From: Marius Bakke
To: bug-guix@gnu.org
Subject: CVE-2020-15999 in FreeType
References: <28f1351e-1176-153d-1fc3-6768d807397c@oracle.com>
Date: Thu, 22 Oct 2020 18:48:20 +0200
Message-ID: <87y2jyi4vf.fsf@gnu.org>

Hello,

The 'freetype' package is vulnerable to CVE-2020-15999.
According to https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html, an exploit already exists in the wild.

I'm busy for a couple of days and won't be able to work on it in time. Volunteers wanted!

Forwarding a message from oss-security, we may have to patch Ghostscript as well:

-------------------- Start of forwarded message --------------------
To: oss-security@lists.openwall.com
Cc: Werner LEMBERG
From: Alan Coopersmith
Date: Tue, 20 Oct 2020 09:49:31 -0700
Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4

Before making this release, Werner said:

> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs. It seems that this
> vulnerability is already being actively used in the wild, so I ask all
> users to apply the corresponding commit as soon as possible.

But distros should be warned that 2.10.3 and later may break the build of ghostscript, due to ghostscript's use of a withdrawn macro that wasn't intended for external usage:

https://bugs.ghostscript.com/show_bug.cgi?id=702985
https://lists.nongnu.org/archive/html/freetype-devel/2020-10/msg00002.html

Ghostscript's fix for that is at:

https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b

-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc

-------- Forwarded Message --------
Subject: [ft-announce] Announcing FreeType 2.10.4
Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)
From: Werner LEMBERG
To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org

FreeType 2.10.4 has been released. It is available from

  http://savannah.nongnu.org/download/freetype/

or

  http://sourceforge.net/projects/freetype/files/

The latter site also holds older versions of the FreeType library.

See below for the relevant snippet from the CHANGES file.

Enjoy!

    Werner

PS: Downloads from savannah.nongnu.org will redirect to your nearest mirror site.
Files on mirrors may be subject to a replication delay of up to 24 hours. In case of problems use

  http://download-mirror.savannah.gnu.org/releases/

----------------------------------------------------------------------

http://www.freetype.org

FreeType 2 is a software font engine that is designed to be small, efficient, highly customizable, and portable while capable of producing high-quality output (glyph images) of most vector and bitmap font formats.

Note that FreeType 2 is a font service and doesn't provide APIs to perform higher-level features, like text layout or graphics processing (e.g., colored text rendering, `hollowing', etc.). However, it greatly simplifies these tasks by providing a simple, easy to use, and uniform interface to access the content of font files.

FreeType 2 is released under two open-source licenses: our own BSD-like FreeType License and the GPL. It can thus be used by any kind of project, be it proprietary or not.

----------------------------------------------------------------------

CHANGES BETWEEN 2.10.3 and 2.10.4

I. IMPORTANT BUG FIXES

- A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

  If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade immediately.
_______________________________________________
Freetype-announce mailing list
Freetype-announce@nongnu.org
https://lists.nongnu.org/mailman/listinfo/freetype-announce

-------------------- End of forwarded message --------------------
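An added triage helper (not part of this bug report, of FreeType or of Guix) that encodes the two facts the thread gives a package maintainer: the embedded-PNG overflow affects FreeType 2.6 up to but excluding 2.10.4, and only when the build enables FT_CONFIG_OPTION_USE_PNG; separately, FreeType 2.10.3 and later may break the Ghostscript build until Ghostscript carries the fix referenced above. It assumes plain "X.Y" or "X.Y.Z" version strings; the sample builds at the bottom are constructed.

```python
import re
from typing import Tuple

# Thresholds taken from the thread above (assumption: plain "X.Y[.Z]" version strings).
INTRODUCED = (2, 6, 0)      # CHANGES: overflow introduced in FreeType 2.6
FIXED = (2, 10, 4)          # CHANGES: fixed in 2.10.4
GS_BREAK_FROM = (2, 10, 3)  # oss-security: 2.10.3+ may break the Ghostscript build


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'X.Y' or 'X.Y.Z' (optionally with a suffix) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised FreeType version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def cve_2020_15999_affected(version: str, use_png: bool) -> bool:
    """True when this build contains the embedded-PNG (sbit) heap overflow.

    The vulnerable code is only compiled in with FT_CONFIG_OPTION_USE_PNG,
    so a build without libpng support is not exposed even in 2.6..2.10.3.
    """
    return use_png and INTRODUCED <= parse_version(version) < FIXED


def ghostscript_build_at_risk(version: str, gs_fix_applied: bool) -> bool:
    """True when upgrading to this FreeType may break the Ghostscript package
    unless Ghostscript already carries the fix linked in the forwarded message."""
    return parse_version(version) >= GS_BREAK_FROM and not gs_fix_applied


def triage(version: str, use_png: bool, gs_fix_applied: bool = False) -> dict:
    """One verdict per build, the way a distro maintainer would tabulate it."""
    return {
        "version": ".".join(map(str, parse_version(version))),
        "cve_2020_15999": cve_2020_15999_affected(version, use_png),
        "ghostscript_build_at_risk": ghostscript_build_at_risk(version, gs_fix_applied),
    }


if __name__ == "__main__":
    # Constructed sample builds: a pre-fix release with PNG support, the same
    # release without it, and the fixed release before/after the Ghostscript fix.
    for args in (("2.10.1", True), ("2.10.1", False), ("2.10.4", True), ("2.10.4", True, True)):
        print(triage(*args))
```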