Hello, The 'freetype' package is vulnerable to CVE-2020-15999. According to https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html, an exploit already exists in the wild. I'm busy for a couple of days and won't be able to work on it in time. Volunteers wanted! Forwarding a message from oss-security, we may have to patch Ghostscript as well: -------------------- Start of forwarded message -------------------- To: oss-security@lists.openwall.com Cc: Werner LEMBERG From: Alan Coopersmith Date: Tue, 20 Oct 2020 09:49:31 -0700 Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4 Before making this release, Werner said: > I've just fixed a heap buffer overflow that can happen for some > malformed `.ttf` files with PNG sbit glyphs. It seems that this > vulnerability gets already actively used in the wild, so I ask all > users to apply the corresponding commit as soon as possible. But distros should be warned that 2.10.3 and later may break the build of ghostscript, due to ghostscript's use of a withdrawn macro that wasn't intended for external usage: https://bugs.ghostscript.com/show_bug.cgi?id=702985 https://lists.nongnu.org/archive/html/freetype-devel/2020-10/msg00002.html Ghostscript's fix for that is at: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b -Alan Coopersmith- alan.coopersmith@oracle.com Oracle Solaris Engineering - https://blogs.oracle.com/alanc -------- Forwarded Message -------- Subject: [ft-announce] Announcing FreeType 2.10.4 Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST) From: Werner LEMBERG To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org FreeType 2.10.4 has been released. It is available from http://savannah.nongnu.org/download/freetype/ or http://sourceforge.net/projects/freetype/files/ The latter site also holds older versions of the FreeType library. See below for the relevant snippet from the CHANGES file. Enjoy! Werner PS: Downloads from savannah.nongnu.org will redirect to your nearest mirror site. Files on mirrors may be subject to a replication delay of up to 24 hours. In case of problems use http://download-mirror.savannah.gnu.org/releases/ ---------------------------------------------------------------------- http://www.freetype.org FreeType 2 is a software font engine that is designed to be small, efficient, highly customizable, and portable while capable of producing high-quality output (glyph images) of most vector and bitmap font formats. Note that FreeType 2 is a font service and doesn't provide APIs to perform higher-level features, like text layout or graphics processing (e.g., colored text rendering, `hollowing', etc.). However, it greatly simplifies these tasks by providing a simple, easy to use, and uniform interface to access the content of font files. FreeType 2 is released under two open-source licenses: our own BSD-like FreeType License and the GPL. It can thus be used by any kind of projects, be they proprietary or not. ---------------------------------------------------------------------- CHANGES BETWEEN 2.10.3 and 2.10.4 I. IMPORTANT BUG FIXES - A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999 If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade immediately. _______________________________________________ Freetype-announce mailing list Freetype-announce@nongnu.org https://lists.nongnu.org/mailman/listinfo/freetype-announce -------------------- End of forwarded message --------------------