A security issue in freetype2 has been announced today (October 19):
It was fixed in this commit:
and there's supposed to be a new release containing the fix tomorrow.
This issue is reportedly being exploited in the wild.
Mageia 7 is probably also affected.
freetype2-2.10.4-1.mga8 uploaded for Cauldron by Stig-Ørjan.
Arch has issued an advisory for this today (October 20):
The updated packages fix a security vulnerability:
A heap buffer overflow has been found in freetype2 before 2.10.4.
Malformed TTF files with PNG sbit glyphs can cause a heap buffer
overflow in Load_SBit_Png as libpng uses the original 32-bit values,
which are saved in png_struct. If the original width and/or height are
greater than 65535, the allocated buffer won't be able to fit the
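The advisory's description of the bug class, as an added illustration that is not FreeType's code or the fix commit: libpng reports the image width and height as 32-bit values, but if the loader narrows them to 16-bit metrics first and sizes its output buffer from the narrowed copy, any dimension above 65535 yields a buffer smaller than what libpng will write. The struct names, the 4-bytes-per-pixel output format and the check itself are assumptions made for the example; the hardened function shows the defensive pattern of validating the 32-bit values before any narrowing or allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed input: the image dimensions libpng reports from a PNG IHDR
   (32-bit each), as the advisory describes for an embedded sbit glyph. */
typedef struct { uint32_t width; uint32_t height; } png_dims_t;

/* Hypothetical 16-bit metrics record; the field widths mirror the truncation
   class the advisory describes, not FreeType's actual struct layout. */
typedef struct { uint16_t width; uint16_t height; } sbit_metrics_t;

enum { SBIT_OK = 0, SBIT_ERR_DIMS = 1, SBIT_ERR_SIZE = 2 };

#define BYTES_PER_PIXEL 4u   /* 32-bit BGRA output; an assumption for the example */

/* What libpng will actually write: computed from the untruncated 32-bit values. */
uint64_t needed_bytes(png_dims_t png) {
    return (uint64_t)png.width * png.height * BYTES_PER_PIXEL;
}

/* Unsafe pattern: copy into 16-bit metrics first, then size the buffer from
   the copy. For width or height above 65535 the result is smaller than
   needed_bytes(), which is the under-allocation the advisory describes. */
uint64_t truncated_alloc_bytes(png_dims_t png) {
    sbit_metrics_t m;
    m.width  = (uint16_t)png.width;    /* high 16 bits silently dropped */
    m.height = (uint16_t)png.height;
    return (uint64_t)m.width * m.height * BYTES_PER_PIXEL;
}

/* Hardened pattern: validate the 32-bit values before any narrowing or
   allocation. Rejects zero or out-of-range dimensions and a byte count that
   cannot be represented in size_t (which matters on 32-bit hosts). */
int validate_sbit_dims(png_dims_t png, size_t *out_bytes) {
    if (png.width == 0 || png.height == 0 ||
        png.width > 0xFFFFu || png.height > 0xFFFFu)
        return SBIT_ERR_DIMS;
    uint64_t bytes = needed_bytes(png);
    if (bytes > (uint64_t)SIZE_MAX)
        return SBIT_ERR_SIZE;
    *out_bytes = (size_t)bytes;
    return SBIT_OK;
}

int main(void) {
    png_dims_t sample = { 70000u, 10u };   /* constructed: width exceeds 65535 */
    size_t bytes = 0;
    printf("needed=%llu truncated=%llu\n",
           (unsigned long long)needed_bytes(sample),
           (unsigned long long)truncated_alloc_bytes(sample));
    printf("validate -> %d\n", validate_sbit_dims(sample, &bytes));
    return 0;
}
```

With the constructed 70000x10 input, the truncated size is 4464x10x4 = 178560 bytes while libpng would write 2800000 bytes; the hardened check rejects the input before any buffer is allocated.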
Updated packages in core/updates_testing:
Updated packages in tainted/updates_testing:
Advisory committed to svn.
Testing of the tainted version completed by restarting X11 after installing the update
and confirming Opera, Firefox, etc. still display text OK.
Will test core version shortly.
Disabled the tainted repos, used rpm -e --nodeps to uninstall the packages and
then reinstalled them. Restarted X11 and confirmed applications are displaying
Validating the update.
With reference to comment 4:
This is a sticky one. The tainted versions were already installed.
The PoC was run but the result was not helpful without an ASAN framework.
Trying to remove the tainted packages in favour of the free version threatened to break the system so --force is not an option.
$ urpmq --whatrequires lib64freetype6 | uniq | wc -l
How should QA handle this type of situation, for future reference? Vague memory of something similar in the case of vlc.
Thanks Dave - comment 4 is the solution.
I wasn't aware there was a poc available. If it's not obvious how to test it,
I'm ok with skipping testing the poc for a critical security update.
Yes, the PoC does not help much. Before updates:
$ ftview 150 font.ttf
Execution completed successfully.
Fails = 4
Upstream ASAN version resulted in an Abort.
An update for this issue has been pushed to the Mageia Updates repository.
Ubuntu has issued an advisory for this today (October 20):