freetype: 2.10.2 -> 2.10.4 (CVE-2020-15999) #101199
Cool, it supports building with Meson now: https://sourceforge.net/projects/freetype/files/freetype2/2.10.3/
Qutebrowser dev says that CVE-2020-15999 is already exploited in the wild. As there seems to be no patch available, I backported the bump: Please shout at me if you think this was a bad idea.
@erictapen, you might need to backport #101215 as well.
@TredwellGit Damn, I should have read your comment before reverting. I'm somewhat anxious about backporting #101215, as I'm afraid bumping ghostscript will break even more stuff. Just discovered that the Archlinux page about CVE-2020-15999 links a patch. I'll investigate whether we could just backport this patch without breaking freetype API.
We can't backport #101199 as it would break freetype API, but this patch should fix the issue.
So I decided to apply the mentioned patch to
I committed directly to the release branches as I guess we have to find out whether anything breaks anyway and it should happen fast, as this issue seems to get exploited in the wild.
Motivation for this change
https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
Things done