From: Marius Bakke
To: 44146@debbugs.gnu.org
Cc: bug-guix@gnu.org
Subject: bug#44146: CVE-2020-15999 in FreeType
Date: Thu, 22 Oct 2020 18:48:20 +0200
Message-ID: <87y2jyi4vf.fsf@gnu.org>
References: <28f1351e-1176-153d-1fc3-6768d807397c@oracle.com>
Hello,

The 'freetype' package is vulnerable to CVE-2020-15999. According to
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
an exploit already exists in the wild.

I'm busy for a couple of days and won't be able to work on it in time.
Volunteers wanted!

Forwarding a message from oss-security, we may have to patch Ghostscript
as well:

-------------------- Start of forwarded message --------------------
To: oss-security@lists.openwall.com
Cc: Werner LEMBERG
From: Alan Coopersmith
Date: Tue, 20 Oct 2020 09:49:31 -0700
Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4

Before making this release, Werner said:

> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs. It seems that this
> vulnerability gets already actively used in the wild, so I ask all
> users to apply the corresponding commit as soon as possible.

But distros should be warned that 2.10.3 and later may break the build
of ghostscript, due to ghostscript's use of a withdrawn macro that
wasn't intended for external usage:

https://bugs.ghostscript.com/show_bug.cgi?id=702985
https://lists.nongnu.org/archive/html/freetype-devel/2020-10/msg00002.html

Ghostscript's fix for that is at:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b

-Alan Coopersmith-               alan.coopersmith@oracle.com
 Oracle Solaris Engineering - https://blogs.oracle.com/alanc

-------- Forwarded Message --------
Subject: [ft-announce] Announcing FreeType 2.10.4
Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)
From: Werner LEMBERG
To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org

FreeType 2.10.4 has been released.
It is available from

  http://savannah.nongnu.org/download/freetype/

or

  http://sourceforge.net/projects/freetype/files/

The latter site also holds older versions of the FreeType library.

See below for the relevant snippet from the CHANGES file.

Enjoy!

    Werner

PS: Downloads from savannah.nongnu.org will redirect to your nearest
    mirror site. Files on mirrors may be subject to a replication
    delay of up to 24 hours. In case of problems use

      http://download-mirror.savannah.gnu.org/releases/

----------------------------------------------------------------------

http://www.freetype.org

FreeType 2 is a software font engine that is designed to be small,
efficient, highly customizable, and portable while capable of
producing high-quality output (glyph images) of most vector and bitmap
font formats.

Note that FreeType 2 is a font service and doesn't provide APIs to
perform higher-level features, like text layout or graphics processing
(e.g., colored text rendering, `hollowing', etc.). However, it greatly
simplifies these tasks by providing a simple, easy to use, and uniform
interface to access the content of font files.

FreeType 2 is released under two open-source licenses: our own BSD-like
FreeType License and the GPL. It can thus be used by any kind of
projects, be they proprietary or not.

----------------------------------------------------------------------

CHANGES BETWEEN 2.10.3 and 2.10.4

  I. IMPORTANT BUG FIXES

    - A heap buffer overflow has been found in the handling of embedded
      PNG bitmaps, introduced in FreeType version 2.6.

        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

      If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade
      immediately.
_______________________________________________
Freetype-announce mailing list
Freetype-announce@nongnu.org
https://lists.nongnu.org/mailman/listinfo/freetype-announce

-------------------- End of forwarded message --------------------
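The announcement above says only that the overflow is in the handling of embedded PNG bitmaps in sbit glyphs. The following C program is an added illustration by the editor, not FreeType's source and not part of this bug report, and it encodes the editor's understanding of the bug class rather than anything the report states: a loader that narrows the 32-bit PNG IHDR width/height into 16-bit glyph metrics, sizes the heap buffer from the narrowed values, and then lets the decoder write the full-size image; beside it, a hardened loader that compares the unnarrowed IHDR values with the glyph record before allocating anything. All names (SbitMetrics, load_sbit_png_unsafe, load_sbit_png_hardened, the 24-byte constructed PNG prefix) are the example's own, and the unsafe path reports the size mismatch instead of performing the out-of-bounds write so it can be run safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an sbit glyph record: 16-bit bitmap dimensions,
 * narrower than the 32-bit width/height a PNG IHDR carries. */
typedef struct { uint16_t width; uint16_t height; } SbitMetrics;

static const uint8_t PNG_SIG[8] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };

/* Big-endian 32-bit read, the byte order PNG uses for IHDR fields. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Build a constructed 24-byte PNG prefix: signature, IHDR length, "IHDR",
 * width, height. Enough for parse_ihdr below; deliberately not a full PNG. */
static void make_png_prefix(uint8_t out[24], uint32_t w, uint32_t h)
{
    memcpy(out, PNG_SIG, 8);
    out[8] = 0; out[9] = 0; out[10] = 0; out[11] = 13;   /* IHDR data length */
    memcpy(out + 12, "IHDR", 4);
    for (int i = 0; i < 4; i++) {
        out[16 + i] = (uint8_t)(w >> (24 - 8 * i));
        out[20 + i] = (uint8_t)(h >> (24 - 8 * i));
    }
}

/* Extract the 32-bit IHDR dimensions; 0 on success, -1 on malformed input. */
static int parse_ihdr(const uint8_t *png, size_t len, uint32_t *w, uint32_t *h)
{
    if (len < 24 || memcmp(png, PNG_SIG, 8) != 0 || memcmp(png + 12, "IHDR", 4) != 0)
        return -1;
    *w = be32(png + 16);
    *h = be32(png + 20);
    return 0;
}

/* Bug pattern (illustration only): IHDR values are narrowed into the 16-bit
 * metrics, the buffer is sized from the narrowed values, and the decoder is
 * driven by the original 32-bit values. Reports both sizes instead of writing. */
static int load_sbit_png_unsafe(const uint8_t *png, size_t len, SbitMetrics *m,
                                size_t *alloc_bytes, size_t *decoded_bytes)
{
    uint32_t w, h;
    if (parse_ihdr(png, len, &w, &h) != 0)
        return -1;
    m->width  = (uint16_t)w;                         /* 0x10001 silently becomes 1 */
    m->height = (uint16_t)h;
    *alloc_bytes   = (size_t)m->width * m->height;   /* what malloc would receive */
    *decoded_bytes = (size_t)w * h;                  /* what the decoder would write */
    return 0;
}

/* One-byte-per-pixel "decoder" driven by the 32-bit dimensions, as a real PNG
 * decoder is. Only ever called after the hardened check below. */
static void decode_rows(uint8_t *buf, uint32_t w, uint32_t h)
{
    for (uint32_t y = 0; y < h; y++)
        for (uint32_t x = 0; x < w; x++)
            buf[(size_t)y * w + x] = 0xff;
}

/* Hardened variant: compare the unnarrowed IHDR dimensions with the glyph
 * record before any allocation. 0 ok, -1 malformed, -2 mismatch, -3 no memory. */
static int load_sbit_png_hardened(const uint8_t *png, size_t len,
                                  const SbitMetrics *expected,
                                  uint8_t **out, size_t *out_len)
{
    uint32_t w, h;
    if (parse_ihdr(png, len, &w, &h) != 0)
        return -1;
    if (w != expected->width || h != expected->height)
        return -2;                       /* reject before touching the heap */
    size_t n = (size_t)w * h;            /* both <= 0xFFFF here, cannot overflow */
    uint8_t *buf = malloc(n ? n : 1);
    if (buf == NULL)
        return -3;
    decode_rows(buf, w, h);              /* provably fits the allocation */
    *out = buf;
    *out_len = n;
    return 0;
}

/* Bytes the decoder would write past the undersized buffer for a constructed 65537x1 image. */
static long demo_truncation_gap(void)
{
    uint8_t png[24]; SbitMetrics m; size_t alloc_bytes, decoded_bytes;
    make_png_prefix(png, 0x10001u, 1u);
    if (load_sbit_png_unsafe(png, sizeof png, &m, &alloc_bytes, &decoded_bytes) != 0)
        return -1;
    return (long)(decoded_bytes - alloc_bytes);
}

/* The hardened loader's verdict on that image when the glyph record says 1x1. */
static int demo_hardened_rejects(void)
{
    uint8_t png[24]; SbitMetrics expected = { 1, 1 }; uint8_t *out = NULL; size_t n = 0;
    make_png_prefix(png, 0x10001u, 1u);
    int rc = load_sbit_png_hardened(png, sizeof png, &expected, &out, &n);
    free(out);
    return rc;
}

/* Bytes decoded for a well-formed 4x4 glyph whose record matches. */
static long demo_hardened_accepts(void)
{
    uint8_t png[24]; SbitMetrics expected = { 4, 4 }; uint8_t *out = NULL; size_t n = 0;
    make_png_prefix(png, 4u, 4u);
    if (load_sbit_png_hardened(png, sizeof png, &expected, &out, &n) != 0)
        return -1;
    long last = out[n - 1];
    free(out);
    return last == 0xff ? (long)n : -2;
}

int main(void)
{
    printf("unsafe path: decoder would write %ld bytes past the buffer\n", demo_truncation_gap());
    printf("hardened path: crafted image rc=%d, well-formed image decoded %ld bytes\n",
           demo_hardened_rejects(), demo_hardened_accepts());
    return 0;
}
```

The practical takeaway for a packager is the same one the announcement draws: the check belongs before the narrowing and the allocation, so upgrading to 2.10.4 (or applying the referenced commit) is the fix, and builds without FT_CONFIG_OPTION_USE_PNG never reach this code path.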