Bug 750275 - <media-libs/freetype-2.10.3-r1: Heap buffer overflow in malformed ttf files (CVE-2020-15999)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://lists.nongnu.org/archive/html...
Whiteboard: A2 [glsa cve]
Blocks: CVE-2020-15999
Reported: 2020-10-20 01:16 UTC by Sam James
Modified: 2021-01-06 08:53 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-20 01:16:38 UTC
"I've just fixed a heap buffer overflow that can happen for some
malformed `.ttf` files with PNG sbit glyphs.  It seems that this
vulnerability gets already actively used in the wild, so I ask all
users to apply the corresponding commit as soon as possible.

Tomorrow I will do a 2.10.4 release."
Comment 2 Larry the Git Cow gentoo-dev 2020-10-20 01:37:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=220bae77e549123e9a257f40ba3db9e0f6ccabc0

commit 220bae77e549123e9a257f40ba3db9e0f6ccabc0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-10-20 01:36:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-20 01:37:17 +0000

    media-libs/freetype: security bump for CVE-2020-15999
    
    This vulnerability is being exploited in the wild;
    this fix is identical to that being used in Chromium
    as a band-aid for now (also in upstream git).
    
    See upstream bug for more information.
    
    Bug: https://bugs.gentoo.org/750275
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/freetype-2.10.3-CVE-2020-15999.patch     |  51 +++++
 media-libs/freetype/freetype-2.10.3-r1.ebuild      | 243 +++++++++++++++++++++
 2 files changed, 294 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2020-10-20 07:05:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d93a975c694a048359086224a27dba08d4633d23

commit d93a975c694a048359086224a27dba08d4633d23
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-10-20 07:04:33 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-10-20 07:04:56 +0000

    media-libs/freetype: Security bump to version 2.10.4. Removed old
    
    Bug: https://bugs.gentoo.org/750275
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-libs/freetype/Manifest                       |  3 ++
 .../files/freetype-2.10.3-CVE-2020-15999.patch     | 51 ----------------------
 ...ype-2.10.3-r1.ebuild => freetype-2.10.4.ebuild} |  1 -
 3 files changed, 3 insertions(+), 52 deletions(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-20 08:34:15 UTC
amd64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-20 08:49:21 UTC
arm64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-20 08:50:02 UTC
arm done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-20 09:02:08 UTC
sparc done
Comment 8 Larry the Git Cow gentoo-dev 2020-10-20 09:26:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bb23682332a5a110b4e867cff9c539a015ee5b3

commit 9bb23682332a5a110b4e867cff9c539a015ee5b3
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2020-10-20 09:25:42 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-10-20 09:25:42 +0000

    media-libs/freetype: stabilize 2.10.4 on x86
    
    Bug: https://bugs.gentoo.org/750275
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/freetype/freetype-2.10.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 9 Joonas Niilola gentoo-dev 2020-10-20 09:26:40 UTC
x86 done.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-20 09:44:51 UTC
ppc{,64} stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-10-23 03:43:23 UTC
This issue was resolved and addressed in
 GLSA 202010-07 at https://security.gentoo.org/glsa/202010-07
by GLSA coordinator Sam James (sam_c).
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-23 03:43:41 UTC
Reopening for remaining arches.
Comment 13 Rolf Eike Beer archtester 2020-10-24 19:58:33 UTC
hppa stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-11-17 19:06:53 UTC
s390 stable.

Maintainer(s), please cleanup.
Comment 15 Larry the Git Cow gentoo-dev 2020-11-18 07:36:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=209ba4903e93f9e05e998511bd895e05b66282fa

commit 209ba4903e93f9e05e998511bd895e05b66282fa
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-11-18 07:36:00 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-11-18 07:36:00 +0000

    media-libs/freetype: Security cleanup
    
    Bug: https://bugs.gentoo.org/750275
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-libs/freetype/Manifest                       |   6 -
 .../files/freetype-2.4.11-sizeof-types.patch       |  31 ---
 media-libs/freetype/freetype-2.10.2-r1.ebuild      | 242 ---------------------
 media-libs/freetype/freetype-2.10.3.ebuild         | 242 ---------------------
 4 files changed, 521 deletions(-)
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-06 08:53:28 UTC
Tree is clean, GLSA published, all done!