SUSE-SU-2020:1353-1: moderate: Security update for freetype2

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Wed May 20 10:14:43 MDT 2020


   SUSE Security Update: Security update for freetype2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1353-1
Rating:             moderate
References:         #1079603 #1091109 
Cross-References:   CVE-2018-6942
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   This update for freetype2 to version 2.10.1 fixes the following issues:

   Security issue fixed:

   - CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c
     (bsc#1079603).

   Non-security issues fixed:

   - Update to version 2.10.1
     * The bytecode hinting of OpenType variation fonts was flawed, since the
       data in the `CVAR' table wasn't correctly applied.
     * Auto-hinter support for Mongolian.
     * The handling of  the default character in PCF fonts as  introduced in
       version 2.10.0 was partially broken, causing premature abortion
       of charmap iteration for many fonts.
     * If  `FT_Set_Named_Instance' was  called  with  the same  arguments
       twice in a row, the function  returned an incorrect error code the
       second time.
     * Direct   rendering   using  FT_RASTER_FLAG_DIRECT   crashed   (bug
       introduced in version 2.10.0).
     * Increased  precision  while  computing  OpenType  font   variation
       instances.
     * The  flattening  algorithm of  cubic  Bezier  curves was  slightly
       changed to make  it faster.  This can cause  very subtle rendering
       changes, which aren't noticeable by the eye, however.
     * The  auto-hinter  now  disables hinting  if there  are blue  zones
       defined for a `style' (i.e., a certain combination of a script and its
       related typographic features) but the font doesn't contain any
       characters needed to set up at least one blue zone.
   - Add tarball signatures and freetype2.keyring

   - Update to version 2.10.0
     * A bunch of new functions has been added to access and process
       COLR/CPAL data of OpenType fonts with color-layered glyphs.
     * As a GSoC 2018 project, Nikhil Ramakrishnan completely
       overhauled and modernized the API reference.
     * The logic for computing the global ascender, descender, and height of
       OpenType fonts has been slightly adjusted for consistency.
     * `TT_Set_MM_Blend' could fail if called repeatedly with the same
       arguments.
     * The precision of handling deltas in Variation Fonts has been
       increased.The problem did only show up with multidimensional
       designspaces.
     * New function `FT_Library_SetLcdGeometry' to set up the geometry
       of LCD subpixels.
     * FreeType now uses the `defaultChar' property of PCF fonts to set the
       glyph for  the undefined  character  at glyph  index 0  (as FreeType
       already does for all other supported font formats).  As a consequence,
       the order of glyphs of a PCF font if accessed with  FreeType can be
       different now compared to previous versions. This change doesn't
       affect PCF font access with cmaps.
     * `FT_Select_Charmap' has been changed to allow  parameter value
       `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT
       formats to access built-in cmaps that don't have a predefined
       `FT_Encoding' value.
     * A previously reserved field in the `FT_GlyphSlotRec' structure now
       holds the glyph index.
     * The usual round of fuzzer bug fixes to better reject malformed fonts.
     * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have been
       removed.These two functions were public by oversight only and were
       never documented.
     * A new function `FT_Error_String' returns descriptions of error codes
       if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is defined.
     * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new
       functions limited to Adobe MultiMaster fonts to directly set and get
       the weight vector.

   - Enable subpixel rendering with infinality config:

   - Re-enable freetype-config, there is just too many fallouts.

   - Update to version 2.9.1
     * Type 1 fonts containing flex features were not rendered correctly (bug
       introduced in version 2.9).
     * CVE-2018-6942: Older FreeType versions can crash with certain
       malformed variation fonts.
     * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage.
     * Emboldening of bitmaps didn't work correctly sometimes, showing
       various artifacts (bug introduced in version 2.8.1).
     * The auto-hinter script ranges have  been updated for Unicode 11. No
       support for new scripts have been added, however,  with the exception
       of Georgian Mtavruli.
   - freetype-config is now deprecated by upstream and not enabled by default.

   - Update to version 2.10.1
     * The `ftmulti' demo program now  supports multiple hidden axes with the
       same name tag.
     * `ftview', `ftstring', and `ftgrid' got  a `-k' command line option to
       emulate a sequence of keystrokes at start-up.
     * `ftview', `ftstring', and `ftgrid' now support screen dumping to a PNG
       file.
     * The bytecode debugger, `ttdebug',  now supports variation TrueType
       fonts; a variation font instance can be selected with the new `-d'
       command line option.
   - Add tarball signatures and freetype2.keyring

   - Update to version 2.10.0
     * The  `ftdump' demo  program has new options `-c'  and `-C'  to display
       charmaps in compact and detailed format, respectively. Option `-V' has
       been removed.
     * The `ftview', `ftstring', and `ftgrid' demo programs use a new command
       line option `-d' to specify the program window's width, height, and
       color depth.
     * The `ftview' demo program now displays red boxes for zero-width glyphs.
     * `ftglyph' has limited support to display fonts with color-layered
       glyphs.This will be improved later on.
     * `ftgrid' can now display bitmap fonts also.
     * The `ttdebug' demo program has a new option `-f' to select a member of
       a TrueType collection (TTC).
     * Other various improvements to the demo programs.

   - Remove "Supplements: fonts-config" to avoid accidentally pulling in Qt
     dependencies on some non-Qt based desktops.(bsc#1091109) fonts-config is
     fundamental but ft2demos seldom installs by end users.
     only fonts-config maintainers/debuggers may use ft2demos along to debug
      some issues.

   - Update to version 2.9.1
     * No changelog upstream.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1353=1



Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      freetype2-debugsource-2.10.1-4.3.1
      freetype2-devel-2.10.1-4.3.1
      libfreetype6-2.10.1-4.3.1
      libfreetype6-debuginfo-2.10.1-4.3.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

      libfreetype6-32bit-2.10.1-4.3.1
      libfreetype6-32bit-debuginfo-2.10.1-4.3.1


References:

   https://www.suse.com/security/cve/CVE-2018-6942.html
   https://bugzilla.suse.com/1079603
   https://bugzilla.suse.com/1091109



More information about the sle-security-updates mailing list