Report forwarded
to bug-guix@gnu.org: bug#44146; Package guix.
(Thu, 22 Oct 2020 16:49:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Marius Bakke <marius@gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org.
(Thu, 22 Oct 2020 16:49:02 GMT) (full text, mbox, link).
Hello,
The 'freetype' package is vulnerable to CVE-2020-15999.
According to
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
an exploit already exists in the wild.
I'm busy for a couple of days and won't be able to work on it in time.
Volunteers wanted!
Forwarding a message from oss-security, we may have to patch Ghostscript
as well:
-------------------- Start of forwarded message --------------------
To: oss-security@lists.openwall.com
Cc: Werner LEMBERG <wl@gnu.org>
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue, 20 Oct 2020 09:49:31 -0700
Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4
Before making this release, Werner said:
> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs. It seems that this
> vulnerability gets already actively used in the wild, so I ask all
> users to apply the corresponding commit as soon as possible.
But distros should be warned that 2.10.3 and later may break the build
of ghostscript, due to ghostscript's use of a withdrawn macro that
wasn't intended for external usage:
https://bugs.ghostscript.com/show_bug.cgi?id=702985https://lists.nongnu.org/archive/html/freetype-devel/2020-10/msg00002.html
Ghostscript's fix for that is at:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc
-------- Forwarded Message --------
Subject: [ft-announce] Announcing FreeType 2.10.4
Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)
From: Werner LEMBERG <wl@gnu.org>
To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org
FreeType 2.10.4 has been released.
It is available from
http://savannah.nongnu.org/download/freetype/
or
http://sourceforge.net/projects/freetype/files/
The latter site also holds older versions of the FreeType library.
See below for the relevant snippet from the CHANGES file.
Enjoy!
Werner
PS: Downloads from savannah.nongnu.org will redirect to your nearest
mirror site. Files on mirrors may be subject to a replication
delay of up to 24 hours. In case of problems use
http://download-mirror.savannah.gnu.org/releases/
----------------------------------------------------------------------
http://www.freetype.org
FreeType 2 is a software font engine that is designed to be small,
efficient, highly customizable, and portable while capable of
producing high-quality output (glyph images) of most vector and bitmap
font formats.
Note that FreeType 2 is a font service and doesn't provide APIs to
perform higher-level features, like text layout or graphics processing
(e.g., colored text rendering, `hollowing', etc.). However, it
greatly simplifies these tasks by providing a simple, easy to use, and
uniform interface to access the content of font files.
FreeType 2 is released under two open-source licenses: our own
BSD-like FreeType License and the GPL. It can thus be used by any
kind of projects, be they proprietary or not.
----------------------------------------------------------------------
CHANGES BETWEEN 2.10.3 and 2.10.4
I. IMPORTANT BUG FIXES
- A heap buffer overflow has been found in the handling of embedded
PNG bitmaps, introduced in FreeType version 2.6.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade
immediately.
_______________________________________________
Freetype-announce mailing list
Freetype-announce@nongnu.org
https://lists.nongnu.org/mailman/listinfo/freetype-announce
-------------------- End of forwarded message --------------------
Marius,
Marius Bakke 写道:
> The 'freetype' package is vulnerable to CVE-2020-15999.
Oh dear. 'Thanks' for breaking the news.
> I'm busy for a couple of days and won't be able to work on it in
> time.
> Volunteers wanted!
It feels like it shouldn't work (what with the different .so
version & all) but I've been unable to break a ghostscript grafted
to use 2.10.4.
I'm currently reconfiguring my system with it; if it works, I'll
push it.
Whatever happens, I won't have time to apply the core-updates half
tonight.
> Forwarding a message from oss-security, we may have to patch
> Ghostscript
> as well:
I don't know enough about FT/GS's internals to really understand
what's going on, but being a C(ompile-time) macro, this *could* be
safe to graft, right?
Kind regards,
T G-R
Subject: Re: bug#44146: CVE-2020-15999 in FreeType
Date: Tue, 10 Nov 2020 15:21:32 -0500
Hello,
Marius Bakke <marius@gnu.org> writes:
> Hello,
>
> The 'freetype' package is vulnerable to CVE-2020-15999.
>
> According to
> https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
> an exploit already exists in the wild.
>
> I'm busy for a couple of days and won't be able to work on it in time.
> Volunteers wanted!
This was fixed by Tobias in commit
d32b210f282ef74caf9890e1d4ffe8eb04bd64e5.
Closing.
Thank you for the report!
Maxim
bug archived.
Request was from Debbugs Internal Request <help-debbugs@gnu.org>
to internal_control@debbugs.gnu.org.
(Wed, 09 Dec 2020 12:24:08 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the
GNU Public License version 2. The current version can be
obtained from https://bugs.debian.org/debbugs-source/.