Hello, The 'freetype' package is vulnerable to CVE-2020-15999. According tohttps://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,an exploit already exists in the wild. I'm busy for a couple of days and won't be able to work on it in time.Volunteers wanted! Forwarding a message from oss-security, we may have to patch Ghostscriptas well: -------------------- Start of forwarded message --------------------To: firstname.lastname@example.orgCc: Werner LEMBERG <email@example.com>From: Alan Coopersmith <firstname.lastname@example.org>Date: Tue, 20 Oct 2020 09:49:31 -0700Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4 Before making this release, Werner said:
Toggle quote (5 lines)> I've just fixed a heap buffer overflow that can happen for some> malformed `.ttf` files with PNG sbit glyphs. It seems that this> vulnerability gets already actively used in the wild, so I ask all> users to apply the corresponding commit as soon as possible.
FreeType 2 is a software font engine that is designed to be small,efficient, highly customizable, and portable while capable ofproducing high-quality output (glyph images) of most vector and bitmapfont formats. Note that FreeType 2 is a font service and doesn't provide APIs toperform higher-level features, like text layout or graphics processing(e.g., colored text rendering, `hollowing', etc.). However, itgreatly simplifies these tasks by providing a simple, easy to use, anduniform interface to access the content of font files. FreeType 2 is released under two open-source licenses: our ownBSD-like FreeType License and the GPL. It can thus be used by anykind of projects, be they proprietary or not.
Toggle quote (2 lines)> The 'freetype' package is vulnerable to CVE-2020-15999.
Oh dear. 'Thanks' for breaking the news.
Toggle quote (4 lines)> I'm busy for a couple of days and won't be able to work on it in > time.> Volunteers wanted!
It feels like it shouldn't work (what with the different .so version & all) but I've been unable to break a ghostscript grafted to use 2.10.4. I'm currently reconfiguring my system with it; if it works, I'll push it. Whatever happens, I won't have time to apply the core-updates half tonight.
Toggle quote (4 lines)> Forwarding a message from oss-security, we may have to patch > Ghostscript> as well:
I don't know enough about FT/GS's internals to really understand what's going on, but being a C(ompile-time) macro, this *could* be safe to graft, right? Kind regards, T G-R
(name . Marius Bakke)(address . email@example.com)(address . firstname.lastname@example.org)
Hello, Marius Bakke <email@example.com> writes:
Toggle quote (11 lines)> Hello,>> The 'freetype' package is vulnerable to CVE-2020-15999.>> According to> https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,> an exploit already exists in the wild.>> I'm busy for a couple of days and won't be able to work on it in time.> Volunteers wanted!
This was fixed by Tobias in commitd32b210f282ef74caf9890e1d4ffe8eb04bd64e5. Closing. Thank you for the report! Maxim