GNU bug report logs

#44146 CVE-2020-15999 in FreeType

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 22 Oct 2020 16:48:35 +0000
From debbugs-submit-bounces@debbugs.gnu.org Thu Oct 22 12:48:35 2020
Received: from localhost ([127.0.0.1]:53708 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1kVdlL-00011N-D7
	for submit@debbugs.gnu.org; Thu, 22 Oct 2020 12:48:35 -0400
Received: from lists.gnu.org ([209.51.188.17]:52246)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <marius@gnu.org>) id 1kVdlI-00011E-7C
 for submit@debbugs.gnu.org; Thu, 22 Oct 2020 12:48:25 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:58904)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <marius@gnu.org>) id 1kVdlH-0002RP-Tf
 for bug-guix@gnu.org; Thu, 22 Oct 2020 12:48:23 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:47334)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <marius@gnu.org>) id 1kVdlH-0007sa-Jq
 for bug-guix@gnu.org; Thu, 22 Oct 2020 12:48:23 -0400
Received: from ti0006q161-1594.bb.online.no ([46.9.75.77]:54974 helo=localhost)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <marius@gnu.org>) id 1kVdlG-0001Sb-C3
 for bug-guix@gnu.org; Thu, 22 Oct 2020 12:48:22 -0400
From: Marius Bakke <marius@gnu.org>
To: bug-guix@gnu.org
Subject: CVE-2020-15999 in FreeType
References: <28f1351e-1176-153d-1fc3-6768d807397c@oracle.com>
Date: Thu, 22 Oct 2020 18:48:20 +0200
Message-ID: <87y2jyi4vf.fsf@gnu.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

[Message part 1 (text/plain, inline)]
Hello,

The 'freetype' package is vulnerable to CVE-2020-15999.

According to
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
an exploit already exists in the wild.

I'm busy for a couple of days and won't be able to work on it in time.
Volunteers wanted!

Forwarding a message from oss-security, we may have to patch Ghostscript
as well:

-------------------- Start of forwarded message --------------------
To: oss-security@lists.openwall.com
Cc: Werner LEMBERG <wl@gnu.org>
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue, 20 Oct 2020 09:49:31 -0700
Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4

Before making this release, Werner said:

> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs.  It seems that this
> vulnerability gets already actively used in the wild, so I ask all
> users to apply the corresponding commit as soon as possible.

But distros should be warned that 2.10.3 and later may break the build
of ghostscript, due to ghostscript's use of a withdrawn macro that
wasn't intended for external usage:

https://bugs.ghostscript.com/show_bug.cgi?id=702985
https://lists.nongnu.org/archive/html/freetype-devel/2020-10/msg00002.html

Ghostscript's fix for that is at:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b

	-Alan Coopersmith-               alan.coopersmith@oracle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc

-------- Forwarded Message --------
Subject: [ft-announce] Announcing FreeType 2.10.4
Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)
From: Werner LEMBERG <wl@gnu.org>
To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org


FreeType 2.10.4 has been released.

It is available from

     http://savannah.nongnu.org/download/freetype/

or

     http://sourceforge.net/projects/freetype/files/

The latter site also holds older versions of the FreeType library.

See below for the relevant snippet from the CHANGES file.

Enjoy!


    Werner


PS: Downloads from  savannah.nongnu.org  will redirect to your nearest
     mirror site.   Files on  mirrors may  be subject to  a replication
     delay   of   up   to   24   hours.   In   case   of  problems  use
     http://download-mirror.savannah.gnu.org/releases/


----------------------------------------------------------------------


http://www.freetype.org


FreeType 2  is a software  font engine that  is designed to  be small,
efficient,  highly   customizable,  and  portable   while  capable  of
producing high-quality output (glyph images) of most vector and bitmap
font formats.

Note that  FreeType 2 is  a font service  and doesn't provide  APIs to
perform higher-level features, like text layout or graphics processing
(e.g.,  colored  text  rendering,  `hollowing',  etc.).   However,  it
greatly simplifies these tasks by providing a simple, easy to use, and
uniform interface to access the content of font files.

FreeType  2  is  released  under  two open-source  licenses:  our  own
BSD-like FreeType  License and the  GPL.  It can  thus be used  by any
kind of projects, be they proprietary or not.


----------------------------------------------------------------------


CHANGES BETWEEN 2.10.3 and 2.10.4

   I. IMPORTANT BUG FIXES

   - A heap buffer overflow has been found  in the handling of embedded
     PNG bitmaps, introduced in FreeType version 2.6.

       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

     If you  use option  FT_CONFIG_OPTION_USE_PNG  you  should  upgrade
     immediately.

_______________________________________________
Freetype-announce mailing list
Freetype-announce@nongnu.org
https://lists.nongnu.org/mailman/listinfo/freetype-announce

-------------------- End of forwarded message --------------------

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 02:31:42 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.