[solved] How to install freetype w patch for new exploit


  • This topic has 7 replies, 3 voices, and was last updated Oct 31-11:08 pm by stevesr0.
  • #44045
    Member
    stevesr0

      Hi all,

      I heard that Freetype has put out a patched version for a serious exploit. It is in the 2.10 series and the current version in the repos for my version 17 install of antiX is 2.6.

      Anybody know if the version from freetype via sourceforge is problematic for antiX 17?

      stevesr0

      • This topic was modified 2 years, 6 months ago by christophe.
      #44046
      Member
      Xecure

        Why download it via sourceforge?

        Why not check first if it was resolved in Debian?
        Is this the bug you are referring to? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972586

        It appears to already be patched. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972586#29

        antiX Live system enthusiast.
        General Live Boot Parameters for antiX.

        #44047
        Member
        Xecure

          Update your packages.

          antiX Live system enthusiast.
          General Live Boot Parameters for antiX.

          #44050
          Anonymous

            Due to today’s hiccups with the apt update mechanism (https://www.antixforum.com/forums/topic/erros-during-the-update-process/),
            I’ll mention that if you want to expedite, you can manually retrieve the deb files and install them via “sudo dpkg -i”.

            For an antix 17 64bit system:
            http://security.debian.org/debian-security/pool/updates/main/f/freetype/libfreetype6_2.6.3-3.2+deb9u2_amd64.deb

            If the “-dev” pkg is also currently installed on your system, install the base pkg first, THEN the dev pkg.
            http://security.debian.org/debian-security/pool/updates/main/f/freetype/libfreetype6-dev_2.6.3-3.2+deb9u2_amd64.deb

            For an antix 17 32bit system, the appropriate 2.6.3-3.2+deb9u2* debs can be downloaded here
            http://security.debian.org/debian-security/pool/updates/main/f/freetype

            For antiX 19, the suitable libfreetype6 debs are numbered v2.91xxxx*

            #44104
            Member
            stevesr0

              Hi Xecure and skidoo,

              Thanks for responses.
              I do apt update && apt full-upgrade every day.
              I didn’t get an error message, but there is only freetype 2.6.3-3.2+deb9u2-amd64 listed in my repos.
              It is already installed.
              I understand the patched version is 2.10.

              It appears that I need a version newer than the ones in the AntiX 17 repos. My concern is always that in installing something from a different version or from git that I will end up with an incompatibility.

              stevesr0

              • This reply was modified 2 years, 6 months ago by stevesr0.
              #44113
              Anonymous

                > antix 17
                >
                > I understand the patched version is 2.10

                .

                #44120
                Member
                Xecure

                  All versions, be they “older or newer”, were patched in Debian, as you can see if you read the read I linked.

                  Do this in terminal:
                  apt changelog libfreetype6
                  and see the first entries in the changelog:

                  freetype (2.6.3-3.2+deb9u2) stretch-security; urgency=medium
                  
                    * Non-maintainer upload by the LTS Team.
                    * CVE-2020-15999
                      Fix heap buffer overflow.
                  
                   -- Thorsten Alteholz <debian@alteholz.de>  Fri, 23 Oct 2020 19:03:02 +0200

                  So the exploit was fixed.

                  Thanks for reading until the end.

                  • This reply was modified 2 years, 6 months ago by Xecure. Reason: Pasted correct antiX 17 version changelog

                  antiX Live system enthusiast.
                  General Live Boot Parameters for antiX.
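
The changelog check from the post above, scripted so it can be repeated for any package and CVE id. This is an added example, not part of the original thread: the function names and the older placeholder changelog entry are constructed for illustration, and only the 2.6.3-3.2+deb9u2 entry comes from the page.

```shell
#!/bin/sh
# Added example: confirm a backported fix from the Debian changelog instead of
# comparing upstream version numbers (2.6.x vs 2.10.x).

# Read a Debian changelog on stdin and print "<source> <version> <suite>" for
# the oldest entry whose body mentions the CVE id in $1. Exit 1 if none does.
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header, e.g. "freetype (2.6.3-3.2+deb9u2) stretch-security; ..."
        /^[a-z0-9][a-z0-9+.-]* \(.*\) / {
            ver = $2; gsub(/[()]/, "", ver)
            suite = $3; sub(/;$/, "", suite)
            entry = $1 " " ver " " suite
            next
        }
        # Changelogs are newest-first, so the last hit is the oldest entry.
        entry != "" && index($0, cve) { hit = entry }
        END { if (hit == "") exit 1; print hit }
    '
}

# Assumes a Debian-based system with apt and dpkg: exit 0 if the installed
# binary package $1 is at or above the version that fixed CVE $2,
# 1 if it is older, 2 if the changelog never mentions the CVE.
installed_has_fix() {
    fixed=$(apt changelog "$1" 2>/dev/null | cve_fixed_in "$2") || return 2
    fixed_ver=$(printf '%s\n' "$fixed" | awk '{ print $2 }')
    have=$(dpkg-query -W -f='${Version}\n' "$1" | head -n 1)
    dpkg --compare-versions "$have" ge "$fixed_ver"
}

# Constructed sample input: the first entry is the one quoted in the thread,
# the second is a labelled placeholder with no CVE reference.
sample_changelog() {
    cat <<'EOF'
freetype (2.6.3-3.2+deb9u2) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2020-15999
    Fix heap buffer overflow.

freetype (0.0.0-placeholder) unstable; urgency=low

  * Constructed older entry with no CVE reference.
EOF
}

sample_changelog | cve_fixed_in CVE-2020-15999
```

On a real system, `installed_has_fix libfreetype6 CVE-2020-15999` runs the same check against the live changelog and the installed version.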

                  #44144
                  Member
                  stevesr0

                    Thanks, Xecure – I wasn’t familiar with using apt changelog, so you have taught me something useful.

                    Thanks skidoo – I am leery about installing things from different versions; I wonder (from what Xecure said) if the versions marked (SECURITY) are the patched versions for different debians?

                    This is solved for me. (I would mark it solved, but I looked at my opening message and there is no option to edit…)

                    stevesr0
