freetype-devel

Re: Vulnerability warning (CVE-2020-15999)


From: Werner LEMBERG
Subject: Re: Vulnerability warning (CVE-2020-15999)
Date: Tue, 20 Oct 2020 07:02:15 +0200 (CEST)

>> Does this vulnerability affect older (< 2.10.3) versions of
>> FreeType as well?

Yes, down to 2.6, AFAICS.

> It appears that something like this was fixed with 54abd22891 but
> the fix there came too late (after a narrowing conversion) leaving
> some values unchecked.

I think the problem is rather commit 01f0842eb0, which changes the
cast to `unsigned short`.

> Werner, I see a commit in the FreeType repo, but it seems to be just
> a change log entry, probably just didn't 'git add' pngshim.c? (I do
> things like that embarrassingly frequently.)

Nope.  Everything should be fine in the git repository.


   Werner
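
The ordering issue discussed in this thread (a range check that only runs after a cast to `unsigned short`), as an added C example that is not part of the original message and not FreeType's code. The function names and the `DIM_MAX` limit are assumptions made for illustration, and a 16-bit `unsigned short` is assumed.

```c
#include <stdint.h>
#include <stdio.h>

#define DIM_MAX 0x7FFFu   /* constructed limit, not taken from FreeType */

/* Late check: the value is narrowed first, so the test only ever sees
   the low 16 bits of the input. */
int check_after_cast(uint32_t dim, unsigned short *out)
{
    unsigned short n = (unsigned short)dim;   /* 0x10001 -> 0x0001 */
    if (n == 0 || n > DIM_MAX)
        return -1;
    *out = n;
    return 0;
}

/* Early check: the full-width value is validated, then narrowed. */
int check_before_cast(uint32_t dim, unsigned short *out)
{
    if (dim == 0 || dim > DIM_MAX)
        return -1;
    *out = (unsigned short)dim;               /* lossless at this point */
    return 0;
}

/* 1 when the late check accepts a value that the early check rejects. */
int slips_through(uint32_t dim)
{
    unsigned short a = 0, b = 0;
    return check_after_cast(dim, &a) == 0 && check_before_cast(dim, &b) != 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const uint32_t samples[] = { 1, 0x7FFF, 0x8000, 0x10000,
                                 0x10001, 0xFFFF0001u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08x slips_through=%d\n",
               (unsigned)samples[i], slips_through(samples[i]));
    return 0;
}
```

Compiling with `-Wconversion` flags implicit narrowing of this kind, though an explicit cast like the one above silences the warning, so the order of check and cast still needs review by hand.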


