bug#44146: CVE-2020-15999 in FreeType

bug#44146: CVE-2020-15999 in FreeType

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 3870 bytes --]

Hello,

The 'freetype' package is vulnerable to CVE-2020-15999.

According to
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
an exploit already exists in the wild.

I'm busy for a couple of days and won't be able to work on it in time.
Volunteers wanted!

Forwarding a message from oss-security, we may have to patch Ghostscript
as well:

-------------------- Start of forwarded message --------------------
To: oss-security@lists.openwall.com
Cc: Werner LEMBERG <wl@gnu.org>
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue, 20 Oct 2020 09:49:31 -0700
Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4

Before making this release, Werner said:

> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs.  It seems that this
> vulnerability gets already actively used in the wild, so I ask all
> users to apply the corresponding commit as soon as possible.

But distros should be warned that 2.10.3 and later may break the build
of ghostscript, due to ghostscript's use of a withdrawn macro that
wasn't intended for external usage:

https://bugs.ghostscript.com/show_bug.cgi?id=702985
https://lists.nongnu.org/archive/html/freetype-devel/2020-10/msg00002.html

Ghostscript's fix for that is at:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b

	-Alan Coopersmith-               alan.coopersmith@oracle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc

-------- Forwarded Message --------
Subject: [ft-announce] Announcing FreeType 2.10.4
Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)
From: Werner LEMBERG <wl@gnu.org>
To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org


FreeType 2.10.4 has been released.

It is available from

     http://savannah.nongnu.org/download/freetype/

or

     http://sourceforge.net/projects/freetype/files/

The latter site also holds older versions of the FreeType library.

See below for the relevant snippet from the CHANGES file.

Enjoy!


    Werner


PS: Downloads from  savannah.nongnu.org  will redirect to your nearest
     mirror site.   Files on  mirrors may  be subject to  a replication
     delay   of   up   to   24   hours.   In   case   of  problems  use
     http://download-mirror.savannah.gnu.org/releases/


----------------------------------------------------------------------


http://www.freetype.org


FreeType 2  is a software  font engine that  is designed to  be small,
efficient,  highly   customizable,  and  portable   while  capable  of
producing high-quality output (glyph images) of most vector and bitmap
font formats.

Note that  FreeType 2 is  a font service  and doesn't provide  APIs to
perform higher-level features, like text layout or graphics processing
(e.g.,  colored  text  rendering,  `hollowing',  etc.).   However,  it
greatly simplifies these tasks by providing a simple, easy to use, and
uniform interface to access the content of font files.

FreeType  2  is  released  under  two open-source  licenses:  our  own
BSD-like FreeType  License and the  GPL.  It can  thus be used  by any
kind of projects, be they proprietary or not.


----------------------------------------------------------------------


CHANGES BETWEEN 2.10.3 and 2.10.4

   I. IMPORTANT BUG FIXES

   - A heap buffer overflow has been found  in the handling of embedded
     PNG bitmaps, introduced in FreeType version 2.6.

       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

     If you  use option  FT_CONFIG_OPTION_USE_PNG  you  should  upgrade
     immediately.

_______________________________________________
Freetype-announce mailing list
Freetype-announce@nongnu.org
https://lists.nongnu.org/mailman/listinfo/freetype-announce

-------------------- End of forwarded message --------------------

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]

bug#44146: CVE-2020-15999 in FreeType

[Tobias Geerinckx-Rice via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 832 bytes --]

Marius,

Marius Bakke 写道：
> The 'freetype' package is vulnerable to CVE-2020-15999.

Oh dear.  'Thanks' for breaking the news.

> I'm busy for a couple of days and won't be able to work on it in 
> time.
> Volunteers wanted!

It feels like it shouldn't work (what with the different .so 
version & all) but I've been unable to break a ghostscript grafted 
to use 2.10.4.

I'm currently reconfiguring my system with it; if it works, I'll 
push it.

Whatever happens, I won't have time to apply the core-updates half 
tonight.

> Forwarding a message from oss-security, we may have to patch 
> Ghostscript
> as well:

I don't know enough about FT/GS's internals to really understand 
what's going on, but being a C(ompile-time) macro, this *could* be 
safe to graft, right?

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]

bug#44146: CVE-2020-15999 in FreeType

[Maxim Cournoyer]

Hello,

Marius Bakke <marius@gnu.org> writes:

> Hello,
>
> The 'freetype' package is vulnerable to CVE-2020-15999.
>
> According to
> https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
> an exploit already exists in the wild.
>
> I'm busy for a couple of days and won't be able to work on it in time.
> Volunteers wanted!

This was fixed by Tobias in commit
d32b210f282ef74caf9890e1d4ffe8eb04bd64e5.

Closing.

Thank you for the report!

Maxim