freetype: 2.10.2 -> 2.10.4 (CVE-2020-15999) #101199

Merged
merged 1 commit into from Oct 20, 2020

@TredwellGit
Member

@TredwellGit TredwellGit commented Oct 20, 2020

Motivation for this change

https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/

Things done
@ofborg ofborg bot requested a review from ttuegel Oct 20, 2020
@FRidh FRidh merged commit 3775af7 into NixOS:staging Oct 20, 2020
18 of 19 checks passed
@TredwellGit TredwellGit deleted the freetype branch Oct 20, 2020
@TredwellGit TredwellGit mentioned this pull request Oct 20, 2020
10 tasks
@jtojnar
Contributor

@jtojnar jtojnar commented Oct 21, 2020

Cool, it supports building with Meson now: https://sourceforge.net/projects/freetype/files/freetype2/2.10.3/

@erictapen
Member

@erictapen erictapen commented Oct 21, 2020

Qutebrowser dev says that CVE-2020-15999 is already exploited in the wild. As there seems to be no patch available, I backported the bump:
nixos-20.09 a583a60
nixos-20.03 3f8fd69

Please shout at me if you think this was a bad idea.

@TredwellGit
Member Author

@TredwellGit TredwellGit commented Oct 22, 2020

@erictapen, you might need to backport #101215 as well.

@erictapen
Member

@erictapen erictapen commented Oct 22, 2020

Just reverted my backports in e9600da, 9641db6, as they broke at least ghostscript and therefore broke basically anything desktop related…

@erictapen
Member

@erictapen erictapen commented Oct 22, 2020

@TredwellGit Damn, I should have read your comment before reverting. I'm somewhat anxious about backporting #101215, as I'm afraid bumping ghostscript will break even more stuff.

Just discovered that the Archlinux page about CVE-2020-15999 links a patch.

I'll investigate whether we could just backport this patch without breaking freetype API.

erictapen added a commit that referenced this issue Oct 22, 2020
We can't backport #101199 as it
would break freetype API, but this patch should fix the issue.
@erictapen
Member

@erictapen erictapen commented Oct 22, 2020

So I decided to apply the mentioned patch to release-20.03 and release-20.09, as

  • I'm very confident that this patch actually fixes CVE-2020-15999, due to the commit message and the way it is mentioned in freetype Changelog
  • I'm very confident that this doesn't break freetype API, as the patch is very simple and doesn't touch function signatures.
  • I managed to build ghostscript with it.

I committed directly to the release branches as I guess we have to find out whether anything breaks anyway and it should happen fast, as this issue seems to get exploited in the wild.

259b0ce, afcf353

erictapen added a commit that referenced this issue Oct 22, 2020
We can't backport #101199 as it
would break freetype API, but this patch should fix the issue.
nlewo added a commit to nlewo/nixpkgs that referenced this issue Oct 31, 2020
We can't backport NixOS#101199 as it
would break freetype API, but this patch should fix the issue.