Can we remove the `freetype` package from RHEL?

Solution Verified

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • freetype

Issue

  • Can we remove the freetype package to avoid the vulnerability described in CVE-2020-15999 on RHEL 7 and RHEL 8?

Resolution

  • The grub2 package (and grub2-tools) depends on freetype, so removing freetype would pull the bootloader packages out with it (see Diagnostic Steps). Do not remove it; instead update freetype to the fixed build, freetype-2.8-14.el7_9.1 or later on RHEL 7 (RHEL 8 has its own fixed build, published in the RHEL 8 erratum for CVE-2020-15999), for example with `yum update freetype`.

Root Cause

  • freetype builds older than freetype-2.8-14.el7_9.1 on RHEL 7, and the corresponding pre-fix builds on RHEL 8, are affected by CVE-2020-15999.
  • FreeType is a free and portable font rendering engine, developed to provide advanced font support for a variety of platforms and environments.
  • FreeType opens and manages font files and efficiently loads, hints, and renders individual glyphs.
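The check an administrator wants after the update is whether the installed build is the fixed one or later, which is an rpm version comparison rather than a string comparison (2.8-14.el7 is older than 2.8-14.el7_9.1; an epoch, if present, wins over everything). The script below is an added example, not part of the original solution: it re-implements rpm's version comparison in Python so the comparison can be tested offline, takes the RHEL 7 fixed build named above as the default (on RHEL 8 pass the build from the RHEL 8 erratum instead), and, when run on a host, queries the local rpm database for each installed freetype architecture. The sample EVR strings are constructed; the first is the installed build shown in the yum transaction on this page.

```python
"""Check whether the installed freetype build is at or above a fixed EVR.

Added example: a Python re-implementation of rpm's version comparison
(rpmvercmp) so the check runs offline; rpm itself is only called in __main__.
"""
import re
import string
import subprocess

# Fixed RHEL 7 build named in the solution. RHEL 8 has its own erratum and a
# different fixed build; pass that EVR as fixed_evr on RHEL 8.
FIXED_EVR_RHEL7 = "2.8-14.el7_9.1"

# Constructed sample inputs: the first is the build from the yum transaction
# on this page, the others are hypothetical.
SAMPLE_EVRS = ["2.4.11-11.el7", "2.8-14.el7", "2.8-14.el7_9.1", "1:2.8-1.el7"]

_ALNUM = set(string.ascii_letters + string.digits)


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version (or release) strings; returns -1, 0 or 1.

    Mirrors rpm's lib/rpmvercmp.c: walk both strings segment by segment, a
    segment being a run of digits or a run of ASCII letters. Separators are
    skipped, numeric segments compare numerically (leading zeros ignored) and
    beat alphabetic ones, and '~' sorts before anything (pre-release markers).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in _ALNUM and a[i] not in "~^":
            i += 1                     # skip separators such as '.', '_', '-'
        while j < len(b) and b[j] not in _ALNUM and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":     # tilde sorts before everything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":     # caret: like tilde, but end of string sorts first
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):            # one side exhausted; decided after the loop
            break
        if ca.isdigit():
            s1 = re.match(r"[0-9]+", a[i:]).group()
            s2 = re.match(r"[0-9]*", b[j:]).group()
            isnum = True
        else:
            s1 = re.match(r"[A-Za-z]+", a[i:]).group()
            s2 = re.match(r"[A-Za-z]*", b[j:]).group()
            isnum = False
        if not s2:                     # different segment types: numeric is newer
            return 1 if isnum else -1
        i, j = i + len(s1), j + len(s2)
        if isnum:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):     # the longer digit string is the larger number
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1    # whichever string has segments left is newer


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' into (epoch, version, release); missing epoch is '0'."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings the way rpm does: epoch, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR_RHEL7) -> bool:
    """True when the installed build is the fixed build or a later one."""
    return evrcmp(installed_evr, fixed_evr) >= 0


def installed_freetype_evrs():
    """Query the local rpm database, one EVR per installed arch; rpm prints '(none)' for an unset epoch."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", "freetype"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [line.replace("(none):", "0:", 1) for line in out.splitlines() if line]


if __name__ == "__main__":
    for evr in SAMPLE_EVRS:
        print(f"{evr:>16}  fixed={is_fixed(evr)}")
    try:
        for evr in installed_freetype_evrs():
            print(f"installed {evr}  fixed={is_fixed(evr)}")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("rpm not available or freetype not installed on this host")
```

Note that the comparison is only meaningful against the fixed build for the same major release: a RHEL 8 build such as 2.9.1-based freetype compares as newer than 2.8-14.el7_9.1 simply because its upstream version is higher, which says nothing about whether the RHEL 8 fix is applied.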

Diagnostic Steps

Attempting to remove freetype with yum shows grub2 and grub2-tools being pulled into the transaction as dependent packages, which is why the package must not be removed:

Dependencies Resolved
===============================================================================================
 Package                       Arch           Version             Repository          Size
===============================================================================================
Removing:
 freetype                      x86_64         2.4.11-11.el7       @anaconda/7.2       878 k
Removing for dependencies:
 grub2                         x86_64         1:2.02-0.29.el7     @anaconda/7.2       7.1 M
 grub2-tools                   x86_64         1:2.02-0.29.el7     @anaconda/7.2        20 M

Transaction Summary
===============================================================================================
Remove  1 Package (+2 Dependent packages)

Installed size: 28 M
Is this ok [y/N]: 
