* FreeType CVE-2020-15999
@ 2020-11-11  8:06 Diego Santa Cruz
  2020-11-11  9:06 ` [OE-core] " Mikko Rapeli
  2020-11-11 10:46 ` Ross Burton
  0 siblings, 2 replies; 5+ messages in thread
From: Diego Santa Cruz @ 2020-11-11  8:06 UTC (permalink / raw)
  To: openembedded-core


Hi all,

It was brought to my attention that FreeType < 2.10.4 is affected by a buffer overflow with PNG bitmaps as per https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

This does not appear in the CVE metrics which have been posted recently, apparently because it is tagged as google:chrome in the NVD database.

In master freetype is already at 2.10.4, but on gatesgarth it is 2.10.2 and dunfell 2.10.1. What is the strategy regarding FreeType updates in OE-Core releases? Should I send a patch to update freetype to 2.10.4 in both branches or backport the fix for the buffer overrun?

Also, how should one report problems in the NVD database?

Thanks,

Diego
--
Diego Santa Cruz, PhD
Technology Architect
spinetix.com




* Re: [OE-core] FreeType CVE-2020-15999
  2020-11-11  8:06 FreeType CVE-2020-15999 Diego Santa Cruz
@ 2020-11-11  9:06 ` Mikko Rapeli
  2020-11-11 11:49   ` Diego Santa Cruz
  2020-11-11 10:46 ` Ross Burton
  1 sibling, 1 reply; 5+ messages in thread
From: Mikko Rapeli @ 2020-11-11  9:06 UTC (permalink / raw)
  To: diego.santacruz; +Cc: openembedded-core

Hi,

On Wed, Nov 11, 2020 at 08:06:44AM +0000, Diego Santa Cruz via lists.openembedded.org wrote:
> Hi all,
> 
> It was brought to my attention that FreeType < 2.10.4 is affected by a buffer overflow with PNG bitmaps as per https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
> 
> This does not appear in the CVE metrics which have been posted recently, apparently because it is tagged as google:chrome in the NVD database.
> 
> In master freetype is already at 2.10.4, but on gatesgarth it is 2.10.2 and dunfell 2.10.1. What is the strategy regarding FreeType updates in OE-Core releases? Should I send a patch to update freetype to 2.10.4 in both branches or backport the fix for the buffer overrun?

A safe approach would be to pick the patch from Debian and with some luck
it would apply as is to the gatesgarth and dunfell versions.

Patch from Debian is
https://security-tracker.debian.org/tracker/CVE-2020-15999
-> https://sources.debian.org/patches/freetype/2.10.2+dfsg-4/cve-2020-15999.patch/

2.10.4 from master could be ABI compatible according to
https://abi-laboratory.pro/index.php?view=timeline&l=freetype
but https://www.freetype.org/index.html#news does list a
possible API break in 2.10.3:

"A warning for distribution maintainers: Version 2.10.3 and later may break the build of ghostscript, due to ghostscript's use of a withdrawn macro that wasn't intended for external usage. A fix is available here."
 
> Also, how should one report problems in the NVD database?

https://nvd.nist.gov/vuln/detail/CVE-2020-15999#VulnChangeHistorySection
should have more generic freetype CPE with vendor "freetype" and product "freetype"
and then the correct version range. CVE comes from chrome-cve-admin@google.com
so I don't know how to change that. Maybe chrome team could change this after email
notification?

Cheers,

-Mikko
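
The two points raised in this thread, a CVE filed under the wrong CPE (google:chrome rather than freetype:freetype) not showing up in a version-based scan, and a backported patch needing to be recognised as the fix, can be illustrated with a small checker. The following is an added example, not code from this thread or from OE-Core; it follows the convention OE-Core's cve-check class uses of reading a `CVE:` line from a patch header, but the NVD-style records and the Chrome version range are constructed for illustration and are not copied from NVD.

```python
"""Illustrate why a CVE filed under the wrong CPE is missed by a
version-based scan, and how a `CVE:` tag in a backported patch header
marks it as fixed.  Added example; records below are constructed."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed NVD-style records.  The first list mirrors how the thread
# describes the CVE as filed (google:chrome only); the second adds the
# freetype:freetype CPE that the thread asks NVD to add.  The Chrome
# version bound is a placeholder, not a value taken from NVD.
NVD_AS_FILED: List[Dict[str, str]] = [
    {"id": "CVE-2020-15999", "vendor": "google", "product": "chrome",
     "version_end_excluding": "86.0.0"},  # placeholder bound
]
NVD_CORRECTED: List[Dict[str, str]] = NVD_AS_FILED + [
    {"id": "CVE-2020-15999", "vendor": "freetype", "product": "freetype",
     "version_end_excluding": "2.10.4"},  # "< 2.10.4" as stated in the thread
]

# Constructed patch header in the style OE-Core expects for a backport:
# the `CVE:` line is what lets cve-check treat the CVE as patched.
BACKPORT_PATCH_HEADER = """\
From: Example Maintainer <maintainer@example.invalid>
Subject: [PATCH] Fix heap buffer overflow in PNG bitmap loading

Upstream-Status: Backport
CVE: CVE-2020-15999
Signed-off-by: Example Maintainer <maintainer@example.invalid>
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple that compares numerically,
    so that 2.10.2 < 2.10.4 and 2.9.1 < 2.10.0 (a plain string compare
    would get the second one wrong)."""
    return tuple(int(part) for part in v.split("."))


def version_lt(a: str, b: str) -> bool:
    return parse_version(a) < parse_version(b)


def matching_cves(vendor: str, product: str, version: str,
                  records: Iterable[Dict[str, str]]) -> List[str]:
    """CVE ids whose CPE vendor/product match the package and whose
    'version_end_excluding' bound is above the package version."""
    hits: Set[str] = set()
    for rec in records:
        if rec["vendor"] != vendor or rec["product"] != product:
            continue  # wrong CPE: this is how the freetype CVE gets missed
        if version_lt(version, rec["version_end_excluding"]):
            hits.add(rec["id"])
    return sorted(hits)


# A `CVE:` header line may list one or more ids separated by whitespace.
CVE_TAG = re.compile(r"^CVE:\s*((?:CVE-\d{4}-\d{4,}\s*)+)", re.MULTILINE)


def cves_fixed_by_patches(patch_texts: Iterable[str]) -> Set[str]:
    """Collect every CVE id declared in the patches' `CVE:` header lines."""
    fixed: Set[str] = set()
    for text in patch_texts:
        for match in CVE_TAG.finditer(text):
            fixed.update(match.group(1).split())
    return fixed


def open_cves(vendor: str, product: str, version: str,
              records: Iterable[Dict[str, str]],
              patch_texts: Iterable[str] = ()) -> List[str]:
    """CVEs that match the package version and are not covered by a patch."""
    fixed = cves_fixed_by_patches(patch_texts)
    return [c for c in matching_cves(vendor, product, version, records)
            if c not in fixed]


if __name__ == "__main__":
    for label, recs in (("as filed", NVD_AS_FILED), ("corrected", NVD_CORRECTED)):
        print(label, "-> freetype 2.10.2 matches:",
              matching_cves("freetype", "freetype", "2.10.2", recs))
    print("dunfell 2.10.1 with backport applied ->",
          open_cves("freetype", "freetype", "2.10.1", NVD_CORRECTED,
                    [BACKPORT_PATCH_HEADER]))
```

With the records as filed, scanning freetype 2.10.2 reports nothing, which is the gap the first message describes; with the corrected CPE the same scan flags CVE-2020-15999 for 2.10.2 and 2.10.1 but not for 2.10.4, and a backported patch carrying the `CVE:` line clears it again.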


* Re: [OE-core] FreeType CVE-2020-15999
  2020-11-11  8:06 FreeType CVE-2020-15999 Diego Santa Cruz
  2020-11-11  9:06 ` [OE-core] " Mikko Rapeli
@ 2020-11-11 10:46 ` Ross Burton
  2020-11-11 11:50   ` Diego Santa Cruz
  1 sibling, 1 reply; 5+ messages in thread
From: Ross Burton @ 2020-11-11 10:46 UTC (permalink / raw)
  To: diego.santacruz; +Cc: openembedded-core

On Wed, 11 Nov 2020 at 08:06, Diego Santa Cruz via
lists.openembedded.org
<diego.santacruz=spinetix.com@lists.openembedded.org> wrote:
> Also, how should one report problems in the NVD database?

Email cpe_dictionary <cpe_dictionary@nist.gov> and explain the
situation, matching the CPE vendor/product to existing freetype CVEs
and including the version information.

Ross


* Re: [OE-core] FreeType CVE-2020-15999
  2020-11-11  9:06 ` [OE-core] " Mikko Rapeli
@ 2020-11-11 11:49   ` Diego Santa Cruz
  0 siblings, 0 replies; 5+ messages in thread
From: Diego Santa Cruz @ 2020-11-11 11:49 UTC (permalink / raw)
  To: Mikko.Rapeli; +Cc: openembedded-core

> -----Original Message-----
> From: Mikko.Rapeli@bmw.de <Mikko.Rapeli@bmw.de>
> Sent: 11 November 2020 10:06
> To: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] FreeType CVE-2020-15999
> 
> Hi,
> 
> On Wed, Nov 11, 2020 at 08:06:44AM +0000, Diego Santa Cruz via
> lists.openembedded.org wrote:
> > Hi all,
> >
> > It was brought to my attention that FreeType < 2.10.4 is affected by a
> buffer overflow with PNG bitmaps as per
> https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/,
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
> >
> > This does not appear in the CVE metrics which have been posted recently,
> apparently because it is tagged as google:chrome in the NVD database.
> >
> > In master freetype is already at 2.10.4, but on gatesgarth it is 2.10.2 and
> dunfell 2.10.1. What is the strategy regarding FreeType updates in OE-Core
> releases? Should I send a patch to update freetype to 2.10.4 in both branches
> or backport the fix for the buffer overrun?
> 
> A safe approach would be to pick the patch from Debian and with some luck
> it would apply as is to the gatesgarth and dunfell versions.
> 
> Patch from Debian is
> https://security-tracker.debian.org/tracker/CVE-2020-15999
> -> https://sources.debian.org/patches/freetype/2.10.2+dfsg-4/cve-2020-15999.patch/
> 
> 2.10.4 from master could be ABI compatible according to
> https://abi-laboratory.pro/index.php?view=timeline&l=freetype
> but https://www.freetype.org/index.html#news does list a
> possible API break in 2.10.3:
> 
> "A warning for distribution maintainers: Version 2.10.3 and later may break
> the build of ghostscript, due to ghostscript's use of a withdrawn macro that
> wasn't intended for external usage. A fix is available here."
> 

[Diego Santa Cruz] OK, thanks, I will prepare and post patches with the backported fix then.
-- 
Diego Santa Cruz, PhD
Technology Architect
spinetix.com


* Re: [OE-core] FreeType CVE-2020-15999
  2020-11-11 10:46 ` Ross Burton
@ 2020-11-11 11:50   ` Diego Santa Cruz
  0 siblings, 0 replies; 5+ messages in thread
From: Diego Santa Cruz @ 2020-11-11 11:50 UTC (permalink / raw)
  To: Ross Burton; +Cc: openembedded-core

> -----Original Message-----
> From: Ross Burton <ross@burtonini.com>
> Sent: 11 November 2020 11:46
> To: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] FreeType CVE-2020-15999
> 
> On Wed, 11 Nov 2020 at 08:06, Diego Santa Cruz via
> lists.openembedded.org
> <diego.santacruz=spinetix.com@lists.openembedded.org> wrote:
> > Also, how should one report problems in the NVD database?
> 
> Email cpe_dictionary <cpe_dictionary@nist.gov> and explain the
> situation, matching the CPE vendor/product to existing freetype CVEs
> and including the version information.
> 
> Ross
[Diego Santa Cruz] Done, thanks!

-- 
Diego Santa Cruz, PhD
Technology Architect
spinetix.com

