freetype: 2.10.2 -> 2.10.4 (CVE-2020-15999) #101199

Merged
merged 1 commit into from Oct 20, 2020

TredwellGit
Member

Motivation for this change

https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/

Things done

@jtojnar
Contributor

jtojnar commented Oct 21, 2020

Cool, it supports building with Meson now: https://sourceforge.net/projects/freetype/files/freetype2/2.10.3/

@jtojnar jtojnar added the 8.has: upstream changes reviewed Reviewer checked the changelogs/commit logs associated with the release and did not find any issues. label Oct 21, 2020
@erictapen
Member

Qutebrowser dev says that CVE-2020-15999 is already exploited in the wild. As there seems to be no patch available, I backported the bump:
nixos-20.09 a583a60
nixos-20.03 3f8fd69

Please shout at me if you think this was a bad idea.

@TredwellGit
Member Author

@erictapen, you might need to backport #101215 as well.

@erictapen
Member

Just reverted my backports in e9600da, 9641db6, as they broke at least ghostscript and therefore broke basically anything desktop related…

@erictapen
Member

@TredwellGit Damn I should have read your comment before reverting. I'm somewhat anxious of backporting #101215, as I'm afraid bumping ghostscript will break even more stuff.

Just discovered that the Arch Linux page about CVE-2020-15999 links a patch.

I'll investigate whether we could just backport this patch without breaking the freetype API.

erictapen added a commit that referenced this pull request Oct 22, 2020
We can't backport #101199 as it
would break freetype API, but this patch should fix the issue.
@erictapen
Member

So I decided to apply the mentioned patch to release-20.03 and release-20.09, as

  • I'm very confident that this patch actually fixes CVE-2020-15999, due to the commit message and the way it is mentioned in freetype Changelog
  • I'm very confident that this doesn't break freetype API, as the patch is very simple and doesn't touch function signatures.
  • I managed to build ghostscript with it.

I committed directly to the release branches as I guess we have to find out whether anything breaks anyway and it should happen fast, as this issue seems to get exploited in the wild.

259b0ce, afcf353

erictapen added a commit that referenced this pull request Oct 22, 2020
We can't backport #101199 as it
would break freetype API, but this patch should fix the issue.