Hi all,

It was brought to my attention that FreeType < 2.10.4 is affected by a buffer overflow with PNG bitmaps, as per https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/ and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

This does not appear in the CVE metrics which have been posted recently, apparently because it is tagged as google:chrome in the NVD database. In master freetype is already at 2.10.4, but on gatesgarth it is 2.10.2 and on dunfell 2.10.1.

What is the strategy regarding FreeType updates in OE-Core releases? Should I send a patch to update freetype to 2.10.4 in both branches, or backport the fix for the buffer overrun?

Also, how should one report problems in the NVD database?

Thanks,
Diego

--
Diego Santa Cruz, PhD
Technology Architect
spinetix.com
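The miss described above is a property of CPE-based matching: a checker keyed on vendor:product (OE-Core's cve-check matches CVE_PRODUCT, which defaults to the recipe name, against the NVD CPE data) cannot flag a CVE whose NVD record lists only google:chrome, even though the affected code is FreeType. The following is an added, simplified model of that matching logic written for this thread; it is not the cve-check class's own code, and the two "database" snapshots and the Chrome version bound in it are constructed for illustration. The FreeType versions are the ones named in the message (2.10.1, 2.10.2, fixed in 2.10.4).

```python
"""Model of CPE-keyed CVE matching, showing why a CVE filed only under
google:chrome is invisible to a check for the freetype recipe.
Added example for this thread; not OE-Core cve-check code."""
from dataclasses import dataclass, field
from typing import List, Optional


def parse_version(v: str) -> tuple:
    """'2.10.4' -> (2, 10, 4); numeric dotted versions only (assumption)."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class CpeMatch:
    """One NVD configuration entry: vendor:product plus an optional version range."""
    vendor: str
    product: str
    version_start_incl: Optional[str] = None   # inclusive lower bound
    version_end_excl: Optional[str] = None     # exclusive upper bound (fixed version)

    def matches(self, product: str, version: str) -> bool:
        # The product key is the only thing a recipe-name based check can use.
        if self.product != product:
            return False
        v = parse_version(version)
        if self.version_start_incl and v < parse_version(self.version_start_incl):
            return False
        if self.version_end_excl and v >= parse_version(self.version_end_excl):
            return False
        return True


@dataclass
class CveRecord:
    cve_id: str
    cpes: List[CpeMatch] = field(default_factory=list)


def affected_cves(db: List[CveRecord], product: str, version: str) -> List[str]:
    """CVE ids in `db` whose CPE list matches this product/version (sorted)."""
    return sorted(
        r.cve_id for r in db if any(c.matches(product, version) for c in r.cpes)
    )


# Constructed snapshot 1: the CVE is tagged only against google:chrome.
# The Chrome version bound is a placeholder, not taken from NVD.
NVD_CHROME_ONLY = [
    CveRecord("CVE-2020-15999", [
        CpeMatch("google", "chrome", version_end_excl="86.0.0.0"),
    ]),
]

# Constructed snapshot 2: the same record with a freetype CPE added
# (fixed version 2.10.4, as stated in the message above).
NVD_WITH_FREETYPE = [
    CveRecord("CVE-2020-15999", [
        CpeMatch("google", "chrome", version_end_excl="86.0.0.0"),
        CpeMatch("freetype", "freetype", version_end_excl="2.10.4"),
    ]),
]


if __name__ == "__main__":
    for branch, ver in (("dunfell", "2.10.1"), ("gatesgarth", "2.10.2"), ("master", "2.10.4")):
        print(branch, ver,
              "chrome-only:", affected_cves(NVD_CHROME_ONLY, "freetype", ver),
              "with freetype CPE:", affected_cves(NVD_WITH_FREETYPE, "freetype", ver))
```

With the chrome-only snapshot, no FreeType version is reported, which is the gap in the posted metrics; once a freetype CPE with an upper bound of 2.10.4 is present, dunfell (2.10.1) and gatesgarth (2.10.2) are flagged and master (2.10.4) is not. Until the NVD record is corrected, the only way such a CVE surfaces in a recipe-keyed check is a manual entry on the recipe side, which is why the reporting question in the message matters.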