Ubuntu has issued an advisory on July 20:
https://ubuntu.com/security/notices/USN-5528-1

Mageia 8 is also affected.

Status comment: (none) => Patches available from upstream and Ubuntu
Whiteboard: (none) => MGA8TOO
Assigning to you, Stig, as you did all the more recent 'freetype2' version updates. This may be more complicated.
Assignee: bugsquad => smelror
Suggested advisory:
========================

The updated packages fix a security vulnerability:

ftbench.c in FreeType Demo Programs through 2.12.1 has a heap-based buffer overflow. (CVE-2022-31782)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31782
https://ubuntu.com/security/notices/USN-5528-1
========================

Updated packages in core/updates_testing:
========================
freetype2-demos-2.10.4-2.2.mga8
lib(64)freetype6-2.10.4-2.2.mga8
lib(64)freetype2-devel-2.10.4-2.2.mga8

from SRPM:
freetype2-2.10.4-2.2.mga8.src.rpm

Updated packages in tainted/updates_testing:
========================
freetype2-demos-2.10.4-2.2.mga8.tainted
lib(64)freetype6-2.10.4-2.2.mga8.tainted
lib(64)freetype2-devel-2.10.4-2.2.mga8.tainted

from SRPM:
freetype2-2.10.4-2.2.mga8.tainted.src.rpm

Source RPM: freetype2-2.12.1-1.mga9.src.rpm => freetype2-2.10.4-2.1.mga8(.tainted).src.rpm
CVE: (none) => CVE-2022-31782
Status comment: Patches available from upstream and Ubuntu => (none)
Assignee: smelror => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
No installation issues for core version.

Downloaded a free Freetype font, and extracted it. It came up as belonging to root, so as root I ran ftbench with it:

[root@localhost ~]# ftbench /home/tom/CuteEasterPersonalUse-Wy8nV.ttf
ftbench results for font `/home/tom/CuteEasterPersonalUse-Wy8nV.ttf'
--------------------------------------------------------------------
family: Cute Easter - Personal Use
style: Regular
number of seconds for each test: 2.000000
glyph indices: from 0 to 236
face size: 10ppem
font preloading into memory: no
load flags: 0x0
render mode: 0
CFF hinting engine set to `adobe'
TrueType interpreter set to version 40
maximum cache size: 1024KiByte
executing tests:
Load 23.863 us/op 83898 done
Load_Advances (Normal) 23.725 us/op 84372 done
Load_Advances (Fast) 0.074 us/op 24354594 done
Load_Advances (Unscaled) 0.054 us/op 32275134 done
Render 12.409 us/op 52614 done
Get_Glyph 2.132 us/op 73470 done
Get_Char_Index 0.069 us/op 26303919 done
Iterate CMap 9.195 us/op 186250 done
New_Face 47.047 us/op 40852 done
Embolden 14.187 us/op 51192 done
Stroke 187.129 us/op 9480 done
Get_BBox 3.464 us/op 65649 done
Get_CBox 1.301 us/op 71811 done
New_Face & load glyph(s) 21.598 us/op 92667 done

Results from the tainted version were identical. Giving this an OK, and validating. Advisory in Comment 2.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0297.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED