Bug 31887 - freetype2 new security issue CVE-2023-2004
Summary: freetype2 new security issue CVE-2023-2004
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-05-07 00:48 CEST by David Walser
Modified: 2023-05-21 10:44 CEST (History)
5 users (show)

See Also:
Source RPM: freetype2-2.10.4-2.2.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-05-07 00:48:18 CEST 
Fedora has issued an advisory on April 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KDNGTGQAUZJ6YQDI2AVGYIFFPUMMZLKS/

The issue is fixed upstream in 2.13.0.
David Walser 2023-05-07 00:48:33 CEST

Status comment: (none) => Fixed upstream in 2.13.0

Comment 1 Lewis Smith 2023-05-07 21:15:11 CEST 
We already have 2.13.0 in Cauldron, leaving just M8 to catch up.
Is it OK to assign this to you, Stig, for M8, as you did that Cauldron update?

Assignee: bugsquad => smelror

Comment 2 David Walser 2023-05-09 17:32:40 CEST 
Ubuntu has issued an advisory for this today (May 9):
https://ubuntu.com/security/notices/USN-6062-1

They patched freetype2 2.10.x in Ubuntu 20.04.
Comment 3 David GEIGER 2023-05-09 19:56:15 CEST 
Done for mga8!

CC: (none) => geiger.david68210

Comment 4 David Walser 2023-05-10 04:20:37 CEST 
*** Note that there are core and tainted builds for this package ***

freetype2-demos-2.10.4-2.3.mga8
libfreetype6-2.10.4-2.3.mga8
libfreetype2-devel-2.10.4-2.3.mga8

from freetype2-2.10.4-2.3.mga8.src.rpm

Status comment: Fixed upstream in 2.13.0 => (none)
Assignee: smelror => qa-bugs

Comment 5 Len Lawrence 2023-05-16 22:37:33 CEST 
mga8, x64

Updated the packages.  Used ftview to examine a few TrueType fonts.
$ ftview 60 runningshoe.ttf
Execution completed successfully.
Fails = 0
$ ftview 40 cowboys.ttf
......
$ ftview 30 Saxon.ttf
.....
$ ftview 40 guanine.ttf
....

All displayed correctly at the specified size.

Following bug 22611 comment 7:
Restarted falkon, ran okular, calibre and the gimp without seeing any thing different from usual.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2023-05-16 23:13:32 CEST 
Updated to the tainted packages.

$ ftview 50 TheMixExtraLight_Plain.ttf
Execution completed successfully.
Fails = 0
$ ftview -m "Good morning QA!" 50 xclois.ttf 
Execution completed successfully.
Fails = 0
This did not run as expected but remembering previous tests does not look like a  regression.  A block of text in Saxon lower case repeated 'dn' all the way through.

$ ftview 40 Tolkien_Regular.ttf 
Execution completed successfully.
Fails = 0
That looks OK.

Falkon, firefox and okular render text correctly.

Giving this the OK.

Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2023-05-17 02:12:04 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-05-21 02:24:22 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2023-05-21 10:44:33 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0182.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.