Opened 3 years ago

Closed 3 years ago

#14153 closed enhancement (fixed)

freetype-2.10.4

Reported by: ken@… Owned by: ken@…
Priority: high Milestone: 10.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New release: per https://www.freetype.org/

FreeType 2.10.4

2020-10-20

This is an emergency release, fixing a severe vulnerability in embedded PNG bitmap handling (see here for more).

All users should update immediately.

According to phoronix this is for CVE-2020-15999 which is apparently a heap buffer overflow and has been present since freetype-2.6 (which was 5 years ago).

Change History (5)

comment:1 by ken@…, 3 years ago

Owner: changed from blfs-book to ken@…
Status: newassigned

comment:2 by Douglas R. Reno, 3 years ago

Before making this release, Werner said:

> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs.  It seems that this
> vulnerability gets already actively used in the wild, so I ask all
> users to apply the corresponding commit as soon as possible.

But distros should be warned that 2.10.3 and later may break the build
of ghostscript, due to ghostscript's use of a withdrawn macro that
wasn't intended for external usage:

https://bugs.ghostscript.com/show_bug.cgi?id=702985
https://lists.nongnu.org/archive/html/freetype-devel/2020-10/msg00002.html

Ghostscript's fix for that is at:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b

    -Alan Coopersmith-               alan.coopersmith@oracle.com
     Oracle Solaris Engineering - https://blogs.oracle.com/alanc

-------- Forwarded Message --------
Subject: [ft-announce] Announcing FreeType 2.10.4
Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)
From: Werner LEMBERG <wl@gnu.org>
To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org


FreeType 2.10.4 has been released.

It is available from

    http://savannah.nongnu.org/download/freetype/

or

    http://sourceforge.net/projects/freetype/files/

The latter site also holds older versions of the FreeType library.

See below for the relevant snippet from the CHANGES file.

Enjoy!


   Werner


PS: Downloads from  savannah.nongnu.org  will redirect to your nearest
    mirror site.   Files on  mirrors may  be subject to  a replication
    delay   of   up   to   24   hours.   In   case   of  problems  use
    http://download-mirror.savannah.gnu.org/releases/


----------------------------------------------------------------------


http://www.freetype.org


FreeType 2  is a software  font engine that  is designed to  be small,
efficient,  highly   customizable,  and  portable   while  capable  of
producing high-quality output (glyph images) of most vector and bitmap
font formats.

Note that  FreeType 2 is  a font service  and doesn't provide  APIs to
perform higher-level features, like text layout or graphics processing
(e.g.,  colored  text  rendering,  `hollowing',  etc.).   However,  it
greatly simplifies these tasks by providing a simple, easy to use, and
uniform interface to access the content of font files.

FreeType  2  is  released  under  two open-source  licenses:  our  own
BSD-like FreeType  License and the  GPL.  It can  thus be used  by any
kind of projects, be they proprietary or not.


----------------------------------------------------------------------


CHANGES BETWEEN 2.10.3 and 2.10.4

  I. IMPORTANT BUG FIXES

  - A heap buffer overflow has been found  in the handling of embedded
    PNG bitmaps, introduced in FreeType version 2.6.

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

    If you  use option  FT_CONFIG_OPTION_USE_PNG  you  should  upgrade
    immediately.

_______________________________________________
Freetype-announce mailing list
Freetype-announce@nongnu.org
https://lists.nongnu.org/mailman/listinfo/freetype-announce

We're going to need a fix for Ghostscript too. Please put that in with this update.

comment:3 by ken@…, 3 years ago

Ah, thanks for that - I was not aware.

comment:5 by ken@…, 3 years ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.