GNU bug report logs

#44146 CVE-2020-15999 in FreeType


Message #8 received at submit@debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me@tobias.gr>
To: Marius Bakke <marius@gnu.org>
Subject: Re: bug#44146: CVE-2020-15999 in FreeType
References: <28f1351e-1176-153d-1fc3-6768d807397c@oracle.com>
 <87y2jyi4vf.fsf@gnu.org>
In-reply-to: <87y2jyi4vf.fsf@gnu.org>
Date: Thu, 22 Oct 2020 21:30:30 +0200
Message-ID: <874kmmawix.fsf@nckx>
Cc: bug-guix@gnu.org, 44146@debbugs.gnu.org
Marius,

Marius Bakke wrote:
> The 'freetype' package is vulnerable to CVE-2020-15999.

Oh dear.  'Thanks' for breaking the news.

> I'm busy for a couple of days and won't be able to work on it in 
> time.
> Volunteers wanted!

It feels like it shouldn't work (what with the different .so 
version & all) but I've been unable to break a ghostscript grafted 
to use 2.10.4.

I'm currently reconfiguring my system with it; if it works, I'll 
push it.

Whatever happens, I won't have time to apply the core-updates half 
tonight.

> Forwarding a message from oss-security, we may have to patch 
> Ghostscript
> as well:

I don't know enough about FT/GS's internals to really understand 
what's going on, but being a C(ompile-time) macro, this *could* be 
safe to graft, right?

Kind regards,

T G-R

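The graft Tobias is testing is the Guix mechanism for shipping a security fix without rebuilding every dependent: the old package stays the build-time input, and its `replacement` field tells Guix to rewrite store references in dependents (ghostscript included) so they load the fixed library at run time. The following is an added illustration of that mechanism, not the actual Guix commit; the pre-fix version string, the trimmed package fields and the source hashes are placeholders. Because a graft only swaps the files on disk, anything baked in at compile time stays as built against the old version, so the replacement must keep the same SONAME and ABI for the result to be sound.

```scheme
;; Added illustration of a Guix graft for the FreeType security update
;; (not the actual Guix package definition).  Pre-fix version, trimmed
;; metadata and the base32 hashes are placeholders.
(use-modules (guix packages)
             (guix download)
             (guix build-system gnu)
             ((guix licenses) #:prefix license:))

(define-public freetype
  (package
    (name "freetype")
    (version "2.10.1")                     ; assumed pre-fix version
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://savannah/freetype/freetype-"
                                  version ".tar.xz"))
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))
    ;; The graft: dependents are still *built* against this package, but
    ;; Guix rewrites the store paths they reference to point at
    ;; freetype/fixed, so no dependent has to be rebuilt.
    (replacement freetype/fixed)
    (build-system gnu-build-system)
    (home-page "https://www.freetype.org/")
    (synopsis "Font rendering library")
    (description "FreeType is a library to render fonts.")
    (license license:freetype)))

(define freetype/fixed
  (package
    (inherit freetype)
    (version "2.10.4")                     ; carries the CVE-2020-15999 fix
    ;; Only the source changes.  Everything dependents compiled in against
    ;; the old headers (macros, inline code, struct layouts) is untouched,
    ;; so the new libfreetype must keep the same SONAME and ABI; Guix also
    ;; requires the replacement to provide the same outputs as the original.
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://savannah/freetype/freetype-"
                                  version ".tar.xz"))
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))))
```

`guix build --no-grafts freetype` shows the ungrafted build, which is how one compares the old and new library before trusting the graft on a dependent such as ghostscript.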
debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 02:04:04 2024; Machine Name: wallace-server