A security issue in freetype2 has been announced today (October 19): https://savannah.nongnu.org/bugs/?59308 It was fixed in this commit: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd and there's supposed to be a new release containing the fix tomorrow. This issue is reportedly being exploited in the wild. Mageia 7 is probably also affected.
Whiteboard: (none) => MGA7TOO
freetype2-2.10.4-1.mga8 uploaded for Cauldron by Stig-Ørjan. Arch has issued an advisory for this today (October 20): https://security.archlinux.org/ASA-202010-10/generate
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => smelror
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A heap buffer overflow has been found in freetype2 before 2.10.4. Malformed TTF files with PNG sbit glyphs can cause a heap buffer overflow in Load_SBit_Png as libpng uses the original 32-bit values, which are saved in png_struct. If the original width and/or height are greater than 65535, the allocated buffer won't be able to fit the bitmap. (CVE-2020-15999)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
https://savannah.nongnu.org/bugs/?59308
https://security.archlinux.org/ASA-202010-10/generate
========================

Updated packages in core/updates_testing:
========================
lib(64)freetype6-2.9.1-4.1.mga7
lib(64)freetype2-devel-2.9.1-4.1.mga7
freetype2-demos-2.9.1-4.1.mga7

from SRPM:
freetype2-2.9.1-4.1.mga7.src.rpm

Updated packages in tainted/updates_testing:
========================
lib(64)freetype6-2.9.1-4.1.mga7.tainted
lib(64)freetype2-devel-2.9.1-4.1.mga7.tainted
freetype2-demos-2.9.1-4.1.mga7.tainted

from SRPM:
freetype2-2.9.1-4.1.mga7.tainted.src.rpm
CC: (none) => nicolas.salguero
Source RPM: freetype2-2.10.3-1.mga8.src.rpm => freetype2-2.9.1-4.mga7.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2020-15999
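To illustrate the mechanism the suggested advisory describes (the 32-bit width and height from the PNG header are narrowed into 16-bit sbit metrics, so a buffer sized from the narrowed values is smaller than what the decoder writes), the following is an added, self-contained C model. It is not FreeType's code and is not part of this bug report: the struct and function names are hypothetical, the sample header values are constructed, and the rejection threshold of 65535 follows the advisory's wording rather than the exact check in the upstream commit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the sbit metrics: width and height are 16-bit,
 * as the advisory describes for FreeType (FT_UShort). Hypothetical names. */
struct sbit_metrics {
    uint16_t width;
    uint16_t height;
};

#define BYTES_PER_PIXEL 4u   /* RGBA output produced by the PNG decoder */

/* Bytes the PNG decoder actually writes for a bitmap of the full
 * 32-bit dimensions reported in the PNG header. */
size_t required_bytes(uint32_t png_width, uint32_t png_height)
{
    return (size_t)png_width * BYTES_PER_PIXEL * (size_t)png_height;
}

/* Vulnerable pattern (pre-2.10.4 behaviour as the advisory describes it):
 * the 32-bit header values are narrowed into the 16-bit metrics and the
 * buffer is sized from the narrowed values. Above 65535 the cast silently
 * drops the high bits, so the allocation is smaller than what gets written. */
size_t vulnerable_alloc_bytes(uint32_t png_width, uint32_t png_height)
{
    struct sbit_metrics m;
    m.width  = (uint16_t)png_width;    /* truncation happens here */
    m.height = (uint16_t)png_height;
    size_t pitch = (size_t)m.width * BYTES_PER_PIXEL;
    return (size_t)m.height * pitch;
}

/* Hardened pattern: validate the 32-bit values before narrowing them.
 * Returns false (nothing allocated) when either dimension does not fit in
 * 16 bits; the threshold follows the advisory's "greater than 65535". */
bool fixed_alloc_bytes(uint32_t png_width, uint32_t png_height, size_t *out_bytes)
{
    if (png_width > 0xFFFFu || png_height > 0xFFFFu)
        return false;
    struct sbit_metrics m;
    m.width  = (uint16_t)png_width;    /* lossless after the check above */
    m.height = (uint16_t)png_height;
    *out_bytes = (size_t)m.height * ((size_t)m.width * BYTES_PER_PIXEL);
    return true;
}

/* Does the vulnerable path allocate less than the decoder will write? */
bool vulnerable_underallocates(uint32_t png_width, uint32_t png_height)
{
    return vulnerable_alloc_bytes(png_width, png_height)
         < required_bytes(png_width, png_height);
}

/* Does the hardened path accept this header at all? */
bool fixed_accepts(uint32_t png_width, uint32_t png_height)
{
    size_t unused;
    return fixed_alloc_bytes(png_width, png_height, &unused);
}

int main(void)
{
    /* Constructed header values, not taken from any real font file. */
    const uint32_t cases[][2] = { {100u, 100u}, {70000u, 1u}, {1u, 65536u} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t w = cases[i][0], h = cases[i][1];
        printf("%ux%u: decoder writes %zu bytes, vulnerable path allocates %zu (%s), fixed path %s\n",
               w, h, required_bytes(w, h), vulnerable_alloc_bytes(w, h),
               vulnerable_underallocates(w, h) ? "UNDER-ALLOCATED" : "ok",
               fixed_accepts(w, h) ? "accepts" : "rejects");
    }
    return 0;
}
```

The 70000x1 case shows the arithmetic behind the advisory: 70000 narrowed to 16 bits is 4464, so the vulnerable path reserves 4464 * 4 = 17856 bytes while a row of the real width needs 280000. The 1x65536 case is the degenerate one where the height narrows to zero and nothing is allocated at all. The defensive rule is the general one: validate a value in its original width before storing it in a narrower type, never after.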
Advisory committed to svn. Testing of the tainted version completed by restarting X11 after installing the update and confirming opera, firefox, etc. still display text ok. Will test the core version shortly.
CC: (none) => davidwhodgins
Keywords: (none) => advisory
Disabled the tainted repos, used rpm -e --nodeps to uninstall the packages and then reinstalled them. Restarted x11 and confirmed applications are displaying text ok. Validating the update.
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
With reference to comment 4: This is a sticky one. The tainted versions were already installed. The PoC was run but the result was not helpful without an ASAN framework. Trying to remove the tainted packages in favour of the free version threatened to break the system, so --force is not an option.

$ urpmq --whatrequires lib64freetype6 | uniq | wc -l
269

How should QA handle this type of situation, for future reference? Vague memory of something similar in the case of vlc.
CC: (none) => tarazed25
Thanks Dave - comment 4 is the solution.
I wasn't aware there was a PoC available. If it's not obvious how to test it, I'm ok with skipping testing the PoC for a critical security update.
Yes, the PoC does not help much.

Before updates: CVE-2020-15999 https://savannah.nongnu.org/bugs/?59308

$ ftview 150 font.ttf
Execution completed successfully.
Fails = 4

Upstream ASAN version resulted in an Abort.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0389.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Ubuntu has issued an advisory for this today (October 20): https://ubuntu.com/security/notices/USN-4593-1