> -----Original Message-----
> From: [email protected] <[email protected]>
> Sent: 11 November 2020 10:06
> To: Diego Santa Cruz <[email protected]>
> Cc: [email protected]
> Subject: Re: [OE-core] FreeType CVE-2020-15999
>
> Hi,
>
> On Wed, Nov 11, 2020 at 08:06:44AM +0000, Diego Santa Cruz via
> lists.openembedded.org wrote:
> > Hi all,
> >
> > It was brought to my attention that FreeType < 2.10.4 is affected by a
> > buffer overflow with PNG bitmaps as per
> > https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/,
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
> >
> > This does not appear in the CVE metrics which have been posted recently,
> > apparently because it is tagged as google:chrome in the NVD database.
> >
> > In master freetype is already at 2.10.4, but on gatesgarth it is 2.10.2 and
> > dunfell 2.10.1. What is the strategy regarding FreeType updates in OE-Core
> > releases? Should I send a patch to update freetype to 2.10.4 in both branches
> > or backport the fix for the buffer overrun?
>
> The safe approach would be to pick the patch from Debian, and with some luck
> it would apply as is to the gatesgarth and dunfell versions.
>
> The patch from Debian is
> https://security-tracker.debian.org/tracker/CVE-2020-15999
> -> https://sources.debian.org/patches/freetype/2.10.2+dfsg-4/cve-2020-15999.patch/
>
> 2.10.4 from master could be ABI compatible according to
> https://abi-laboratory.pro/index.php?view=timeline&l=freetype
> but https://www.freetype.org/index.html#news does list a
> possible API break in 2.10.3:
>
> "A warning for distribution maintainers: Version 2.10.3 and later may break
> the build of ghostscript, due to ghostscript's use of a withdrawn macro that
> wasn't intended for external usage. A fix is available here."
>
[Diego Santa Cruz] OK, thanks, I will prepare and post patches with the backported fix then.

-- 
Diego Santa Cruz, PhD
Technology Architect
spinetix.com
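As an added example (not part of this thread, and not OE-Core, Debian or FreeType code), the two checks a maintainer would run before posting such a backport: does the Debian patch apply cleanly to the older source tree in each branch, and does its header carry the "CVE:" tag that OE-Core's cve-check class scans patches for, which is what makes the CVE show up as patched in the metrics. The function names, the tiny stand-in source tree and the three patches below are all constructed for the demo; they are not the real pngshim.c or the real cve-2020-15999.patch.

```shell
#!/bin/sh
# Added example: pre-flight checks for a backported CVE patch.
# Requires only POSIX sh, patch(1) and grep(1); nothing is modified on disk
# because patch runs with --dry-run.

# check_patch_applies SRCDIR PATCHFILE
#   exit 0 if PATCHFILE applies to SRCDIR with -p1 (as a recipe patch would),
#   non-zero if any hunk fails, e.g. because the branch's older version
#   differs from the one the patch was written against.
check_patch_applies() {
    patch -p1 -N --dry-run -d "$1" < "$2" >/dev/null 2>&1
}

# has_cve_tag PATCHFILE CVE-ID
#   exit 0 if the patch header contains the exact line "CVE: <id>", which
#   cve-check uses to record the CVE as patched for the recipe.
has_cve_tag() {
    grep -qx "CVE: $2" "$1"
}

# make_demo_tree: builds a constructed stand-in tree plus three patches and
# prints the directory. The file contents are placeholders, not FreeType code.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/src/sfnt"
    printf 'line one\nline two\nline three\n' > "$d/src/sfnt/pngshim.c"

    # well-formed backport: matching context and a CVE: tag
    cat > "$d/good.patch" <<'EOF'
Constructed example patch
CVE: CVE-2020-15999
Upstream-Status: Backport
--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
@@ -1,3 +1,3 @@
 line one
-line two
+line two fixed
 line three
EOF

    # written against a different version: the removed line does not exist
    cat > "$d/stale.patch" <<'EOF'
CVE: CVE-2020-15999
--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
@@ -1,3 +1,3 @@
 line one
-line 2
+line 2 fixed
 line three
EOF

    # applies, but without the tag cve-check would still report the CVE open
    sed '/^CVE: /d' "$d/good.patch" > "$d/untagged.patch"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
for p in good stale untagged; do
    if check_patch_applies "$demo" "$demo/$p.patch"; then applies=yes; else applies=no; fi
    if has_cve_tag "$demo/$p.patch" CVE-2020-15999; then tagged=yes; else tagged=no; fi
    echo "$p.patch: applies=$applies cve-tag=$tagged"
done
rm -rf "$demo"
```

Run against a real tree by pointing check_patch_applies at the unpacked freetype-2.10.1 or 2.10.2 sources for dunfell or gatesgarth and at the downloaded Debian patch. In the recipe the patch is then added in the usual OE-Core way, SRC_URI += "file://cve-2020-15999.patch", and the "CVE:" header line is what lets cve-check report it as fixed even though NVD files the CVE under google:chrome; that convention is OE-Core's, not something the thread spells out.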
-=-=-=-=-=-=-=-=-=-=-=-
Links: View/Reply Online (#144475): https://lists.openembedded.org/g/openembedded-core/message/144475
Group Owner: [email protected]
-=-=-=-=-=-=-=-=-=-=-=-
