CVE-2020-15999 in FreeType

Done. Submitted by Marius Bakke.
4 participants
  • Ludovic Courtès
  • Marius Bakke
  • Maxim Cournoyer
  • Tobias Geerinckx-Rice
Marius Bakke wrote on 22 Oct 2020 18:48
The 'freetype' package is vulnerable to CVE-2020-15999.
According to, an exploit already exists in the wild.
I'm busy for a couple of days and won't be able to work on it in time. Volunteers wanted!
Forwarding a message from oss-security, we may have to patch Ghostscript as well:
-------------------- Start of forwarded message --------------------
To: oss-security@lists.openwall.com
Cc: Werner LEMBERG <>
From: Alan Coopersmith <>
Date: Tue, 20 Oct 2020 09:49:31 -0700
Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4
Before making this release, Werner said:
> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs. It seems that this
> vulnerability gets already actively used in the wild, so I ask all
> users to apply the corresponding commit as soon as possible.
But distros should be warned that 2.10.3 and later may break the build of ghostscript, due to ghostscript's use of a withdrawn macro that wasn't intended for external usage:
Ghostscript's fix for that is at:;a=commitdiff;h=41ef9a0bc36b
-Alan Coopersmith- Oracle Solaris Engineering -
-------- Forwarded Message --------
Subject: [ft-announce] Announcing FreeType 2.10.4
Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)
From: Werner LEMBERG <>
To:,,

FreeType 2.10.4 has been released.
It is available from
The latter site also holds older versions of the FreeType library.
See below for the relevant snippet from the CHANGES file.


PS: Downloads from will redirect to your nearest mirror site. Files on mirrors may be subject to a replication delay of up to 24 hours. In case of problems use


FreeType 2 is a software font engine that is designed to be small, efficient, highly customizable, and portable while capable of producing high-quality output (glyph images) of most vector and bitmap font formats.
Note that FreeType 2 is a font service and doesn't provide APIs to perform higher-level features, like text layout or graphics processing (e.g., colored text rendering, `hollowing', etc.). However, it greatly simplifies these tasks by providing a simple, easy to use, and uniform interface to access the content of font files.
FreeType 2 is released under two open-source licenses: our own BSD-like FreeType License and the GPL. It can thus be used by any kind of projects, be they proprietary or not.


CHANGES BETWEEN 2.10.3 and 2.10.4
- A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6.
If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade immediately.
_______________________________________________
Freetype-announce mailing list
Freetype-announce@nongnu.org
-------------------- End of forwarded message --------------------
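The CHANGES snippet above gives a defender two things to check on any FreeType build: whether its version falls in the affected range (introduced in 2.6, fixed in 2.10.4) and whether FT_CONFIG_OPTION_USE_PNG is actually compiled in, since a build without PNG sbit support is not exposed to this bug. The POSIX shell script below is an added example written for this page, not code from the bug thread or from the FreeType or Guix projects; the helper names `freetype_affected` and `ft_png_enabled` are my own, and the sample `ftoption.h` lines it writes to a temporary file are constructed for demonstration.

```shell
#!/bin/sh
# Added example: inventory checks for CVE-2020-15999 (heap buffer overflow in
# FreeType's embedded PNG bitmap handling). Helper names are hypothetical.

# freetype_affected VERSION
# Succeeds (exit 0) when VERSION lies in the affected range 2.6 <= v < 2.10.4,
# i.e. the range stated in the FreeType 2.10.4 CHANGES entry.
freetype_affected() {
  v="$1"
  # Split "major.minor.patch" on dots; a missing component counts as 0,
  # and a trailing suffix such as "-1" on the patch level is ignored.
  set -- $(printf '%s' "$v" | tr '.' ' ')
  major=${1:-0}
  minor=${2:-0}
  patch=${3:-0}
  patch=${patch%%[!0-9]*}
  patch=${patch:-0}
  # Fold the three components into one comparable integer.
  n=$((major * 1000000 + minor * 1000 + patch))
  lo=$((2 * 1000000 + 6 * 1000 + 0))       # 2.6.0: bug introduced
  fixed=$((2 * 1000000 + 10 * 1000 + 4))   # 2.10.4: bug fixed
  [ "$n" -ge "$lo" ] && [ "$n" -lt "$fixed" ]
}

# ft_png_enabled FTOPTION_H
# Succeeds when the given ftoption.h carries an active (uncommented)
# "#define FT_CONFIG_OPTION_USE_PNG". The stock header ships the define
# wrapped in a C comment; builds with PNG support uncomment it.
ft_png_enabled() {
  grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+FT_CONFIG_OPTION_USE_PNG([[:space:]]|$)' "$1"
}

# report VERSION FTOPTION_H
# Prints a one-line verdict combining both checks.
report() {
  if freetype_affected "$1"; then
    if ft_png_enabled "$2"; then
      echo "FreeType $1: AFFECTED (version in range, PNG sbit support enabled)"
    else
      echo "FreeType $1: version in range but FT_CONFIG_OPTION_USE_PNG is off"
    fi
  else
    echo "FreeType $1: not in the affected range"
  fi
}

# Demonstration on constructed input (not a real installation).
sample=$(mktemp)
printf '/* #define FT_CONFIG_OPTION_USE_PNG */\n' > "$sample"   # stock default
report 2.10.3 "$sample"
printf '#define FT_CONFIG_OPTION_USE_PNG\n' > "$sample"         # distro-enabled
report 2.10.3 "$sample"
report 2.10.4 "$sample"
rm -f "$sample"
```

On a live system the version argument would come from `pkg-config --modversion freetype2` and the header from the installed `freetype2/freetype/config/ftoption.h`. Note that on Guix a grafted package still reports the original version in its store path, so the version check should be run against the replacement library actually loaded, not the package name.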
Tobias Geerinckx-Rice wrote on 22 Oct 2020 21:30
Marius Bakke wrote:
> The 'freetype' package is vulnerable to CVE-2020-15999.
Oh dear. 'Thanks' for breaking the news.
> I'm busy for a couple of days and won't be able to work on it in
> time.
> Volunteers wanted!
It feels like it shouldn't work (what with the different .so version & all) but I've been unable to break a ghostscript grafted to use 2.10.4.
I'm currently reconfiguring my system with it; if it works, I'll push it.
Whatever happens, I won't have time to apply the core-updates half tonight.
> Forwarding a message from oss-security, we may have to patch
> Ghostscript
> as well:
I don't know enough about FT/GS's internals to really understand what's going on, but being a C(ompile-time) macro, this *could* be safe to graft, right?
Kind regards,
Ludovic Courtès wrote on 31 Oct 2020 23:20
control message for bug #44146
tags 44146 + security
quit
Maxim Cournoyer wrote on 10 Nov 2020 21:21
Re: bug#44146: CVE-2020-15999 in FreeType
Marius Bakke <> writes:
> Hello,
>
> The 'freetype' package is vulnerable to CVE-2020-15999.
>
> According to
> ,
> an exploit already exists in the wild.
>
> I'm busy for a couple of days and won't be able to work on it in time.
> Volunteers wanted!
This was fixed by Tobias in commit d32b210f282ef74caf9890e1d4ffe8eb04bd64e5.
Thank you for the report!