Depends: Update FreeType package (CVE-2020-15999) #20320

Update FreeType package to v2.10.4 in Depends to help mitigate against recent 0 day flaw found. See CVE-2020-15999

utACK

Please don't close-and-make-new PRs...

No probs, understood.

<!--9cd9c72976c961c55c7acef8f6ba82cd-->

Guix builds

<!--a722867cd34abeea1fadc8d60700f111-->

Gitian builds

From CVE-2020-15999 description:

Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

So I'm wondering what is the scenario to exploit that vulnerability when running bitcoin-qt? @MarcoFalke Why 0.21.0 milestone added? Is it error prone to change dependency package at the last moment before branching-off?

Why 0.21.0 milestone added? Is it error prone to change dependency package at the last moment before branching-off?

I'm not sure, however there's not really a rush to update this just before a branch-off, and as far as I'm aware, there's no way to "use" this exploit with bitcoin-qt. It requires loading a specially crafted font, which has a .png file embedded inside it, and taking advantage of a buffer overflow thereafter. An exploit like this is obviously easier to use in a web browser, where pages can load arbitrary resources, like fonts.

Note that when we compile FreeType in depends we also explicitly disable png support, so for depends (release) builds we shouldn't even be compiling the affected code (Load_SBit_Png). If you look in the Linux depends output for Freetype you should see:

Library configuration:
  external zlib: no
  bzip2:         no
  libpng:        no

We also currently load libfreetype.so at runtime, so if anything, an end-user should make sure that the version of libfreetype on their system is updated.

I'm fine for us to update FreeType post branch off as part of #19716 (I'd already included an update there, although it's currently just to 2.10.2).

utACK efea820083b341fc461fa2eb6fb95efe2bdfc61e. Package SHA256 hash matches the one I have on my computer, downloaded by OS package manager some time ago.

Thanks for the investigation @fanquake .

Note that when we compile FreeType in depends we also explicitly disable png support, so for depends (release) builds we shouldn't even be compiling the affected code (Load_SBit_Png). If you look in the Linux depends output for Freetype you should see:

OK, so we don't compile the vulnerable code at all.

We also currently load libfreetype.so at runtime, so if anything, an end-user should make sure that the version of libfreetype on their system is updated.

Oh, right!!! this is one of the libraries that we only compile as an interface to a system shared library. We don't actually use any code from depends except the headers really. This would be something where TBD stubs would be better:

/tmp/x/bitcoin-0.20.0/bin$ readelf -d ./bitcoin-qt |grep NEEDED
 0x0000000000000001 (NEEDED)             Shared library: [libpthread.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [librt.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libfontconfig.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libfreetype.so.6]    <-----------------------------------
 0x0000000000000001 (NEEDED)             Shared library: [libxcb.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libdl.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libm.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libgcc_s.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [ld-linux-x86-64.so.2]

So it is sufficient if users upgrade their system package. Which they really should, but not so much because of bitcoin core.

Agree with removing it from the milestone.

(It still makes sense to bump this package at some point but there is no hurry)

In that case (we don't ship the built lib at all), it may be better to leave it at an older version simply to avoid any compatibility surprises...

I would say that If there are no compatibility issues flagged on the Bitcoin release processes to include 2.10.4, then that mitigates the CVE easily and should be merged in a future milestone / release, and also from end users or developers fiddling with depends compilation switches. It's just another attack vector that is simple to mitigate with the version bump.

It's just another attack vector that is simple to mitigate with the version bump.

Given the realizations above, how is this an attack vector?

I suppose it's a danger to anyone who uses depends themselves (ie, not via gitian)

But I'm not sure why anyone would need freetype from depends?

As mentioned above, a FreeType update was already a part of #19716, which I'll begin to split up shortly. I'll add you as a co-author in the relevant commit. Going to close this PR.

<!--e57a25ab6845829454e8d69fc972939a-->

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

<!--174a7506f384e20aa4161008e828411d-->

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #20413 (build: Require C++17 compiler by MarcoFalke)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

ok thanks.