Hello,
The 'freetype' package is vulnerable to CVE-2020-15999.
According to
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
an exploit already exists in the wild.
I'm busy for a couple of days and won't be able to work on it in time.
Volunteers wanted!
Forwarding a message from oss-security, we may have to patch Ghostscript
as well:
-------------------- Start of forwarded message --------------------
To: oss-security@lists.openwall.com
Cc: Werner LEMBERG <wl@gnu.org>
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue, 20 Oct 2020 09:49:31 -0700
Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4
Before making this release, Werner said:
> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs. It seems that this
> vulnerability gets already actively used in the wild, so I ask all
> users to apply the corresponding commit as soon as possible.
But distros should be warned that 2.10.3 and later may break the build
of ghostscript, due to ghostscript's use of a withdrawn macro that
wasn't intended for external usage:
https://bugs.ghostscript.com/show_bug.cgi?id=702985
https://lists.nongnu.org/archive/html/freetype-devel/2020-10/msg00002.html
Ghostscript's fix for that is at:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc
-------- Forwarded Message --------
Subject: [ft-announce] Announcing FreeType 2.10.4
Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)
From: Werner LEMBERG <wl@gnu.org>
To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org
FreeType 2.10.4 has been released.
It is available from
http://savannah.nongnu.org/download/freetype/
or
http://sourceforge.net/projects/freetype/files/
The latter site also holds older versions of the FreeType library.
See below for the relevant snippet from the CHANGES file.
Enjoy!
Werner
PS: Downloads from savannah.nongnu.org will redirect to your nearest
mirror site. Files on mirrors may be subject to a replication
delay of up to 24 hours. In case of problems use
http://download-mirror.savannah.gnu.org/releases/
----------------------------------------------------------------------
http://www.freetype.org
FreeType 2 is a software font engine that is designed to be small,
efficient, highly customizable, and portable while capable of
producing high-quality output (glyph images) of most vector and bitmap
font formats.
Note that FreeType 2 is a font service and doesn't provide APIs to
perform higher-level features, like text layout or graphics processing
(e.g., colored text rendering, `hollowing', etc.). However, it
greatly simplifies these tasks by providing a simple, easy to use, and
uniform interface to access the content of font files.
FreeType 2 is released under two open-source licenses: our own
BSD-like FreeType License and the GPL. It can thus be used by any
kind of projects, be they proprietary or not.
----------------------------------------------------------------------
CHANGES BETWEEN 2.10.3 and 2.10.4
I. IMPORTANT BUG FIXES
- A heap buffer overflow has been found in the handling of embedded
PNG bitmaps, introduced in FreeType version 2.6.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade
immediately.
_______________________________________________
Freetype-announce mailing list
Freetype-announce@nongnu.org
https://lists.nongnu.org/mailman/listinfo/freetype-announce
-------------------- End of forwarded message --------------------
signature.asc
Description: PGP signature
--- End Message ---