[qutebrowser] CVE-2020-15999: heap overflow in freetype

Florian Bruhin me at the-compiler.org
Wed Oct 21 22:20:58 CEST 2020


Hey,

Recently, a security issue in freetype made the rounds, as it's being
actively exploited in Google Chrome:
https://nakedsecurity.sophos.com/2020/10/21/chrome-zero-day-in-the-wild-patch-now/
https://security.archlinux.org/CVE-2020-15999

QtWebEngine (the backend used by default by qutebrowser) can use either
a system-wide or a bundled freetype.

The binary releases for Windows/macOS are likely affected (as they ship
with a Qt build which comes with a bundled freetype, as far as I can
tell). It looks like there's a fix already merged for Qt 5.15.2:
https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/318220

The release of that is planned for November 3rd - after that, there will
be an updated PyQt release (usually takes 1-2 days or so), and as soon
as that happens I'll be able to release a new qutebrowser release.

As for Linux distributions, I'd hope most of them use a system-wide
freetype which can be updated independently. Archlinux does, I have no
idea about others. If you're using another distro, check via something
like: ldd /usr/lib/libQt5WebEngine.so | grep -i freetype

If you see a line pointing to something like /usr/lib/libfreetype.so.6,
it should be fixed as soon as your distribution updates freetype. If you
don't see such a line, it might be good to open a bug against your
distribution to make the respective package maintainers aware of the
issue.

Florian

-- 
me at the-compiler.org (Mail/XMPP) | https://www.qutebrowser.org 
       https://bruhin.software/ | https://github.com/sponsors/The-Compiler/
       GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
             I love long mails! | https://email.is-not-s.ms/
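
The ldd check described in the message above, as an added example that is not part of the original mail or of qutebrowser. It classifies the `ldd` output instead of only grepping it; the function names are made up for this example, and the default path is the one quoted in the message (other distributions may install the library elsewhere):

```shell
#!/bin/sh
# Added example, not from the original mail.
# classify_freetype: reads `ldd` output on stdin and prints one of
#   system:<path>  shared libfreetype resolved by the dynamic loader
#   missing        libfreetype is a dependency but the loader cannot find it
#   none           no libfreetype dependency (freetype is probably bundled)
classify_freetype() {
    while read -r name arrow target _rest; do
        case $name in
            libfreetype.so*)
                if [ "$arrow" = "=>" ]; then
                    case $target in
                        /*)  echo "system:$target"; return 0 ;;
                        not) echo "missing"; return 0 ;;
                    esac
                fi ;;
        esac
    done
    echo "none"
}

# check_webengine [path]: runs ldd on the QtWebEngine library and reports
# how it gets freetype. Only run ldd on libraries you trust, since ldd may
# execute code from the file it inspects.
# Returns 0 for a system freetype, 1 for bundled/unresolved, 2 if the
# library file does not exist.
check_webengine() {
    lib=${1:-/usr/lib/libQt5WebEngine.so}   # path as given in the message
    if [ ! -e "$lib" ]; then
        echo "library not found: $lib" >&2
        return 2
    fi
    result=$(ldd "$lib" 2>/dev/null | classify_freetype)
    case $result in
        system:*)
            echo "$lib uses the system freetype at ${result#system:};" \
                 "fixed once the distribution updates freetype" ;;
        missing)
            echo "$lib depends on libfreetype, but the loader cannot resolve it"
            return 1 ;;
        *)
            echo "$lib has no shared libfreetype dependency (likely bundled);" \
                 "consider reporting this to the package maintainers"
            return 1 ;;
    esac
}
```

Call `check_webengine` with no argument to test the default path, or pass the library path your distribution uses.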