CVE-2020-15999 in FreeType

  • Done
  • quality assurance status badge
Details
4 participants
  • Ludovic Courtès
  • Marius Bakke
  • Maxim Cournoyer
  • Tobias Geerinckx-Rice
Owner
unassigned
Submitted by
Marius Bakke
Severity
normal
M
M
Marius Bakke wrote on 22 Oct 2020 18:48
(address . bug-guix@gnu.org)
87y2jyi4vf.fsf@gnu.org
Hello,

The 'freetype' package is vulnerable to CVE-2020-15999.

According to
an exploit already exists in the wild.

I'm busy for a couple of days and won't be able to work on it in time.
Volunteers wanted!

Forwarding a message from oss-security, we may have to patch Ghostscript
as well:

-------------------- Start of forwarded message --------------------
To: oss-security@lists.openwall.com
Cc: Werner LEMBERG <wl@gnu.org>
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue, 20 Oct 2020 09:49:31 -0700
Subject: [oss-security] CVE-2020-15999 fixed in FreeType 2.10.4

Before making this release, Werner said:

Toggle quote (5 lines)
> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs. It seems that this
> vulnerability gets already actively used in the wild, so I ask all
> users to apply the corresponding commit as soon as possible.

But distros should be warned that 2.10.3 and later may break the build
of ghostscript, due to ghostscript's use of a withdrawn macro that
wasn't intended for external usage:


Ghostscript's fix for that is at:

-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc

-------- Forwarded Message --------
Subject: [ft-announce] Announcing FreeType 2.10.4
Date: Tue, 20 Oct 2020 07:47:31 +0200 (CEST)
From: Werner LEMBERG <wl@gnu.org>
To: freetype-announce@nongnu.org, freetype-devel@nongnu.org, freetype@nongnu.org


FreeType 2.10.4 has been released.

It is available from


or


The latter site also holds older versions of the FreeType library.

See below for the relevant snippet from the CHANGES file.

Enjoy!


Werner


PS: Downloads from savannah.nongnu.org will redirect to your nearest
mirror site. Files on mirrors may be subject to a replication
delay of up to 24 hours. In case of problems use


----------------------------------------------------------------------




FreeType 2 is a software font engine that is designed to be small,
efficient, highly customizable, and portable while capable of
producing high-quality output (glyph images) of most vector and bitmap
font formats.

Note that FreeType 2 is a font service and doesn't provide APIs to
perform higher-level features, like text layout or graphics processing
(e.g., colored text rendering, `hollowing', etc.). However, it
greatly simplifies these tasks by providing a simple, easy to use, and
uniform interface to access the content of font files.

FreeType 2 is released under two open-source licenses: our own
BSD-like FreeType License and the GPL. It can thus be used by any
kind of projects, be they proprietary or not.


----------------------------------------------------------------------


CHANGES BETWEEN 2.10.3 and 2.10.4

I. IMPORTANT BUG FIXES

- A heap buffer overflow has been found in the handling of embedded
PNG bitmaps, introduced in FreeType version 2.6.


If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade
immediately.

_______________________________________________
Freetype-announce mailing list
Freetype-announce@nongnu.org

-------------------- End of forwarded message --------------------
-----BEGIN PGP SIGNATURE-----

iQFDBAEBCgAtFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl+Rt9QPHG1hcml1c0Bn
bnUub3JnAAoJEKKgbfKjOlT6YwAIALlu6NLnR6wZ+Cgz4Ny/kuzGl5HLFIsMBiaT
T3/wgqgPXNJ/N/efrNALjgJ0WRXf3BgqgYmsqLkzBpqB7LnEC13Z37sLerf1pMHx
Y1pcCISwMwnBnY1iVPRBopaZWhqFW1mlbB2RozW8kHeRYu3FHhRi27gTEFwKX1tt
hXZWLb7jD383VxLkubVaG+odgZfR1gk5fbkaj1fSEjm1DTgwfFX7X5hKPv+mc/jQ
Uk5peC1kg7omeAhVPi3ApE3y/1yoD0CeHKyLeBGGIr0FsUOOh7CVWmwibA4bdRP6
a4N5uKBrdRDTcW6+cZQ3Uxf0kK9bUuKW5lxp8B4NwExEdT9LLCI=
=HKh+
-----END PGP SIGNATURE-----

T
T
Tobias Geerinckx-Rice wrote on 22 Oct 2020 21:30
(name . Marius Bakke)(address . marius@gnu.org)
874kmmawix.fsf@nckx
Marius,

Marius Bakke ???
Toggle quote (2 lines)
> The 'freetype' package is vulnerable to CVE-2020-15999.

Oh dear. 'Thanks' for breaking the news.

Toggle quote (4 lines)
> I'm busy for a couple of days and won't be able to work on it in
> time.
> Volunteers wanted!

It feels like it shouldn't work (what with the different .so
version & all) but I've been unable to break a ghostscript grafted
to use 2.10.4.

I'm currently reconfiguring my system with it; if it works, I'll
push it.

Whatever happens, I won't have time to apply the core-updates half
tonight.

Toggle quote (4 lines)
> Forwarding a message from oss-security, we may have to patch
> Ghostscript
> as well:

I don't know enough about FT/GS's internals to really understand
what's going on, but being a C(ompile-time) macro, this *could* be
safe to graft, right?

Kind regards,

T G-R
-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCX5Hd1g0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15RIcBAO3/Uo4C+Y26XZIPoqvmrk5zoKt5A7AXlMxdHHEn
p4dfAQDz+IpiqE1SS9+juAG66I8l2zuIpEyuWeLTgX/TikNtBQ==
=93kl
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 31 Oct 2020 23:20
control message for bug #44146
(address . control@debbugs.gnu.org)
87a6w2rqar.fsf@gnu.org
tags 44146 + security
quit
M
M
Maxim Cournoyer wrote on 10 Nov 2020 21:21
Re: bug#44146: CVE-2020-15999 in FreeType
(name . Marius Bakke)(address . marius@gnu.org)(address . 44146-done@debbugs.gnu.org)
874klxgdyr.fsf@gmail.com
Hello,

Marius Bakke <marius@gnu.org> writes:

Toggle quote (11 lines)
> Hello,
>
> The 'freetype' package is vulnerable to CVE-2020-15999.
>
> According to
> https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html,
> an exploit already exists in the wild.
>
> I'm busy for a couple of days and won't be able to work on it in time.
> Volunteers wanted!

This was fixed by Tobias in commit
d32b210f282ef74caf9890e1d4ffe8eb04bd64e5.

Closing.

Thank you for the report!

Maxim
Closed
?