Your message dated Sat, 24 Oct 2020 10:19:20 +0000
with message-id <e1kwgds-000akh...@fasolo.debian.org>
and subject line Bug#972586: fixed in freetype 2.9.1-3+deb10u2
has caused the Debian Bug report #972586,
regarding freetype: CVE-2020-15999: buffer overflow in Load_SBit_Png
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
972586: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972586
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: freetype
Version: 2.10.2+dfsg-3
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://savannah.nongnu.org/bugs/?59308
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for freetype.

CVE-2020-15999[0]:
| heap buffer overflow in Load_SBit_Png

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15999
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
[1] https://savannah.nongnu.org/bugs/?59308

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: freetype
Source-Version: 2.9.1-3+deb10u2
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 972...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated freetype package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Oct 2020 21:15:41 +0200
Source: freetype
Architecture: source
Version: 2.9.1-3+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Hugh McMaster <hugh.mcmas...@outlook.com>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 972586
Changes:
 freetype (2.9.1-3+deb10u2) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix heap buffer overflow (CVE-2020-15999) (Closes: #972586)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
