Insyde Security Advisory 2022038

Insyde ID: INSYDE-SA-2022038
Advisory Category: Software
Impact of Vulnerability: CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Severity Rating: 3.6
Original Date: 09/30/2022
Last Revised: 09/30/2022

Summary:

Some versions of InsydeH2O use the FreeType tools to embed fonts into the BIOS. InsydeH2O does not use the FreeType API at runtime and usage during build time does not produce a vulnerability in the BIOS.

Vulnerability Details

CVE-2022-27405

Some versions of InsydeH2O use the FreeType tools to embed fonts into the BIOS. InsydeH2O does not use the FreeType API at runtime and usage during build time does not produce a vulnerability in the BIOS. The CVSS reflects this limited usage. The version of FreeType used in InsydeH2O was updated to 2.10.4.

This was fixed in the following kernel versions:

kernel 5.0, unknown (End of Support)
kernel 5.1, version 05.17.33
kernel 5.2, version 05.27.33
kernel 5.3, version 05.36.34
kernel 5.4, version 05.44.34
kernel 5.5, version 05.52.33

Acknowledgements

This issue was discovered by the Insyde engineering team based on FreeType reports (https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/).

Revision History:

Revision Date Description
1.0 09/30/2022 Initial Release