CVE-2020-15999 in FreeType

Details
4 participants
  • Ludovic Courtès
  • Marius Bakke
  • Maxim Cournoyer
  • Tobias Geerinckx-Rice
Owner
unassigned
Submitted by
Marius Bakke
Severity
normal
Marius Bakke wrote on 22 Oct 2020 18:48
(address . bug-guix@gnu.org)
87y2jyi4vf.fsf@gnu.org
Hello,

The 'freetype' package is vulnerable to CVE-2020-15999.

According to
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
an exploit already exists in the wild.

I'm busy for a couple of days and won't be able to work on it in time.
Volunteers wanted!

Forwarding a message from oss-security, we may have to patch Ghostscript
as well:

-------------------- Start of forwarded message --------------------
To: oss-security@lists.openwall.com
Cc: Werner LEMBERG <wl@gnu.org>
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue, 20 Oct 2020 09:49:31 -0700
Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4

Before making this release, Werner said:

> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs. It seems that this
> vulnerability gets already actively used in the wild, so I ask all
> users to apply the corresponding commit as soon as possible.

But distros should be warned that 2.10.3 and later may break the build
of ghostscript, due to ghostscript's use of a withdrawn macro that
wasn't intended for external usage:


Ghostscript's fix for that is at:

-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc

-------- Forwarded Message --------
Subject: [ft-announce] Announcing FreeType 2.10.4
Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)
From: Werner LEMBERG <wl@gnu.org>
To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org


FreeType 2.10.4 has been released.

It is available from


or


The latter site also holds older versions of the FreeType library.

See below for the relevant snippet from the CHANGES file.

Enjoy!


Werner


PS: Downloads from savannah.nongnu.org will redirect to your nearest
mirror site. Files on mirrors may be subject to a replication
delay of up to 24 hours. In case of problems use


----------------------------------------------------------------------




FreeType 2 is a software font engine that is designed to be small,
efficient, highly customizable, and portable while capable of
producing high-quality output (glyph images) of most vector and bitmap
font formats.

Note that FreeType 2 is a font service and doesn't provide APIs to
perform higher-level features, like text layout or graphics processing
(e.g., colored text rendering, `hollowing', etc.). However, it
greatly simplifies these tasks by providing a simple, easy to use, and
uniform interface to access the content of font files.

FreeType 2 is released under two open-source licenses: our own
BSD-like FreeType License and the GPL. It can thus be used by any
kind of projects, be they proprietary or not.


----------------------------------------------------------------------


CHANGES BETWEEN 2.10.3 and 2.10.4

I. IMPORTANT BUG FIXES

- A heap buffer overflow has been found in the handling of embedded
PNG bitmaps, introduced in FreeType version 2.6.


If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade
immediately.

_______________________________________________
Freetype-announce mailing list
Freetype-announce@nongnu.org

-------------------- End of forwarded message --------------------
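The announcement above describes the bug as a heap overflow reached through PNG sbit glyphs in malformed `.ttf` files. As an added triage helper (not code from this report or from FreeType), the following parses the SFNT table directory and flags fonts that carry the tables which can hold PNG-compressed bitmaps, so an administrator can find which installed fonts exercise the FT_CONFIG_OPTION_USE_PNG code path; the table names `sbix` and `CBDT` come from the OpenType specification, and the sample fonts are constructed inline.

```python
import struct

# SFNT tables that may carry PNG-compressed embedded bitmaps ("sbit" glyphs).
# Table names are taken from the OpenType spec, not from the bug report.
PNG_SBIT_TABLES = {b"sbix", b"CBDT"}


def parse_table_directory(data: bytes) -> dict:
    """Return {tag: (offset, length)} for a TrueType/OpenType file.

    Raises ValueError on a truncated or inconsistent directory, which is
    the kind of malformed input a fuzzed or hostile font would present."""
    if len(data) < 12:
        raise ValueError("file too short for an SFNT header")
    sfnt_version, num_tables = struct.unpack(">IH", data[:6])
    # 0x00010000 (TrueType), 'OTTO' (CFF OpenType), 'true' (Apple TrueType)
    if sfnt_version not in (0x00010000, 0x4F54544F, 0x74727565):
        raise ValueError("not an SFNT font")
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(data):
            raise ValueError("table directory truncated")
        tag, _checksum, offset, length = struct.unpack(">4sIII", data[rec:rec + 16])
        if offset + length > len(data):
            raise ValueError(f"table {tag!r} points outside the file")
        tables[tag] = (offset, length)
    return tables


def uses_png_sbit(data: bytes) -> bool:
    """True if the font contains a table that can embed PNG glyph images."""
    return bool(PNG_SBIT_TABLES & set(parse_table_directory(data)))


def build_font(tags) -> bytes:
    """Construct a minimal SFNT with the given tables (4 zero bytes each).

    This is constructed test data, not a real font."""
    num = len(tags)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    body_start = 12 + 16 * num
    records, body = b"", b""
    for tag in tags:
        payload = b"\0" * 4
        records += struct.pack(">4sIII", tag, 0, body_start + len(body), len(payload))
        body += payload
    return header + records + body


if __name__ == "__main__":
    for name in (b"CBDT", b"EBDT"):
        print(name.decode(), "->", uses_png_sbit(build_font([b"head", name])))
```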

Tobias Geerinckx-Rice wrote on 22 Oct 2020 21:30
(name . Marius Bakke)(address . marius@gnu.org)
874kmmawix.fsf@nckx
Marius,

Marius Bakke wrote:
> The 'freetype' package is vulnerable to CVE-2020-15999.

Oh dear. 'Thanks' for breaking the news.

> I'm busy for a couple of days and won't be able to work on it in
> time.
> Volunteers wanted!

It feels like it shouldn't work (what with the different .so
version & all) but I've been unable to break a ghostscript grafted
to use 2.10.4.

I'm currently reconfiguring my system with it; if it works, I'll
push it.

Whatever happens, I won't have time to apply the core-updates half
tonight.

> Forwarding a message from oss-security, we may have to patch
> Ghostscript
> as well:

I don't know enough about FT/GS's internals to really understand
what's going on, but being a C(ompile-time) macro, this *could* be
safe to graft, right?

Kind regards,

T G-R

Ludovic Courtès wrote on 31 Oct 2020 23:20
control message for bug #44146
(address . control@debbugs.gnu.org)
87a6w2rqar.fsf@gnu.org
tags 44146 + security
quit
Maxim Cournoyer wrote on 10 Nov 2020 21:21
Re: bug#44146: CVE-2020-15999 in FreeType
(name . Marius Bakke)(address . marius@gnu.org)(address . 44146-done@debbugs.gnu.org)
874klxgdyr.fsf@gmail.com
Hello,

Marius Bakke <marius@gnu.org> writes:

> Hello,
>
> The 'freetype' package is vulnerable to CVE-2020-15999.
>
> According to
> https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
> an exploit already exists in the wild.
>
> I'm busy for a couple of days and won't be able to work on it in time.
> Volunteers wanted!

This was fixed by Tobias in commit
d32b210f282ef74caf9890e1d4ffe8eb04bd64e5.

Closing.

Thank you for the report!

Maxim