWEEN 2.10.3 and 2.10.4

   I. IMPORTANT BUG FIXES

   - A heap buffer overflow has been found  in the handling of embedded
     PNG bitmaps, introduced in FreeType version 2.6.

       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

     If you  use option  FT_CONFIG_OPTION_USE_PNG  you  should  upgrade
     immediately.

_______________________________________________
Freetype-announce mailing list
Freetype-announce@nongnu.org
https://lists.nongnu.org/mailman/listinfo/freetype-announce

-------------------- End of forwarded message --------------------

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* bug#44146: CVE-2020-15999 in FreeType
  2020-10-22 16:48 ` bug#44146: CVE-2020-15999 in FreeType Marius Bakke
@ 2020-10-22 19:30   ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  2020-11-10 20:21   ` Maxim Cournoyer
  1 sibling, 0 replies; 3+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-10-22 19:30 UTC (permalink / raw)
  To: Marius Bakke; +Cc: 44146

[-- Attachment #1: Type: text/plain, Size: 832 bytes --]

Marius,

Marius Bakke 写道:
> The 'freetype' package is vulnerable to CVE-2020-15999.

Oh dear.  'Thanks' for breaking the news.

> I'm busy for a couple of days and won't be able to work on it in 
> time.
> Volunteers wanted!

It feels like it shouldn't work (what with the different .so 
version & all) but I've been unable to break a ghostscript grafted 
to use 2.10.4.

I'm currently reconfiguring my system with it; if it works, I'll 
push it.

Whatever happens, I won't have time to apply the core-updates half 
tonight.

> Forwarding a message from oss-security, we may have to patch 
> Ghostscript
> as well:

I don't know enough about FT/GS's internals to really understand 
what's going on, but being a C(ompile-time) macro, this *could* be 
safe to graft, right?

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* bug#44146: CVE-2020-15999 in FreeType
  2020-10-22 16:48 ` bug#44146: CVE-2020-15999 in FreeType Marius Bakke
  2020-10-22 19:30   ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
@ 2020-11-10 20:21   ` Maxim Cournoyer
  1 sibling, 0 replies; 3+ messages in thread
From: Maxim Cournoyer @ 2020-11-10 20:21 UTC (permalink / raw)
  To: Marius Bakke; +Cc: 44146-done

Hello,

Marius Bakke <marius@gnu.org> writes:

> Hello,
>
> The 'freetype' package is vulnerable to CVE-2020-15999.
>
> According to
> https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
> an exploit already exists in the wild.
>
> I'm busy for a couple of days and won't be able to work on it in time.
> Volunteers wanted!

This was fixed by Tobias in commit
d32b210f282ef74caf9890e1d4ffe8eb04bd64e5.

Closing.

Thank you for the report!

Maxim




^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-11-10 20:22 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <28f1351e-1176-153d-1fc3-6768d807397c@oracle.com>
2020-10-22 16:48 ` bug#44146: CVE-2020-15999 in FreeType Marius Bakke
2020-10-22 19:30   ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-11-10 20:21   ` Maxim Cournoyer

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).