Created attachment 218770
v1

Hello,

desktop@ would like to ask for an exp-run to upgrade freetype2 to 2.10.3.

The patch is attached, but can also be found here:
https://people.freebsd.org/~tcberner/patches/freetype2-2.10.3.v1.diff

Regards,
Tobias
New failure logs on 12.1 i386:
http://pb2.nyi.freebsd.org/data/121i386-default-PR244494/2020-10-19_08h11m44s/logs/errors/upp-14429.log
http://pb2.nyi.freebsd.org/data/121i386-default-PR244494/2020-10-19_08h11m44s/logs/errors/ft2demos-2.10.2.log
http://pb2.nyi.freebsd.org/data/121i386-default-PR244494/2020-10-19_08h11m44s/logs/errors/ghostscript9-agpl-base-9.52_10.log
http://pb2.nyi.freebsd.org/data/121i386-default-PR244494/2020-10-19_08h11m44s/logs/errors/ghostscript9-base-9.06_14.log

Due to the ghostscript9 failure, a large number of ports were skipped.
Same 4 failures on 12.1 amd64
FreeType 2.10.4
2020-10-20

This is an emergency release, fixing a severe vulnerability in embedded PNG bitmap handling (see here for more). All users should update immediately.

https://www.freetype.org/index.html#news
(In reply to VVD from comment #3)
Vulnerability or not, if it generates 2k skipped ports it's not going to be committed.
(In reply to Antoine Brodin from comment #4)
This is for information only.
https://www.openwall.com/lists/oss-security/2020/10/20/7

That one is relevant; there are links in there to patches for ghostscript. It is apparently a known issue: ghostscript was using a macro that was internal to FreeType and that has been removed.
(In reply to Niclas Zeising from comment #6)
Thanks for digging that up.

Regards,
Tobias
FYI: the freetype vulnerability is actively exploited in the wild via chromium ...
https://twitter.com/benhawkes/status/1318640422571266048
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 05:51:05 UTC 2020
New revision: 552930
URL: https://svnweb.freebsd.org/changeset/ports/552930

Log:
  print/ghostscript9-agpl-base: prepare for freetype2 update

  PR:		250375
  Obtained from:	https://www.openwall.com/lists/oss-security/2020/10/20/7
  MFH:		2020Q4
  Security:	CVE-2020-15999

Changes:
  head/print/ghostscript9-agpl-base/files/patch-git_41ef9a0
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 06:10:12 UTC 2020
New revision: 552936
URL: https://svnweb.freebsd.org/changeset/ports/552936

Log:
  print/ghostscript9-base: prepare for freetype2 update

  - Backport of the same patch applied to print/ghostscript9-agpl-base

  PR:		250375
  Obtained from:	https://www.openwall.com/lists/oss-security/2020/10/20/7
  MFH:		2020Q4
  Security:	CVE-2020-15999

Changes:
  head/print/ghostscript9-base/files/patch-git_41ef9a0_backport
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 08:38:23 UTC 2020
New revision: 552950
URL: https://svnweb.freebsd.org/changeset/ports/552950

Log:
  print/freetype2: document vulnerability

  PR:		250375
  Security:	CVE-2020-15999

Changes:
  head/security/vuxml/vuln.xml
Hello,

Here's the updated patch for freetype-2.10.4 including the security fix:
https://people.freebsd.org/~tcberner/patches/freetype2-2.10.4.v1.diff

ghostscript9* is fixed already -- I'm willing to commit this update and fix fallout as soon as my machine or the builders hit them.

antoine: Please let me know whether I should do so -- I think the other two known fallouts are small enough to justify a direct commit, and I would gamble on them being the only ones :D

Regards,
Tobias
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 16:04:28 UTC 2020
New revision: 552990
URL: https://svnweb.freebsd.org/changeset/ports/552990

Log:
  math/vtk8: fix build against freetype 2.10.4

  - similar to the patch applied to print/ghostscript9*

  PR:		250375

Changes:
  head/math/vtk8/files/patch-Rendering_FreeType_vtkFreeTypeTools.cxx
@tcberner: you can go ahead, the most depended-upon ports seem to build fine.
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 16:19:24 UTC 2020
New revision: 552991
URL: https://svnweb.freebsd.org/changeset/ports/552991

Log:
  print/freetype2: Security fix release 2.10.4

  From: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/

    I. IMPORTANT BUG FIXES

    - A heap buffer overflow has been found in the handling of embedded
      PNG bitmaps, introduced in FreeType version 2.6.

        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

      If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade
      immediately.

  Partial exp-run by:	antoine
  PR:		250375
  MFH:		2020Q4
  Security:	CVE-2020-15999

Changes:
  head/print/freetype2/Makefile
  head/print/freetype2/distinfo
  head/print/freetype2/pkg-plist
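The commit message above says only that the bug is a heap buffer overflow in embedded PNG bitmap handling. The following is an added example, not FreeType's code and not part of this PR, that models the unsafe pattern behind that class of bug as I read the upstream fix (an assumption on my part, not something this thread states): an embedded PNG's IHDR carries 32-bit width and height, the sbit metrics store them in 16-bit fields, and if the values are truncated before the output buffer is sized while the PNG decoder later writes full-width rows, the decoder writes past the heap allocation. All names (sbit_metrics, buffer_size_unchecked, buffer_size_checked, decoder_write_size, MAX_BITMAP_DIM) and the sample IHDR bytes are constructed for illustration.

```c
/*
 * Added example: simplified model of the 16-bit truncation pattern
 * behind a heap overflow in embedded PNG bitmap handling. Not FreeType
 * code; names, limits and sample data are constructed for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BYTES_PER_PIXEL 4u      /* decoded as 8-bit RGBA */
#define MAX_BITMAP_DIM  0x7FFFu /* hypothetical sanity limit; assumption */

/* Metrics structure with 16-bit dimensions, like an FT_UShort pair. */
typedef struct {
    uint16_t width;
    uint16_t height;
} sbit_metrics;

/* Big-endian 32-bit read, as used for PNG IHDR fields. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse width/height out of a 13-byte IHDR chunk body. */
void ihdr_dims(const uint8_t ihdr[13], uint32_t *w, uint32_t *h) {
    *w = be32(ihdr);
    *h = be32(ihdr + 4);
}

/* Vulnerable pattern: the 32-bit IHDR values are silently truncated
 * to 16 bits and the buffer is sized from the truncated metrics. */
size_t buffer_size_unchecked(uint32_t img_w, uint32_t img_h,
                             sbit_metrics *m) {
    m->width  = (uint16_t)img_w;   /* e.g. 0x10010 becomes 0x0010 */
    m->height = (uint16_t)img_h;
    return (size_t)m->width * BYTES_PER_PIXEL * m->height;
}

/* Hardened pattern: reject dimensions that cannot be represented
 * before they are stored, so metrics and decoder output agree.
 * Returns 0 on success, -1 if the image is rejected. */
int buffer_size_checked(uint32_t img_w, uint32_t img_h,
                        sbit_metrics *m, size_t *out) {
    if (img_w > MAX_BITMAP_DIM || img_h > MAX_BITMAP_DIM)
        return -1;
    m->width  = (uint16_t)img_w;
    m->height = (uint16_t)img_h;
    *out = (size_t)m->width * BYTES_PER_PIXEL * m->height;
    return 0;
}

/* Bytes a PNG decoder writes when handed the real IHDR dimensions. */
size_t decoder_write_size(uint32_t img_w, uint32_t img_h) {
    return (size_t)img_w * BYTES_PER_PIXEL * img_h;
}

int main(void) {
    /* Constructed IHDR body: width 0x00010010 (65552), height 1,
     * bit depth 8, colour type 6 (RGBA), then compression/filter/interlace. */
    const uint8_t ihdr[13] = { 0x00, 0x01, 0x00, 0x10,
                               0x00, 0x00, 0x00, 0x01,
                               8, 6, 0, 0, 0 };
    uint32_t w, h;
    sbit_metrics m;
    size_t alloc, checked;

    ihdr_dims(ihdr, &w, &h);
    alloc = buffer_size_unchecked(w, h, &m);
    printf("IHDR %ux%u -> metrics %ux%u, allocated %zu bytes, "
           "decoder writes %zu bytes (overflow by %zu)\n",
           w, h, m.width, m.height, alloc, decoder_write_size(w, h),
           decoder_write_size(w, h) - alloc);

    if (buffer_size_checked(w, h, &m, &checked) != 0)
        printf("hardened path: image rejected before allocation\n");
    return 0;
}
```

Run stand-alone, the program shows the unchecked path allocating 64 bytes for an image the decoder would fill with 262208 bytes, while the checked path rejects the same IHDR before any allocation happens. The point generalises to any format where a narrow metrics field is filled from a wider on-disk value: validate the range at the boundary, not after the cast.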
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 16:22:51 UTC 2020
New revision: 552992
URL: https://svnweb.freebsd.org/changeset/ports/552992

Log:
  MFH: r552930

  print/ghostscript9-agpl-base: prepare for freetype2 update

  PR:		250375
  Obtained from:	https://www.openwall.com/lists/oss-security/2020/10/20/7
  Security:	CVE-2020-15999

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/print/ghostscript9-agpl-base/files/patch-git_41ef9a0
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 16:23:42 UTC 2020
New revision: 552993
URL: https://svnweb.freebsd.org/changeset/ports/552993

Log:
  MFH: r552936

  print/ghostscript9-base: prepare for freetype2 update

  - Backport of the same patch applied to print/ghostscript9-agpl-base

  PR:		250375
  Obtained from:	https://www.openwall.com/lists/oss-security/2020/10/20/7
  Security:	CVE-2020-15999

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/print/ghostscript9-base/files/patch-git_41ef9a0_backport
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 16:24:26 UTC 2020
New revision: 552994
URL: https://svnweb.freebsd.org/changeset/ports/552994

Log:
  MFH: r552990

  math/vtk8: fix build against freetype 2.10.4

  - similar to the patch applied to print/ghostscript9*

  PR:		250375

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/math/vtk8/files/patch-Rendering_FreeType_vtkFreeTypeTools.cxx
A commit references this bug:

Author: tcberner
Date: Thu Oct 22 16:25:19 UTC 2020
New revision: 552995
URL: https://svnweb.freebsd.org/changeset/ports/552995

Log:
  MFH: r552991

  print/freetype2: Security fix release 2.10.4

  From: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/

    I. IMPORTANT BUG FIXES

    - A heap buffer overflow has been found in the handling of embedded
      PNG bitmaps, introduced in FreeType version 2.6.

        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

      If you use option FT_CONFIG_OPTION_USE_PNG you should upgrade
      immediately.

  Partial exp-run by:	antoine
  PR:		250375
  Security:	CVE-2020-15999

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/print/freetype2/Makefile
  branches/2020Q4/print/freetype2/distinfo
  branches/2020Q4/print/freetype2/pkg-plist
(In reply to Antoine Brodin from comment #14)
Thanks -- all committed and MFH'ed. I'll keep this open to keep track of fallout.
New failure logs on 12.1 i386:
http://beefy4.nyi.freebsd.org/data/121i386-quarterly/553140/logs/upp-14429.log
http://beefy4.nyi.freebsd.org/data/121i386-quarterly/553140/logs/vtk6-6.2.0_13.log
http://beefy4.nyi.freebsd.org/data/121i386-quarterly/553140/logs/ft2demos-2.10.2.log
New failure logs on 12.1 amd64:
http://beefy2.nyi.freebsd.org/data/121amd64-quarterly/553140/logs/upp-14429.log
http://beefy2.nyi.freebsd.org/data/121amd64-quarterly/553140/logs/vtk6-6.2.0_13.log
http://beefy2.nyi.freebsd.org/data/121amd64-quarterly/553140/logs/ft2demos-2.10.2.log
print/ft2demos has been fixed by bofh in r553233.
A commit references this bug:

Author: tcberner
Date: Tue Oct 27 04:20:12 UTC 2020
New revision: 553411
URL: https://svnweb.freebsd.org/changeset/ports/553411

Log:
  math/vtk6: fix build against freetype 2.10.4

  - similar patch is applied to math/vtk8

  PR:		250375

Changes:
  head/math/vtk6/files/patch-Rendering_FreeType_vtkFreeTypeTools.cxx
  head/math/vtk6/files/patch-Rendering_FreeType_vtkFreeTypeUtilities.cxx
A commit references this bug:

Author: tcberner
Date: Tue Oct 27 04:21:53 UTC 2020
New revision: 553412
URL: https://svnweb.freebsd.org/changeset/ports/553412

Log:
  MFH: r553411

  math/vtk6: fix build against freetype 2.10.4

  - similar patch is applied to math/vtk8

  PR:		250375

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/math/vtk6/files/patch-Rendering_FreeType_vtkFreeTypeTools.cxx
  branches/2020Q4/math/vtk6/files/patch-Rendering_FreeType_vtkFreeTypeUtilities.cxx
This has been resolved. upp remains marked BROKEN.