From: Tobias Geerinckx-Rice via Bug reports for GNU Guix
To: Marius Bakke
Cc: 44146@debbugs.gnu.org
Subject: bug#44146: CVE-2020-15999 in FreeType
Date: Thu, 22 Oct 2020 21:30:30 +0200
Message-ID: <874kmmawix.fsf@nckx>
In-Reply-To: <87y2jyi4vf.fsf@gnu.org>
References: <28f1351e-1176-153d-1fc3-6768d807397c@oracle.com> <87y2jyi4vf.fsf@gnu.org>

Marius,

Marius Bakke writes:
> The 'freetype' package is vulnerable to CVE-2020-15999.

Oh dear. 'Thanks' for breaking the news.

> I'm busy for a couple of days and won't be able to work on it in time.
> Volunteers wanted!

It feels like it shouldn't work (what with the different .so version & all) but I've been unable to break a ghostscript grafted to use 2.10.4.

I'm currently reconfiguring my system with it; if it works, I'll push it.

Whatever happens, I won't have time to apply the core-updates half tonight.

> Forwarding a message from oss-security, we may have to patch Ghostscript
> as well:

I don't know enough about FT/GS's internals to really understand what's going on, but being a C(ompile-time) macro, this *could* be safe to graft, right?

Kind regards,

T G-R