CVE-2020-15999 in FreeType

DoneSubmitted by Marius Bakke.
Details
4 participants
  • Ludovic Courtès
  • Marius Bakke
  • Maxim Cournoyer
  • Tobias Geerinckx-Rice
Owner
unassigned
Severity
normal
M
M
Marius Bakke wrote on 22 Oct 2020 18:48
(address . bug-guix@gnu.org)
87y2jyi4vf.fsf@gnu.org
Hello,
The 'freetype' package is vulnerable to CVE-2020-15999.
According tohttps://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,an exploit already exists in the wild.
I'm busy for a couple of days and won't be able to work on it in time.Volunteers wanted!
Forwarding a message from oss-security, we may have to patch Ghostscriptas well:
-------------------- Start of forwarded message --------------------To: oss-security@lists.openwall.comCc: Werner LEMBERG <wl@gnu.org>From: Alan Coopersmith <alan.coopersmith@oracle.com>Date: Tue, 20 Oct 2020 09:49:31 -0700Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4
Before making this release, Werner said:
Toggle quote (5 lines)> I've just fixed a heap buffer overflow that can happen for some> malformed `.ttf` files with PNG sbit glyphs. It seems that this> vulnerability gets already actively used in the wild, so I ask all> users to apply the corresponding commit as soon as possible.
But distros should be warned that 2.10.3 and later may break the buildof ghostscript, due to ghostscript's use of a withdrawn macro thatwasn't intended for external usage:
https://bugs.ghostscript.com/show_bug.cgi?id=702985https://lists.nongnu.org/archive/html/freetype-devel/2020-10/msg00002.html
Ghostscript's fix for that is at:https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b
-Alan Coopersmith- alan.coopersmith@oracle.com Oracle Solaris Engineering - https://blogs.oracle.com/alanc
-------- Forwarded Message --------Subject: [ft-announce] Announcing FreeType 2.10.4Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)From: Werner LEMBERG <wl@gnu.org>To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org

FreeType 2.10.4 has been released.
It is available from
http://savannah.nongnu.org/download/freetype/
or
http://sourceforge.net/projects/freetype/files/
The latter site also holds older versions of the FreeType library.
See below for the relevant snippet from the CHANGES file.
Enjoy!

Werner

PS: Downloads from savannah.nongnu.org will redirect to your nearest mirror site. Files on mirrors may be subject to a replication delay of up to 24 hours. In case of problems use http://download-mirror.savannah.gnu.org/releases/

----------------------------------------------------------------------

http://www.freetype.org

FreeType 2 is a software font engine that is designed to be small,efficient, highly customizable, and portable while capable ofproducing high-quality output (glyph images) of most vector and bitmapfont formats.
Note that FreeType 2 is a font service and doesn't provide APIs toperform higher-level features, like text layout or graphics processing(e.g., colored text rendering, `hollowing', etc.). However, itgreatly simplifies these tasks by providing a simple, easy to use, anduniform interface to access the content of font files.
FreeType 2 is released under two open-source licenses: our ownBSD-like FreeType License and the GPL. It can thus be used by anykind of projects, be they proprietary or not.

----------------------------------------------------------------------

CHANGES BETWEEN 2.10.3 and 2.10.4
I. IMPORTANT BUG FIXES
- A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade immediately.
_______________________________________________Freetype-announce mailing listFreetype-announce@nongnu.orghttps://lists.nongnu.org/mailman/listinfo/freetype-announce
-------------------- End of forwarded message --------------------
-----BEGIN PGP SIGNATURE-----
iQFDBAEBCgAtFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl+Rt9QPHG1hcml1c0BnbnUub3JnAAoJEKKgbfKjOlT6YwAIALlu6NLnR6wZ+Cgz4Ny/kuzGl5HLFIsMBiaTT3/wgqgPXNJ/N/efrNALjgJ0WRXf3BgqgYmsqLkzBpqB7LnEC13Z37sLerf1pMHxY1pcCISwMwnBnY1iVPRBopaZWhqFW1mlbB2RozW8kHeRYu3FHhRi27gTEFwKX1tthXZWLb7jD383VxLkubVaG+odgZfR1gk5fbkaj1fSEjm1DTgwfFX7X5hKPv+mc/jQUk5peC1kg7omeAhVPi3ApE3y/1yoD0CeHKyLeBGGIr0FsUOOh7CVWmwibA4bdRP6a4N5uKBrdRDTcW6+cZQ3Uxf0kK9bUuKW5lxp8B4NwExEdT9LLCI==HKh+-----END PGP SIGNATURE-----
T
T
Tobias Geerinckx-Rice wrote on 22 Oct 2020 21:30
(name . Marius Bakke)(address . marius@gnu.org)
874kmmawix.fsf@nckx
Marius,
Marius Bakke 写道:
Toggle quote (2 lines)> The 'freetype' package is vulnerable to CVE-2020-15999.
Oh dear. 'Thanks' for breaking the news.
Toggle quote (4 lines)> I'm busy for a couple of days and won't be able to work on it in > time.> Volunteers wanted!
It feels like it shouldn't work (what with the different .so version & all) but I've been unable to break a ghostscript grafted to use 2.10.4.
I'm currently reconfiguring my system with it; if it works, I'll push it.
Whatever happens, I won't have time to apply the core-updates half tonight.
Toggle quote (4 lines)> Forwarding a message from oss-security, we may have to patch > Ghostscript> as well:
I don't know enough about FT/GS's internals to really understand what's going on, but being a C(ompile-time) macro, this *could* be safe to graft, right?
Kind regards,
T G-R
-----BEGIN PGP SIGNATURE-----
iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCX5Hd1g0cbWVAdG9iaWFzLmdyAAoJEA2w/4hPVW15RIcBAO3/Uo4C+Y26XZIPoqvmrk5zoKt5A7AXlMxdHHEnp4dfAQDz+IpiqE1SS9+juAG66I8l2zuIpEyuWeLTgX/TikNtBQ===93kl-----END PGP SIGNATURE-----
L
L
Ludovic Courtès wrote on 31 Oct 2020 23:20
control message for bug #44146
(address . control@debbugs.gnu.org)
87a6w2rqar.fsf@gnu.org
tags 44146 + securityquit
M
M
Maxim Cournoyer wrote on 10 Nov 2020 21:21
Re: bug#44146: CVE-2020-15999 in FreeType
(name . Marius Bakke)(address . marius@gnu.org)(address . 44146-done@debbugs.gnu.org)
874klxgdyr.fsf@gmail.com
Hello,
Marius Bakke <marius@gnu.org> writes:
Toggle quote (11 lines)> Hello,>> The 'freetype' package is vulnerable to CVE-2020-15999.>> According to> https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,> an exploit already exists in the wild.>> I'm busy for a couple of days and won't be able to work on it in time.> Volunteers wanted!
This was fixed by Tobias in commitd32b210f282ef74caf9890e1d4ffe8eb04bd64e5.
Closing.
Thank you for the report!
Maxim
Closed
?