Bug 250375 (freetype-2.10.3) - [exp-run] Upgrade print/freetype2 to 2.10.4
Summary: [exp-run] Upgrade print/freetype2 to 2.10.4
Status: In Progress
Alias: freetype-2.10.3
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Port Management Team
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-15 17:34 UTC by Tobias C. Berner
Modified: 2020-10-26 07:59 UTC
CC: 5 users

See Also:
tcberner: exp-run?


Attachments
v1 (2.44 KB, patch)
2020-10-15 17:34 UTC, Tobias C. Berner
no flags

Description Tobias C. Berner freebsd_committer 2020-10-15 17:34:24 UTC
Created attachment 218770 [details]
v1

Moin moin 

desktop@ would like to ask for an exp-run to upgrade freetype2 to 2.10.3.

The patch is attached, but can also be found here:
https://people.freebsd.org/~tcberner/patches/freetype2-2.10.3.v1.diff


mfg Tobias
Comment 2 Antoine Brodin freebsd_committer 2020-10-19 17:20:13 UTC
Same 4 failures on 12.1 amd64
Comment 3 VVD 2020-10-20 16:00:05 UTC
FreeType 2.10.4
2020-10-20

This is an emergency release, fixing a severe vulnerability in embedded PNG bitmap handling (see here for more).

All users should update immediately.

https://www.freetype.org/index.html#news
Comment 4 Antoine Brodin freebsd_committer 2020-10-20 16:13:35 UTC
(In reply to VVD from comment #3)
vulnerability or not, if it generates 2k ports skipped it's not going to be committed.
Comment 5 VVD 2020-10-20 16:24:49 UTC
(In reply to Antoine Brodin from comment #4)
This is for information only.
Comment 6 Niclas Zeising freebsd_committer 2020-10-21 06:07:29 UTC
https://www.openwall.com/lists/oss-security/2020/10/20/7 That one is relevant, there are links in there to patches for ghostscript. It is apparently a known issue, ghostscript was using a macro that was internal to FreeType and that has been removed.
Comment 7 Tobias C. Berner freebsd_committer 2020-10-21 06:18:15 UTC
(In reply to Niclas Zeising from comment #6)
Thanks for digging that up.

mfg Tobias
Comment 8 rob2g2 2020-10-21 20:51:41 UTC
fyi: the freetype vulnerability is actively exploited in the wild via chromium ... https://twitter.com/benhawkes/status/1318640422571266048
Comment 9 commit-hook freebsd_committer 2020-10-22 05:51:35 UTC
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 05:51:05 UTC 2020
New revision: 552930
URL: https://svnweb.freebsd.org/changeset/ports/552930

Log:
  print/ghostscript9-agpl-base: prepare for freetype2 update

  PR:		250375
  Obtained from:	https://www.openwall.com/lists/oss-security/2020/10/20/7
  MFH:		2020Q4
  Security:	CVE-2020-15999

Changes:
  head/print/ghostscript9-agpl-base/files/patch-git_41ef9a0
Comment 10 commit-hook freebsd_committer 2020-10-22 06:10:47 UTC
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 06:10:12 UTC 2020
New revision: 552936
URL: https://svnweb.freebsd.org/changeset/ports/552936

Log:
  print/ghostscript9-base: prepare for freetype2 update

  - Backport of the same patch applied to print/ghostscript9-agpl-base

  PR:		250375
  Obtained from:	https://www.openwall.com/lists/oss-security/2020/10/20/7
  MFH:		2020Q4
  Security:	CVE-2020-15999

Changes:
  head/print/ghostscript9-base/files/patch-git_41ef9a0_backport
Comment 11 commit-hook freebsd_committer 2020-10-22 08:39:11 UTC
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 08:38:23 UTC 2020
New revision: 552950
URL: https://svnweb.freebsd.org/changeset/ports/552950

Log:
  print/freetype2: document vulnerability

  PR:		250375
  Security:	CVE-2020-15999

Changes:
  head/security/vuxml/vuln.xml
Comment 12 Tobias C. Berner freebsd_committer 2020-10-22 08:44:16 UTC
Moin moin 

Here's the updated patch for freetype-2.10.4 including the security fix:

https://people.freebsd.org/~tcberner/patches/freetype2-2.10.4.v1.diff

ghostscript9* is fixed already -- I'm willing to commit this update and fix fallout as soon as my machine or the builders hit them. 

antoine:
Please let me know whether I should do so -- I think the other two known fallouts are small enough to justify a direct commit, and I would gamble on them being the only ones :D 


mfg Tobias
Comment 13 commit-hook freebsd_committer 2020-10-22 16:04:36 UTC
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 16:04:28 UTC 2020
New revision: 552990
URL: https://svnweb.freebsd.org/changeset/ports/552990

Log:
  math/vtk8: fix build against freetype 2.10.4

  - similar to the patch applied to print/ghostscript9*

  PR:		250375

Changes:
  head/math/vtk8/files/patch-Rendering_FreeType_vtkFreeTypeTools.cxx
Comment 14 Antoine Brodin freebsd_committer 2020-10-22 16:09:04 UTC
@tcberner : you can go ahead, the most depended-upon ports seem to build fine
Comment 15 commit-hook freebsd_committer 2020-10-22 16:19:42 UTC
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 16:19:24 UTC 2020
New revision: 552991
URL: https://svnweb.freebsd.org/changeset/ports/552991

Log:
  print/freetype2: Security fix release  2.10.4

  From: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/

    I. IMPORTANT BUG FIXES

    - A heap buffer overflow has been found  in the handling of embedded
      PNG bitmaps, introduced in FreeType version 2.6.

        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

      If you  use option  FT_CONFIG_OPTION_USE_PNG  you  should  upgrade
      immediately.

  Partial exp-run by:	antoine
  PR:		250375
  MFH:		2020Q4
  Security:	CVE-2020-15999

Changes:
  head/print/freetype2/Makefile
  head/print/freetype2/distinfo
  head/print/freetype2/pkg-plist
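Added example, not part of the bug report, the commits above, or the FreeBSD ports tree: a small POSIX sh check that turns the release note quoted in the commit message (overflow introduced in 2.6, fixed in 2.10.4, relevant only when FreeType is built with FT_CONFIG_OPTION_USE_PNG) into a version test an administrator can run against an installed freetype2 package. The function names `vercmp`, `freetype_affected`, `verdict` and `probe` are this example's own. `probe` assumes a FreeBSD host with `pkg` and infers PNG support from whether the installed libfreetype links libpng, which approximates the build option rather than reading it from the headers.

```shell
#!/bin/sh
# Added example (not from the bug report or the ports tree): classify an
# installed FreeType against the range the 2.10.4 release note calls out,
# CVE-2020-15999 (embedded PNG bitmap heap overflow, 2.6 <= version < 2.10.4,
# only when built with FT_CONFIG_OPTION_USE_PNG).

# vercmp A B: print -1, 0 or 1 comparing dotted numeric versions component
# by component (so 2.6 < 2.10, unlike a plain string comparison).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"     # missing component counts as 0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# freetype_affected VERSION: shell-true when VERSION lies in [2.6, 2.10.4).
# Accepts FreeBSD package versions such as 2.10.2_1 or 2.10.2,1.
freetype_affected() {
    v="$1"
    v="${v%%_*}"   # drop PORTREVISION suffix
    v="${v%%,*}"   # drop PORTEPOCH suffix
    [ "$(vercmp "$v" 2.6)" -ge 0 ] && [ "$(vercmp "$v" 2.10.4)" -lt 0 ]
}

# verdict VERSION PNG: one-word classification; PNG is "yes" or "no" and
# stands for FT_CONFIG_OPTION_USE_PNG being enabled in the build.
verdict() {
    if freetype_affected "$1"; then
        if [ "$2" = yes ]; then
            printf '%s\n' vulnerable
        else
            printf '%s\n' affected-version-no-png
        fi
    else
        printf '%s\n' not-affected
    fi
}

# probe: inspect the live system (FreeBSD, pkg-managed). PNG support is
# approximated by checking whether libfreetype.so links libpng.
probe() {
    ver="$(pkg query '%v' freetype2 2>/dev/null)" || {
        printf '%s\n' "freetype2 not installed"; return 2; }
    lib="$(pkg query '%Fp' freetype2 | grep '/libfreetype\.so\.[0-9]*$' | head -n 1)"
    if [ -n "$lib" ] && ldd "$lib" 2>/dev/null | grep -q libpng; then
        png=yes
    else
        png=no
    fi
    printf '%s\n' "freetype2 $ver (png=$png): $(verdict "$ver" "$png")"
}

# Usage: sh freetype-check.sh probe
if [ "$1" = probe ]; then probe; fi
```

`affected-version-no-png` is reported separately because the release note ties the bug to the PNG option: a build without libpng support is not reachable through that code path, but it is still an out-of-date library and should follow the normal update anyway.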
Comment 16 commit-hook freebsd_committer 2020-10-22 16:23:44 UTC
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 16:22:51 UTC 2020
New revision: 552992
URL: https://svnweb.freebsd.org/changeset/ports/552992

Log:
  MFH: r552930

  print/ghostscript9-agpl-base: prepare for freetype2 update

  PR:		250375
  Obtained from:	https://www.openwall.com/lists/oss-security/2020/10/20/7
  Security:	CVE-2020-15999

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/print/ghostscript9-agpl-base/files/patch-git_41ef9a0
Comment 17 commit-hook freebsd_committer 2020-10-22 16:23:46 UTC
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 16:23:42 UTC 2020
New revision: 552993
URL: https://svnweb.freebsd.org/changeset/ports/552993

Log:
  MFH: r552936

  print/ghostscript9-base: prepare for freetype2 update

  - Backport of the same patch applied to print/ghostscript9-agpl-base

  PR:		250375
  Obtained from:	https://www.openwall.com/lists/oss-security/2020/10/20/7
  Security:	CVE-2020-15999

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/print/ghostscript9-base/files/patch-git_41ef9a0_backport
Comment 18 commit-hook freebsd_committer 2020-10-22 16:24:48 UTC
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 16:24:26 UTC 2020
New revision: 552994
URL: https://svnweb.freebsd.org/changeset/ports/552994

Log:
  MFH: r552990

  math/vtk8: fix build against freetype 2.10.4

  - similar to the patch applied to print/ghostscript9*

  PR:		250375

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/math/vtk8/files/patch-Rendering_FreeType_vtkFreeTypeTools.cxx
Comment 19 commit-hook freebsd_committer 2020-10-22 16:25:50 UTC
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 16:25:19 UTC 2020
New revision: 552995
URL: https://svnweb.freebsd.org/changeset/ports/552995

Log:
  MFH: r552991

  print/freetype2: Security fix release  2.10.4

  From: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/

    I. IMPORTANT BUG FIXES

    - A heap buffer overflow has been found  in the handling of embedded
      PNG bitmaps, introduced in FreeType version 2.6.

        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

      If you  use option  FT_CONFIG_OPTION_USE_PNG  you  should  upgrade
      immediately.

  Partial exp-run by:	antoine
  PR:		250375
  Security:	CVE-2020-15999

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/print/freetype2/Makefile
  branches/2020Q4/print/freetype2/distinfo
  branches/2020Q4/print/freetype2/pkg-plist
Comment 20 Tobias C. Berner freebsd_committer 2020-10-22 16:26:17 UTC
(In reply to Antoine Brodin from comment #14)
Thanks -- all committed, and mfh'ed -- I'll keep this open to keep track of fallout.