
Bug#861526: marked as done (unblock: freetype/2.6.3-3.2)



Your message dated Mon, 01 May 2017 16:41:00 +0000
with message-id <4b576db8-7aa4-7c59-f747-db56f323021c@thykier.net>
and subject line Re: Bug#861526: unblock: freetype/2.6.3-3.2
has caused the Debian Bug report #861526,
regarding unblock: freetype/2.6.3-3.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
861526: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861526
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package freetype. It actually has already been, but it needs
an ack as well for d-i.

The update fixes two CVEs,

 - CVE-2017-8105, #861220
 - CVE-2017-8287, #861308

and addressed in a DSA for stable. It would thus be great to have the
fixes in stretch as well, to avoid a regression.

unblock freetype/2.6.3-3.2

Regards,
Salvatore
diff -u freetype-2.6.3/debian/changelog freetype-2.6.3/debian/changelog
--- freetype-2.6.3/debian/changelog
+++ freetype-2.6.3/debian/changelog
@@ -1,3 +1,12 @@
+freetype (2.6.3-3.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Better protect `flex' handling (CVE-2017-8105) (Closes: #861220)
+  * t1_builder_close_contour: Add safety guard (CVE-2017-8287)
+    (Closes: #861308)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 27 Apr 2017 20:57:40 +0200
+
 freetype (2.6.3-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -u freetype-2.6.3/debian/patches-freetype/series freetype-2.6.3/debian/patches-freetype/series
--- freetype-2.6.3/debian/patches-freetype/series
+++ freetype-2.6.3/debian/patches-freetype/series
@@ -6,0 +7,2 @@
+CVE-2017-8105-psaux-Better-protect-flex-handling.patch
+CVE-2017-8287-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch
only in patch2:
unchanged:
--- freetype-2.6.3.orig/debian/patches-freetype/CVE-2017-8105-psaux-Better-protect-flex-handling.patch
+++ freetype-2.6.3/debian/patches-freetype/CVE-2017-8105-psaux-Better-protect-flex-handling.patch
@@ -0,0 +1,43 @@
+From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Fri, 24 Mar 2017 09:15:10 +0100
+Subject: [PATCH] [psaux] Better protect `flex' handling.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+<callothersubr>: Since there is not a single flex operator but a
+series of subroutine calls, malformed fonts can call arbitrary other
+operators after the start of a flex, possibly adding points.  For
+this reason we have to check the available number of points before
+inserting a point.
+---
+diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
+index af7b465..7dd4513 100644
+--- a/src/psaux/t1decode.c
++++ b/src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+             /* point without adding any point to the outline    */
+             idx = decoder->num_flex_vectors++;
+             if ( idx > 0 && idx < 7 )
++            {
++              /* in malformed fonts it is possible to have other */
++              /* opcodes in the middle of a flex (which don't    */
++              /* increase `num_flex_vectors'); we thus have to   */
++              /* check whether we can add a point                */
++              if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
++                goto Syntax_Error;
++
+               t1_builder_add_point( builder,
+                                     x,
+                                     y,
+                                     (FT_Byte)( idx == 3 || idx == 6 ) );
++            }
+           }
+           break;
+ 
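Review bot: the counter is still bumped before the new guard runs: `idx = decoder->num_flex_vectors++` on the line above the added block executes, and only then does `t1_builder_check_points( builder, 1 )` fail and `goto Syntax_Error`. That is safe only because `Syntax_Error` abandons the whole charstring; if the error path were ever changed to skip the point and keep decoding, the flex vector count would be off by one relative to the points actually added. Either move the check ahead of the increment or add a one-line comment stating that the error path must not resume. The guard requests exactly one point, which matches the single `t1_builder_add_point` call it protects, so the size argument is right.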
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.6.3.orig/debian/patches-freetype/CVE-2017-8287-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch
+++ freetype-2.6.3/debian/patches-freetype/CVE-2017-8287-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch
@@ -0,0 +1,32 @@
+From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sun, 26 Mar 2017 08:32:09 +0200
+Subject: [PATCH] * src/psaux/psobjs.c (t1_builder_close_contour): Add safety
+ guard.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
+---
+diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
+index d18e821..0baf836 100644
+--- a/src/psaux/psobjs.c
++++ b/src/psaux/psobjs.c
+@@ -1718,6 +1718,14 @@
+     first = outline->n_contours <= 1
+             ? 0 : outline->contours[outline->n_contours - 2] + 1;
+ 
++    /* in malformed fonts it can happen that a contour was started */
++    /* but no points were added                                    */
++    if ( outline->n_contours && first == outline->n_points )
++    {
++      outline->n_contours--;
++      return;
++    }
++
+     /* We must not include the last point in the path if it */
+     /* is located on the first point.                       */
+     if ( outline->n_points > 1 )
+-- 
+2.1.4
+

--- End Message ---
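The two guards in the patches above, replayed on a miniature stand-in for the Type 1 builder. This is an added illustration, not FreeType's or the patch's code: the `mini_builder` struct, the `mb_*` functions, the fixed `MAX_POINTS` capacity and the `overflow` flag are constructed analogues of `t1_builder_check_points`, `t1_builder_add_point` and `t1_builder_close_contour`, and the two operator sequences are constructed to have the shape the commit messages describe (other operators in the middle of a flex; a contour closed without any point), not taken from any real font.

```c
#include <string.h>

#define MAX_POINTS   8
#define MAX_CONTOURS 4
enum { MB_OK = 0, MB_SYNTAX_ERROR = 1, MB_WOULD_OVERFLOW = -1 };

/* Fixed-capacity outline standing in for FT_Outline and the builder around it
 * (constructed stand-in).  `overflow' is instrumentation: it records that the
 * unguarded path touched a point that does not exist, instead of really going
 * out of bounds. */
typedef struct {
    int           x[MAX_POINTS], y[MAX_POINTS];
    unsigned char on_curve[MAX_POINTS];
    int           contour_end[MAX_CONTOURS];  /* index of each contour's last point */
    int           n_points, n_contours;
    int           num_flex_vectors;           /* as decoder->num_flex_vectors */
    int           overflow;
} mini_builder;

/* t1_builder_check_points analogue: is there room for `count' more points? */
static int mb_check_points(const mini_builder *b, int count)
{
    return b->n_points + count <= MAX_POINTS ? MB_OK : MB_SYNTAX_ERROR;
}

/* t1_builder_add_point analogue: appends blindly, trusting the caller. */
static void mb_add_point(mini_builder *b, int x, int y, unsigned char on)
{
    if (b->n_points >= MAX_POINTS) { b->overflow = 1; return; }
    b->x[b->n_points] = x;  b->y[b->n_points] = y;  b->on_curve[b->n_points] = on;
    b->n_points++;
}

/* Ordinary path operator (rlineto-like): always checks before adding. */
static int mb_lineto(mini_builder *b, int x, int y)
{
    if (mb_check_points(b, 1) != MB_OK) return MB_SYNTAX_ERROR;
    mb_add_point(b, x, y, 1);
    return MB_OK;
}

/* <callothersubr> flex vector from the first patch.  Flex is a series of
 * subroutine calls, so a malformed font can run other operators between them;
 * `guarded' selects the post-patch behaviour. */
static int mb_flex_vector(mini_builder *b, int x, int y, int guarded)
{
    int idx = b->num_flex_vectors++;
    if (idx > 0 && idx < 7) {
        if (guarded && mb_check_points(b, 1) != MB_OK) return MB_SYNTAX_ERROR;
        mb_add_point(b, x, y, (unsigned char)(idx == 3 || idx == 6));
    }
    return MB_OK;
}

/* t1_builder_close_contour analogue with the second patch's guard. */
static void mb_close_contour(mini_builder *b, int guarded)
{
    int first = b->n_contours <= 1 ? 0 : b->contour_end[b->n_contours - 2] + 1;
    int last  = b->n_points - 1;
    if (b->n_contours == 0) return;
    if (guarded && first == b->n_points) {
        b->n_contours--;            /* contour started but never got a point: drop it */
        return;
    }
    if (b->n_points > 1) {
        if (first >= b->n_points)
            b->overflow = 1;        /* unguarded: compares against points[first], which does not exist */
        else if (b->on_curve[last] && b->x[first] == b->x[last] && b->y[first] == b->y[last])
            { b->n_points--; last--; }   /* closing point duplicates the first one: drop it */
    }
    b->contour_end[b->n_contours - 1] = last;
}

/* CVE-2017-8105 shape (constructed sequence): flex started, ordinary operators
 * fill the point buffer, then the next flex vector arrives.
 * Returns MB_SYNTAX_ERROR, MB_OK, or MB_WOULD_OVERFLOW if a write went past the end. */
static int run_malformed_flex(int guarded)
{
    mini_builder b;
    int i, err;
    memset(&b, 0, sizeof b);
    b.n_contours = 1;
    if ((err = mb_flex_vector(&b, 0, 0, guarded)) != MB_OK) return err;  /* idx 0: no point */
    for (i = 0; i < MAX_POINTS; i++)
        if ((err = mb_lineto(&b, i, i)) != MB_OK) return err;
    if ((err = mb_flex_vector(&b, 9, 9, guarded)) != MB_OK) return err;  /* idx 1: buffer full */
    return b.overflow ? MB_WOULD_OVERFLOW : MB_OK;
}

/* CVE-2017-8287 shape (constructed sequence): a second contour is started and
 * closed with no point ever added to it.
 * Returns the number of contours kept, or MB_WOULD_OVERFLOW if a nonexistent point was read. */
static int run_empty_contour(int guarded)
{
    mini_builder b;
    memset(&b, 0, sizeof b);
    b.n_contours = 1;
    mb_lineto(&b, 0, 0);  mb_lineto(&b, 10, 0);
    mb_close_contour(&b, guarded);      /* contour 0 holds points 0..1 */
    b.n_contours++;
    mb_close_contour(&b, guarded);      /* contour 1 has no points at all */
    return b.overflow ? MB_WOULD_OVERFLOW : b.n_contours;
}
```

With the guard on, `run_malformed_flex(1)` rejects the sequence with a syntax error at exactly the point where the real patch jumps to `Syntax_Error`; with it off, the flex vector would be written at index `MAX_POINTS`. `run_empty_contour(1)` drops the empty second contour and reports a single contour, while the unguarded close compares against a point that was never added, which is the read the second patch prevents.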
--- Begin Message ---
Cyril Brulebois:
> Salvatore Bonaccorso <carnil@debian.org> (2017-04-30):
>> Please unblock package freetype. It actually has already been, but it needs
>> an ack as well for d-i.
>>
>> The update fixes two CVEs,
>>
>>  - CVE-2017-8105, #861220
> 
> No regressions spotted with various languages, ACK.
> 
> 
> KiBi.
> 

Unblocked, thanks.

~Niels

--- End Message ---
