Hi,

On Wed, Nov 11, 2020 at 08:06:44AM +0000, Diego Santa Cruz via lists.openembedded.org wrote:
> Hi all,
>
> It was brought to my attention that FreeType < 2.10.4 is affected by a buffer
> overflow with PNG bitmaps as per
> https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/,
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
>
> This does not appear in the CVE metrics which have been posted recently,
> apparently because it is tagged as google:chrome in the NVD database.
>
> In master freetype is already at 2.10.4, but on gatesgarth it is 2.10.2 and
> dunfell 2.10.1. What is the strategy regarding FreeType updates in OE-Core
> releases? Should I send a patch to update freetype to 2.10.4 in both branches
> or backport the fix for the buffer overrun?
A safe approach would be to pick the patch from Debian and with some luck it
would apply as is to the gatesgarth and dunfell versions. The patch from Debian is
https://security-tracker.debian.org/tracker/CVE-2020-15999 ->
https://sources.debian.org/patches/freetype/2.10.2+dfsg-4/cve-2020-15999.patch/

2.10.4 from master could be ABI compatible according to
https://abi-laboratory.pro/index.php?view=timeline&l=freetype but
https://www.freetype.org/index.html#news does list a possible API break in 2.10.3:

"A warning for distribution maintainers: Version 2.10.3 and later may break
the build of ghostscript, due to ghostscript's use of a withdrawn macro that
wasn't intended for external usage. A fix is available here."

> Also, how should one report problems in the NVD database?

https://nvd.nist.gov/vuln/detail/CVE-2020-15999#VulnChangeHistorySection
should have a more generic freetype CPE with vendor "freetype" and product
"freetype" and then the correct version range. The CVE comes from
chrome-cve-ad...@google.com so I don't know how to change that. Maybe the chrome
team could change this after email notification?

Cheers,
-Mikko
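The reason the CVE metrics missed this one is mechanical: a CPE-based scan compares the recipe's product name (for OE-Core's cve-check, CVE_PRODUCT, which defaults to the recipe name "freetype") against the vendor:product fields of the cpe23Uri entries in the NVD record, and a record that only lists google:chrome never matches. The following Python is an added example written for this page, not code from the thread, from OE-Core's cve-check.bbclass or from NVD: it parses two constructed NVD-JSON-1.1-style records, one shaped like the record as published (Chrome only) and one with the generic freetype:freetype CPE and the "< 2.10.4" range Mikko asks for, and shows which freetype versions each record flags. The Chrome version bound in the constructed data is an assumption made for the example.

```python
"""Added example (not from the thread or from OE-Core): why a CVE whose NVD
record only carries a google:chrome CPE is invisible to a CPE-based scan of a
freetype recipe, and what the record needs so that it is matched.

The matcher follows the NVD JSON 1.1 feed layout (configurations -> nodes ->
cpe_match with cpe23Uri plus optional version*Including/Excluding bounds).
Both records below are CONSTRUCTED for this example; the Chrome version
bound is an assumption and is not copied from NVD."""
import json

# Constructed: the record as described in the thread, listing only Chrome.
NVD_AS_PUBLISHED = json.dumps({
    "cve": {"CVE_data_meta": {"ID": "CVE-2020-15999"}},
    "configurations": {"CVE_data_version": "4.0", "nodes": [
        {"operator": "OR", "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*",
             "versionEndExcluding": "86.0.4240.111"}]}]}})

# Constructed: the same record with the generic freetype CPE Mikko asks for.
# FreeType < 2.10.4 is affected, so the upper bound is "2.10.4", excluded.
NVD_AS_IT_SHOULD_BE = json.dumps({
    "cve": {"CVE_data_meta": {"ID": "CVE-2020-15999"}},
    "configurations": {"CVE_data_version": "4.0", "nodes": [
        {"operator": "OR", "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*",
             "versionEndExcluding": "86.0.4240.111"},
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:freetype:freetype:*:*:*:*:*:*:*:*",
             "versionEndExcluding": "2.10.4"}]}]}})


def parse_cpe23(uri):
    """Split a CPE 2.3 formatted string into its named fields.
    Escaped colons ("\\:") inside a field are not handled; the freetype and
    chrome entries used here do not contain them."""
    fields = uri.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % uri)
    names = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")
    return dict(zip(names, fields[2:]))


def version_key(v):
    """Dotted numeric version -> tuple for ordering (non-numeric parts -> 0).
    A simplification; it is enough for the versions compared here."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def in_declared_range(version, match):
    """Apply the optional version bounds carried on a cpe_match entry."""
    v = version_key(version)
    lo_inc = match.get("versionStartIncluding")
    lo_exc = match.get("versionStartExcluding")
    hi_inc = match.get("versionEndIncluding")
    hi_exc = match.get("versionEndExcluding")
    if lo_inc and v < version_key(lo_inc):
        return False
    if lo_exc and v <= version_key(lo_exc):
        return False
    if hi_inc and v > version_key(hi_inc):
        return False
    if hi_exc and v >= version_key(hi_exc):
        return False
    return True


def cve_affects(record_json, product, version, vendor=None):
    """True if any vulnerable cpe_match in the record covers product@version.
    vendor=None matches any vendor, which is how a recipe-name-only product
    string such as "freetype" is compared."""
    record = json.loads(record_json)
    for node in record["configurations"]["nodes"]:
        # Only flat OR nodes are handled; nested "children" (AND nodes for
        # running-on/with platforms) are out of scope for this example.
        for m in node.get("cpe_match", []):
            if not m.get("vulnerable", True):
                continue
            cpe = parse_cpe23(m["cpe23Uri"])
            if cpe["product"] != product:
                continue
            if vendor is not None and cpe["vendor"] != vendor:
                continue
            if cpe["version"] == "*":
                if in_declared_range(version, m):
                    return True
            elif cpe["version"] == version:
                return True
    return False


if __name__ == "__main__":
    for label, rec in (("as published", NVD_AS_PUBLISHED),
                       ("with freetype CPE", NVD_AS_IT_SHOULD_BE)):
        for ver in ("2.10.1", "2.10.2", "2.10.4"):
            print("%-18s freetype %s affected: %s"
                  % (label, ver, cve_affects(rec, "freetype", ver)))
```

With the record as published, the check returns False for every freetype version, which is exactly the silent gap Diego saw in the metrics; with the corrected CPE it flags 2.10.1 (dunfell) and 2.10.2 (gatesgarth) and clears 2.10.4 (master). Note that once the NVD record is corrected the branches will start showing up as affected, so a backported fix should carry a `CVE: CVE-2020-15999` line in the patch header, which is what cve-check.bbclass uses to mark a CVE as patched in a recipe.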
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#144470): https://lists.openembedded.org/g/openembedded-core/message/144470
Mute This Topic: https://lists.openembedded.org/mt/78178777/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-