From: Marius Bakke <marius@gnu.org>
To: 44146@debbugs.gnu.org
Subject: bug#44146: CVE-2020-15999 in FreeType
Date: Thu, 22 Oct 2020 18:48:20 +0200 [thread overview]
Message-ID: <87y2jyi4vf.fsf@gnu.org> (raw)
In-Reply-To: 28f1351e-1176-153d-1fc3-6768d807397c@oracle.com
[-- Attachment #1: Type: text/plain, Size: 3870 bytes --]
Hello,
The 'freetype' package is vulnerable to CVE-2020-15999.
According to
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
an exploit already exists in the wild.
I'm busy for a couple of days and won't be able to work on it in time.
Volunteers wanted!
Forwarding a message from oss-security, we may have to patch Ghostscript
as well:
-------------------- Start of forwarded message --------------------
To: oss-security@lists.openwall.com
Cc: Werner LEMBERG <wl@gnu.org>
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue, 20 Oct 2020 09:49:31 -0700
Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4
Before making this release, Werner said:
> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs. It seems that this
> vulnerability gets already actively used in the wild, so I ask all
> users to apply the corresponding commit as soon as possible.
But distros should be warned that 2.10.3 and later may break the build
of ghostscript, due to ghostscript's use of a withdrawn macro that
wasn't intended for external usage:
https://bugs.ghostscript.com/show_bug.cgi?id=702985
https://lists.nongnu.org/archive/html/freetype-devel/2020-10/msg00002.html
Ghostscript's fix for that is at:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc
-------- Forwarded Message --------
Subject: [ft-announce] Announcing FreeType 2.10.4
Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)
From: Werner LEMBERG <wl@gnu.org>
To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org
FreeType 2.10.4 has been released.
It is available from
http://savannah.nongnu.org/download/freetype/
or
http://sourceforge.net/projects/freetype/files/
The latter site also holds older versions of the FreeType library.
See below for the relevant snippet from the CHANGES file.
Enjoy!
Werner
PS: Downloads from savannah.nongnu.org will redirect to your nearest
mirror site. Files on mirrors may be subject to a replication
delay of up to 24 hours. In case of problems use
http://download-mirror.savannah.gnu.org/releases/
----------------------------------------------------------------------
http://www.freetype.org
FreeType 2 is a software font engine that is designed to be small,
efficient, highly customizable, and portable while capable of
producing high-quality output (glyph images) of most vector and bitmap
font formats.
Note that FreeType 2 is a font service and doesn't provide APIs to
perform higher-level features, like text layout or graphics processing
(e.g., colored text rendering, `hollowing', etc.). However, it
greatly simplifies these tasks by providing a simple, easy to use, and
uniform interface to access the content of font files.
FreeType 2 is released under two open-source licenses: our own
BSD-like FreeType License and the GPL. It can thus be used by any
kind of projects, be they proprietary or not.
----------------------------------------------------------------------
CHANGES BETWEEN 2.10.3 and 2.10.4
I. IMPORTANT BUG FIXES
- A heap buffer overflow has been found in the handling of embedded
PNG bitmaps, introduced in FreeType version 2.6.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade
immediately.
_______________________________________________
Freetype-announce mailing list
Freetype-announce@nongnu.org
https://lists.nongnu.org/mailman/listinfo/freetype-announce
-------------------- End of forwarded message --------------------
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]
next parent reply other threads:[~2020-10-22 16:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <28f1351e-1176-153d-1fc3-6768d807397c@oracle.com>
2020-10-22 16:48 ` Marius Bakke [this message]
2020-10-22 19:30 ` bug#44146: CVE-2020-15999 in FreeType Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-11-10 20:21 ` Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y2jyi4vf.fsf@gnu.org \
--to=marius@gnu.org \
--cc=44146@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).