[freetype/f12/master] Security bugfixes

mkasik mkasik at fedoraproject.org
Mon Oct 4 13:41:50 UTC 2010


commit eea03f17e6ef62c64919293af3587fedb09742b8
Author: Marek Kasik <mkasik at redhat.com>
Date:   Mon Oct 4 15:34:44 2010 +0200

    Security bugfixes
    
    Add freetype-2.3.11-CVE-2010-2805.patch
      (Fix comparison.)
    Add freetype-2.3.11-CVE-2010-2806.patch
      (Protect against negative string_size. Fix comparison.)
    Add freetype-2.3.11-CVE-2010-2808.patch
      (Check the total length of collected POST segments.)
    Add freetype-2.3.11-CVE-2010-3311.patch
      (Don't seek behind end of stream.)
    Resolves: #638522

 freetype-2.3.11-CVE-2010-2805.patch |   11 +++++++++
 freetype-2.3.11-CVE-2010-2806.patch |   41 +++++++++++++++++++++++++++++++++++
 freetype-2.3.11-CVE-2010-2808.patch |   21 ++++++++++++++++++
 freetype-2.3.11-CVE-2010-3311.patch |   37 +++++++++++++++++++++++++++++++
 freetype.spec                       |   21 +++++++++++++++++-
 5 files changed, 130 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.3.11-CVE-2010-2805.patch b/freetype-2.3.11-CVE-2010-2805.patch
new file mode 100644
index 0000000..74ff6be
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2805.patch
@@ -0,0 +1,11 @@
+--- freetype-2.3.11/src/base/ftstream.c	2009-08-03 19:51:40.000000000 +0200
++++ freetype-2.3.11/src/base/ftstream.c	2010-09-30 13:46:08.000000000 +0200
+@@ -275,7 +275,7 @@
+     {
+       /* check current and new position */
+       if ( stream->pos >= stream->size        ||
+-           stream->pos + count > stream->size )
++           stream->size - stream->pos < count )
+       {
+         FT_ERROR(( "FT_Stream_EnterFrame:"
+                    " invalid i/o; pos = 0x%lx, count = %lu, size = 0x%lx\n",
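Review bot: The new clause `stream->size - stream->pos < count` is only free of unsigned wrap because the clause before it already rejects `stream->pos >= stream->size`; that ordering dependency is not written down, and swapping the two conditions would silently reintroduce a wrap. Suggest a comment above the `if`: `/* pos < size is established first, so size - pos cannot wrap; pos + count could, which is why the sum is not compared */`. The enclosing FT_Stream_EnterFrame body starts and ends outside the hunk.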
diff --git a/freetype-2.3.11-CVE-2010-2806.patch b/freetype-2.3.11-CVE-2010-2806.patch
new file mode 100644
index 0000000..564d6d3
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2806.patch
@@ -0,0 +1,41 @@
+--- freetype-2.3.11/src/type42/t42parse.c	2009-07-03 15:28:24.000000000 +0200
++++ freetype-2.3.11/src/type42/t42parse.c	2010-09-23 12:15:56.000000000 +0200
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Type 42 font parser (body).                                          */
+ /*                                                                         */
+-/*  Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by            */
++/*  Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by      */
+ /*  Roberto Alameda.                                                       */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -575,6 +575,12 @@
+         }
+ 
+         string_size = T1_ToInt( parser );
++        if ( string_size < 0 )
++        {
++          FT_ERROR(( "t42_parse_sfnts: invalid string size\n" ));
++          error = T42_Err_Invalid_File_Format;
++          goto Fail;
++        }
+ 
+         T1_Skip_PS_Token( parser );             /* `RD' */
+         if ( parser->root.error )
+@@ -582,13 +588,14 @@
+ 
+         string_buf = parser->root.cursor + 1;   /* one space after `RD' */
+ 
+-        parser->root.cursor += string_size + 1;
+-        if ( parser->root.cursor >= limit )
++        if ( limit - parser->root.cursor < string_size )
+         {
+           FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+           error = T42_Err_Invalid_File_Format;
+           goto Fail;
+         }
++        else
++          parser->root.cursor += string_size + 1;
+       }
+ 
+       if ( !string_buf )
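Review bot: The replacement bound `limit - parser->root.cursor < string_size` still accepts `limit - parser->root.cursor == string_size`, after which `parser->root.cursor += string_size + 1` points one past `limit`, and `string_buf` (which starts at `cursor + 1`) would reach the byte at `limit` if all `string_size` bytes are later consumed; that consumer is outside the hunk, so this is an inference from the visible arithmetic. The pre-patch check rejected that case (it tested `cursor >= limit` after the increment); the non-overflowing form that keeps the data inside the buffer is `if ( limit - parser->root.cursor <= string_size )`. The `string_size < 0` guard added earlier in the hunk is what makes the pointer-difference comparison meaningful, so the two checks should stay together. t42_parse_sfnts begins and ends outside the hunk.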
diff --git a/freetype-2.3.11-CVE-2010-2808.patch b/freetype-2.3.11-CVE-2010-2808.patch
new file mode 100644
index 0000000..a68a06f
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2808.patch
@@ -0,0 +1,21 @@
+--- freetype-2.3.11/src/base/ftobjs.c	2010-09-30 13:58:50.000000000 +0200
++++ freetype-2.3.11/src/base/ftobjs.c	2010-09-30 13:59:31.000000000 +0200
+@@ -1529,6 +1529,7 @@
+       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+                    i, offsets[i], rlen, flags ));
+ 
++      /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
+       if ( ( flags >> 8 ) == 0 )        /* Comment, should not be loaded */
+         continue;
+ 
+@@ -1568,6 +1569,10 @@
+         pfb_data[pfb_pos++] = 0;
+       }
+ 
++      error = FT_Err_Cannot_Open_Resource;
++      if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
++        goto Exit2;
++
+       error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
+       if ( error )
+         goto Exit2;
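Review bot: `pfb_pos + rlen > pfb_len` forms the sum before comparing, so an `rlen` near the top of its range can overflow (signed `FT_Long`, as the rest of this function appears to use) or wrap and slip past the guard; the same bound without the addition is `rlen > pfb_len - pfb_pos`, and the first clause `pfb_pos > pfb_len` already guarantees that subtraction is non-negative. If `rlen` is not already clamped to a non-negative value above the hunk (it is read from the resource fork; any clamping is outside view), a negative value would also pass, so the full line would be `if ( pfb_pos > pfb_len || rlen < 0 || rlen > pfb_len - pfb_pos )`. The loop over POST fragments that contains this code starts before the hunk and continues after it.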
diff --git a/freetype-2.3.11-CVE-2010-3311.patch b/freetype-2.3.11-CVE-2010-3311.patch
new file mode 100644
index 0000000..3645591
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-3311.patch
@@ -0,0 +1,37 @@
+--- freetype-2.3.11/src/base/ftstream.c	2010-09-30 14:12:38.000000000 +0200
++++ freetype-2.3.11/src/base/ftstream.c	2010-09-30 14:12:59.000000000 +0200
+@@ -59,8 +59,17 @@
+   {
+     FT_Error  error = FT_Err_Ok;
+ 
++    /* note that seeking to the first position after the file is valid */
++    if ( pos > stream->size )
++    {
++      FT_ERROR(( "FT_Stream_Seek:"
++                 " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
++                 pos, stream->size ));
+ 
+-    if ( stream->read )
++      error = FT_Err_Invalid_Stream_Operation;
++    }
++
++    if ( !error && stream->read )
+     {
+       if ( stream->read( stream, pos, 0, 0 ) )
+       {
+@@ -71,15 +80,6 @@
+         error = FT_Err_Invalid_Stream_Operation;
+       }
+     }
+-    /* note that seeking to the first position after the file is valid */
+-    else if ( pos > stream->size )
+-    {
+-      FT_ERROR(( "FT_Stream_Seek:"
+-                 " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
+-                 pos, stream->size ));
+-
+-      error = FT_Err_Invalid_Stream_Operation;
+-    }
+ 
+     if ( !error )
+       stream->pos = pos;
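Review bot: Style: the blank line left between the `FT_ERROR` call and `error = FT_Err_Invalid_Stream_Operation;` inside the new `if ( pos > stream->size )` block is a leftover from moving the block up and splits a two-statement body; drop it so the block reads as one unit. The size check now runs before the `stream->read` callback for every stream, which only holds if `stream->size` is populated for callback-backed streams as well as memory streams; a one-line comment such as `/* stream->size is required to be valid for callback streams too */` would record that expectation at the check. FT_Stream_Seek's signature is above the hunk and its tail below it.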
diff --git a/freetype.spec b/freetype.spec
index a6b6640..cbe1c5f 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -9,7 +9,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.3.11
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -38,6 +38,10 @@ Patch93:  freetype-2.3.11-CVE-2010-2520.patch
 Patch94:  freetype-2.3.11-CVE-2010-2527.patch
 Patch95:  freetype-2.3.11-CVE-2010-2541.patch
 Patch96:  freetype-2.3.11-CVE-2010-1797.patch
+Patch97:  freetype-2.3.11-CVE-2010-2805.patch
+Patch98:  freetype-2.3.11-CVE-2010-2806.patch
+Patch99:  freetype-2.3.11-CVE-2010-2808.patch
+Patch100:  freetype-2.3.11-CVE-2010-3311.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
@@ -114,6 +118,10 @@ popd
 %patch94 -p1 -b .CVE-2010-2527
 %patch95 -p1 -b .CVE-2010-2541
 %patch96 -p1 -b .CVE-2010-1797
+%patch97 -p1 -b .CVE-2010-2805
+%patch98 -p1 -b .CVE-2010-2806
+%patch99 -p1 -b .CVE-2010-2808
+%patch100 -p1 -b .CVE-2010-3311
 
 %build
 
@@ -243,6 +251,17 @@ rm -rf $RPM_BUILD_ROOT
 %doc docs/tutorial
 
 %changelog
+* Mon Oct  4 2010 Marek Kasik <mkasik at redhat.com> 2.3.11-6
+- Add freetype-2.3.11-CVE-2010-2805.patch
+    (Fix comparison.)
+- Add freetype-2.3.11-CVE-2010-2806.patch
+    (Protect against negative string_size. Fix comparison.)
+- Add freetype-2.3.11-CVE-2010-2808.patch
+    (Check the total length of collected POST segments.)
+- Add freetype-2.3.11-CVE-2010-3311.patch
+    (Don't seek behind end of stream.)
+- Resolves: #638522
+
 * Mon Oct  4 2010 Marek Kasik <mkasik at redhat.com> 2.3.11-5
 - Add freetype-2.3.11-CVE-2010-1797.patch
     (Check stack after execution of operations too.

