| Summary: | freetype2 new security issue CVE-2020-15999 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, nicolas.salguero, smelror, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | freetype2-2.9.1-4.mga7.src.rpm | CVE: | CVE-2020-15999 |
| Status comment: | |||
Description

David Walser 2020-10-20 04:07:46 CEST
David Walser 2020-10-20 04:07:53 CEST

Whiteboard: (none) => MGA7TOO

freetype2-2.10.4-1.mga8 uploaded for Cauldron by Stig-Ørjan.

Arch has issued an advisory for this today (October 20):
https://security.archlinux.org/ASA-202010-10/generate

Version: Cauldron => 7

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A heap buffer overflow has been found in freetype2 before 2.10.4. Malformed TTF files with PNG sbit glyphs can cause a heap buffer overflow in Load_SBit_Png as libpng uses the original 32-bit values, which are saved in png_struct. If the original width and/or height are greater than 65535, the allocated buffer won't be able to fit the bitmap. (CVE-2020-15999)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
https://savannah.nongnu.org/bugs/?59308
https://security.archlinux.org/ASA-202010-10/generate
========================

Updated packages in core/updates_testing:
========================
lib(64)freetype6-2.9.1-4.1.mga7
lib(64)freetype2-devel-2.9.1-4.1.mga7
freetype2-demos-2.9.1-4.1.mga7

from SRPM:
freetype2-2.9.1-4.1.mga7.src.rpm

Updated packages in tainted/updates_testing:
========================
lib(64)freetype6-2.9.1-4.1.mga7.tainted
lib(64)freetype2-devel-2.9.1-4.1.mga7.tainted
freetype2-demos-2.9.1-4.1.mga7.tainted

from SRPM:
freetype2-2.9.1-4.1.mga7.tainted.src.rpm

CC: (none) => nicolas.salguero

Advisory committed to svn.

Testing of tainted version complete by restarting X11 after installing the update and confirming opera, firefox, etc. still display text ok. Will test core version shortly.

CC: (none) => davidwhodgins

Disabled the tainted repos, used rpm -e --nodeps to uninstall the packages and then reinstalled them. Restarted X11 and confirmed applications are displaying text ok. Validating the update.

CC: (none) => sysadmin-bugs

With reference to comment 4:
This is a sticky one. The tainted versions were already installed. The PoC was run but the result was not helpful without an ASAN framework. Trying to remove the tainted packages in favour of the free version threatened to break the system so --force is not an option.

$ urpmq --whatrequires lib64freetype6 | uniq | wc -l
269

How should QA handle this type of situation, for future reference? Vague memory of something similar in the case of vlc.

CC: (none) => tarazed25

I wasn't aware there was a PoC available. If it's not obvious how to test it, I'm ok with skipping testing the PoC for a critical security update.

Yes, the PoC does not help much.

Before updates:
CVE-2020-15999
https://savannah.nongnu.org/bugs/?59308
$ ftview 150 font.ttf
Execution completed successfully.
Fails = 4

Upstream ASAN version resulted in an Abort.

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0389.html

Status: ASSIGNED => RESOLVED

Ubuntu has issued an advisory for this today (October 20):
https://ubuntu.com/security/notices/USN-4593-1
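The advisory text in this bug describes the root cause: the PNG sbit's IHDR carries 32-bit width and height, the loader stores them in 16-bit metrics fields and sizes the bitmap buffer from those truncated values, while libpng keeps filling rows from the original dimensions. The following is an added example, not FreeType's code and not anything posted in this bug: it models that mismatch with a small IHDR parser and two sizing routines, one that narrows first (the vulnerable pattern) and one that rejects oversized dimensions before any narrowing cast (the hardened pattern; the upstream 2.10.4 fix is the reference, not this code). The names (parse_ihdr, plan_vulnerable, plan_hardened, SBIT_MAX_DIM), the 0x7FFF limit, and the crafted IHDR bytes are this example's own assumptions.

```c
/*
 * Added example (not FreeType's code): models the sizing mismatch behind
 * CVE-2020-15999. IHDR width/height are 32-bit; the metrics fields that
 * drive the allocation are 16-bit, so a width of 65537 (0x10001) truncates
 * to 1 while libpng still writes 65537 pixels per row.
 * All names, the limit and the crafted bytes are this example's assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SBIT_MAX_DIM    0x7FFF  /* assumed upper bound for an sbit dimension */
#define BYTES_PER_PIXEL 4       /* sbit PNGs are expanded to 32-bit RGBA */

static const uint8_t PNG_SIG[8] = { 0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n' };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Read width/height from a PNG signature + IHDR chunk. CRC is not verified. */
int parse_ihdr(const uint8_t *buf, size_t len, uint32_t *width, uint32_t *height)
{
    if (len < 8 + 4 + 4 + 13)             return -1;  /* sig, length, type, IHDR data */
    if (memcmp(buf, PNG_SIG, 8) != 0)     return -1;
    if (be32(buf + 8) != 13)              return -1;  /* IHDR data is always 13 bytes */
    if (memcmp(buf + 12, "IHDR", 4) != 0) return -1;
    *width  = be32(buf + 16);
    *height = be32(buf + 20);
    return 0;
}

typedef struct {
    uint16_t metrics_width;   /* 16-bit, as in the sbit metrics */
    uint16_t metrics_height;
    size_t   alloc_size;      /* bytes the loader would allocate */
    size_t   write_size;      /* bytes libpng would write from the IHDR dimensions */
} sbit_plan;

/* Vulnerable pattern: allocation derived from the narrowed metrics. */
void plan_vulnerable(uint32_t img_width, uint32_t img_height, sbit_plan *p)
{
    size_t pitch;
    p->metrics_width  = (uint16_t)img_width;   /* silent truncation */
    p->metrics_height = (uint16_t)img_height;
    pitch          = (size_t)p->metrics_width * BYTES_PER_PIXEL;
    p->alloc_size  = (size_t)p->metrics_height * pitch;
    /* libpng fills img_height rows of img_width pixels regardless of the metrics */
    p->write_size  = (size_t)img_height * (size_t)img_width * BYTES_PER_PIXEL;
}

/* Hardened pattern: reject before any narrowing cast. Returns -1 on rejection. */
int plan_hardened(uint32_t img_width, uint32_t img_height, sbit_plan *p)
{
    if (img_width > SBIT_MAX_DIM || img_height > SBIT_MAX_DIM)
        return -1;
    plan_vulnerable(img_width, img_height, p);  /* casts are now lossless */
    return 0;
}

int plan_overflows(const sbit_plan *p) { return p->write_size > p->alloc_size; }

int dims_overflow_vulnerable(uint32_t w, uint32_t h)
{
    sbit_plan p;
    plan_vulnerable(w, h, &p);
    return plan_overflows(&p);
}

int dims_rejected_hardened(uint32_t w, uint32_t h)
{
    sbit_plan p;
    return plan_hardened(w, h, &p) != 0;
}

/* Constructed signature + IHDR for a 65537 x 2 RGBA image; not a complete PNG. */
static const uint8_t CRAFTED_IHDR[] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0x00, 0x00, 0x00, 0x0d, 'I', 'H', 'D', 'R',
    0x00, 0x01, 0x00, 0x01,          /* width  = 65537, truncates to 1 */
    0x00, 0x00, 0x00, 0x02,          /* height = 2 */
    0x08, 0x06, 0x00, 0x00, 0x00,    /* 8-bit, RGBA, deflate, no filter, no interlace */
    0x00, 0x00, 0x00, 0x00           /* CRC placeholder, not checked */
};

/* 1 if the crafted header overflows under vulnerable sizing, 0 if not, -1 on parse error. */
int crafted_overflows_vulnerable(void)
{
    uint32_t w, h;
    if (parse_ihdr(CRAFTED_IHDR, sizeof CRAFTED_IHDR, &w, &h) != 0) return -1;
    return dims_overflow_vulnerable(w, h);
}

int main(void)
{
    uint32_t w, h;
    sbit_plan p;
    if (parse_ihdr(CRAFTED_IHDR, sizeof CRAFTED_IHDR, &w, &h) != 0) return 1;
    plan_vulnerable(w, h, &p);
    printf("IHDR %ux%u -> metrics %ux%u, alloc %zu bytes, libpng writes %zu bytes: %s\n",
           (unsigned)w, (unsigned)h, (unsigned)p.metrics_width, (unsigned)p.metrics_height,
           p.alloc_size, p.write_size, plan_overflows(&p) ? "heap overflow" : "fits");
    printf("hardened loader: %s\n", plan_hardened(w, h, &p) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check must run before the narrowing cast, not after: once the value sits in a 16-bit field, a comparison against it can no longer tell 65537 from 1. The hardened bound is also tighter than the bare 65535 wrap point, so a dimension like 65535 x 1, which truncation alone would size correctly, is still refused.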