Bug 1890210 (CVE-2020-15999)
Summary: | CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | ajax, caillon+fedoraproject, erack, fonts-bugs, gecko-bugs-nobody, gghezzo, gnome-sig, gparvin, jhorak, john.j5live, jramanat, jweiser, kevin, mclasen, mkasik, rhughes, rstrode, sandmann, scorneli, stcannon, stransky, thee, tpopela, yozone |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | freetype 2.10.4 | Doc Type: | If docs needed, set a value |
Doc Text: |
A heap buffer overflow leading to out-of-bounds write was found in freetype. Memory allocation based on truncated PNG width and height values allows for an out-of-bounds write to occur in application memory when an attacker supplies a specially crafted TTF file.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-10-27 02:21:15 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1890211, 1890271, 1891635, 1891902, 1891903, 1891904, 1891905, 1891906, 2048292 | ||
Bug Blocks: | 1890212 |
Description
Guilherme de Almeida Suckevicz
2020-10-21 16:58:24 UTC
Created freetype tracking bugs for this issue: Affects: fedora-all [bug 1890211] This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2020:4351 https://access.redhat.com/errata/RHSA-2020:4351 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15999 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15999 Statement: Although firefox and thunderbird, as shipped with Red Hat Enterprise Linux 6, bundle a version (2.4.11) of freetype in gtk3-private, the version is not affected by this flaw because the vulnerable code was introduced in a subsequent version of freetype. The freetype package shipped with Red Hat Enterprise Linux 5 and 6 is not affected as the vulnerable code was introduced in a subsequent version of freetype. go-freetype as shipped with Red Hat Advanced Cluster Management for Kubernetes is not affected by this flaw because it ships a pure go implementation of freetype which does not include the vulnerable code. Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4907 https://access.redhat.com/errata/RHSA-2020:4907 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:4949 https://access.redhat.com/errata/RHSA-2020:4949 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:4950 https://access.redhat.com/errata/RHSA-2020:4950 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4952 https://access.redhat.com/errata/RHSA-2020:4952 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2020:4951 https://access.redhat.com/errata/RHSA-2020:4951 |