--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: freetype/2.6.3-3.2
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 30 Apr 2017 10:51:34 +0200
- Message-id: <149354229412.11049.17103646957360908817.reportbug@eldamar.local>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi
Please unblock package freetype. It actually has already but it needs
an ack as well for d-i.
The update fixes two CVEs,
- CVE-2017-8105, #861220
- CVE-2017-8287, #861308
and adressed in a DSA for stable. Would thus be great to have the
fixes as well in stretch to avoid a regression.
unblock freetype/2.6.3-3.2
Regards,
Salvatore
diff -u freetype-2.6.3/debian/changelog freetype-2.6.3/debian/changelog
--- freetype-2.6.3/debian/changelog
+++ freetype-2.6.3/debian/changelog
@@ -1,3 +1,12 @@
+freetype (2.6.3-3.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Better protect `flex' handling (CVE-2017-8105) (Closes: #861220)
+ * t1_builder_close_contour: Add safety guard (CVE-2017-8287)
+ (Closes: #861308)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Thu, 27 Apr 2017 20:57:40 +0200
+
freetype (2.6.3-3.1) unstable; urgency=medium
* Non-maintainer upload.
diff -u freetype-2.6.3/debian/patches-freetype/series freetype-2.6.3/debian/patches-freetype/series
--- freetype-2.6.3/debian/patches-freetype/series
+++ freetype-2.6.3/debian/patches-freetype/series
@@ -6,0 +7,2 @@
+CVE-2017-8105-psaux-Better-protect-flex-handling.patch
+CVE-2017-8287-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch
only in patch2:
unchanged:
--- freetype-2.6.3.orig/debian/patches-freetype/CVE-2017-8105-psaux-Better-protect-flex-handling.patch
+++ freetype-2.6.3/debian/patches-freetype/CVE-2017-8105-psaux-Better-protect-flex-handling.patch
@@ -0,0 +1,43 @@
+From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Fri, 24 Mar 2017 09:15:10 +0100
+Subject: [PATCH] [psaux] Better protect `flex' handling.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+<callothersubr>: Since there is not a single flex operator but a
+series of subroutine calls, malformed fonts can call arbitrary other
+operators after the start of a flex, possibly adding points. For
+this reason we have to check the available number of points before
+inserting a point.
+---
+diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
+index af7b465..7dd4513 100644
+--- a/src/psaux/t1decode.c
++++ b/src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+ /* point without adding any point to the outline */
+ idx = decoder->num_flex_vectors++;
+ if ( idx > 0 && idx < 7 )
++ {
++ /* in malformed fonts it is possible to have other */
++ /* opcodes in the middle of a flex (which don't */
++ /* increase `num_flex_vectors'); we thus have to */
++ /* check whether we can add a point */
++ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
++ goto Syntax_Error;
++
+ t1_builder_add_point( builder,
+ x,
+ y,
+ (FT_Byte)( idx == 3 || idx == 6 ) );
++ }
+ }
+ break;
+
+--
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.6.3.orig/debian/patches-freetype/CVE-2017-8287-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch
+++ freetype-2.6.3/debian/patches-freetype/CVE-2017-8287-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch
@@ -0,0 +1,32 @@
+From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sun, 26 Mar 2017 08:32:09 +0200
+Subject: [PATCH] * src/psaux/psobjs.c (t1_builder_close_contour): Add safety
+ guard.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
+---
+diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
+index d18e821..0baf836 100644
+--- a/src/psaux/psobjs.c
++++ b/src/psaux/psobjs.c
+@@ -1718,6 +1718,14 @@
+ first = outline->n_contours <= 1
+ ? 0 : outline->contours[outline->n_contours - 2] + 1;
+
++ /* in malformed fonts it can happen that a contour was started */
++ /* but no points were added */
++ if ( outline->n_contours && first == outline->n_points )
++ {
++ outline->n_contours--;
++ return;
++ }
++
+ /* We must not include the last point in the path if it */
+ /* is located on the first point. */
+ if ( outline->n_points > 1 )
+--
+2.1.4
+
--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Salvatore Bonaccorso <carnil@debian.org> (2017-04-30):
>> Please unblock package freetype. It actually has already but it needs
>> an ack as well for d-i.
>>
>> The update fixes two CVEs,
>>
>> - CVE-2017-8105, #861220
>
> No regressions spotted with various languages, ACK.
>
>
> KiBi.
>
Unblocked, thanks.
~Niels
--- End Message ---