Re: Vulnerability warning (CVE-2020-15999)
From: Werner LEMBERG
Subject: Re: Vulnerability warning (CVE-2020-15999)
Date: Tue, 20 Oct 2020 07:02:15 +0200 (CEST)
>> Does this vulnerability affect older (< 2.10.3) versions of
>> FreeType as well?
Yes, down to 2.6, AFAICS.
> It appears that something like this was fixed with 54abd22891 but
> the fix there came too late (after a narrowing conversion) leaving
> some values unchecked.
I think the problem is rather commit 01f0842eb0, which changes the
cast to `unsigned short`.
> Werner, I see a commit in the FreeType repo, but it seems to be just
> a change log entry, probably just didn't 'git add' pngshim.c? (I do
> things like that embarrassingly frequently.)
Nope. Everything should be fine in the git repository.
Werner
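
The ordering issue discussed in this thread (a range check that runs after a cast to `unsigned short`), shown as an added C example that is not part of the original message and is not FreeType code. The function names and the `MAX_DIM` limit are assumptions made for illustration, and the sample dimensions are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_DIM 0x7FFF  /* assumed upper bound for this sketch */

/* Flawed order: narrow first, then validate the truncated value.
 * With a 16-bit unsigned short, 0x10001 has already become 1 here. */
static int accept_checked_after_narrowing(uint32_t width, uint32_t height)
{
    unsigned short w = (unsigned short)width;
    unsigned short h = (unsigned short)height;
    return w != 0 && h != 0 && w <= MAX_DIM && h <= MAX_DIM;
}

/* Corrected order: validate the full-width values, then narrow. */
static int accept_checked_before_narrowing(uint32_t width, uint32_t height,
                                           unsigned short *w, unsigned short *h)
{
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return 0;
    *w = (unsigned short)width;   /* lossless: value is known to fit */
    *h = (unsigned short)height;
    return 1;
}

int main(void)
{
    /* Constructed sample dimensions, as read from a 32-bit header field. */
    const uint32_t samples[][2] = {
        { 640, 480 }, { 0x10001u, 0x10001u }, { 0x20010u, 16 }
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned short w = 0, h = 0;
        printf("%#x x %#x: check-after=%d check-before=%d\n",
               (unsigned)samples[i][0], (unsigned)samples[i][1],
               accept_checked_after_narrowing(samples[i][0], samples[i][1]),
               accept_checked_before_narrowing(samples[i][0], samples[i][1],
                                               &w, &h));
    }
    return 0;
}
```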