[freetype/f14/master] Security bugfix

mkasik mkasik at fedoraproject.org
Wed Oct 6 17:03:56 UTC 2010


commit 0c0437d310b2e3c227d12c8d55cbc21533569beb
Author: Marek Kasik <mkasik at redhat.com>
Date:   Wed Oct 6 19:00:46 2010 +0200

    Security bugfix
    
    Add freetype-2.4.2-CVE-2010-3311.patch
      (Don't seek behind end of stream.)
    Resolves: #638522

 freetype-2.4.2-CVE-2010-3311.patch |   37 ++++++++++++++++++++++++++++++++++++
 freetype.spec                      |   10 ++++++++-
 2 files changed, 46 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.4.2-CVE-2010-3311.patch b/freetype-2.4.2-CVE-2010-3311.patch
new file mode 100644
index 0000000..7f51a95
--- /dev/null
+++ b/freetype-2.4.2-CVE-2010-3311.patch
@@ -0,0 +1,37 @@
+--- freetype-2.4.2/src/base/ftstream.c	2010-08-04 15:52:01.000000000 +0200
++++ freetype-2.4.2/src/base/ftstream.c	2010-10-06 18:47:07.000000000 +0200
+@@ -59,8 +59,17 @@
+   {
+     FT_Error  error = FT_Err_Ok;
+ 
++    /* note that seeking to the first position after the file is valid */
++    if ( pos > stream->size )
++    {
++      FT_ERROR(( "FT_Stream_Seek:"
++                 " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
++                 pos, stream->size ));
+ 
+-    if ( stream->read )
++      error = FT_Err_Invalid_Stream_Operation;
++    }
++
++    if ( !error && stream->read )
+     {
+       if ( stream->read( stream, pos, 0, 0 ) )
+       {
+@@ -71,15 +80,6 @@
+         error = FT_Err_Invalid_Stream_Operation;
+       }
+     }
+-    /* note that seeking to the first position after the file is valid */
+-    else if ( pos > stream->size )
+-    {
+-      FT_ERROR(( "FT_Stream_Seek:"
+-                 " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
+-                 pos, stream->size ));
+-
+-      error = FT_Err_Invalid_Stream_Operation;
+-    }
+ 
+     if ( !error )
+       stream->pos = pos;
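Review bot: The `pos > stream->size` check now runs before the `stream->read` branch, so it also gates callback-backed streams and relies on their `stream->size` being accurate. The hunk does not show whether every such stream sets `size`; one that leaves it at 0 or at a placeholder would now either fail every non-zero seek or never be bounded by this check. I would record that dependency in the comment, e.g. `/* also applies to streams with a read callback: stream->size must be valid */`. The patch file also begins directly at the `---` header, so a short preamble naming the CVE, the bug number and the origin of the fix would help whoever rebases it later. The function signature and the middle of the callback branch lie outside the two hunks.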
diff --git a/freetype.spec b/freetype.spec
index 3b4bd9f..46c2bbd 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.4.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -26,6 +26,8 @@ Patch47:  freetype-2.3.11-more-demos.patch
 # Fix multilib conflicts
 Patch88:  freetype-multilib.patch
 
+Patch89:  freetype-2.4.2-CVE-2010-3311.patch
+
 Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
 BuildRequires: libX11-devel
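Review bot: `Patch89` is declared without the one-line comment that the entry above it carries (`# Fix multilib conflicts` on `Patch88`). A line such as `# CVE-2010-3311: don't seek behind end of stream (#638522)` directly above it would keep the reason for this security patch visible next to the declaration, not only in the changelog.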
@@ -91,6 +93,7 @@ pushd ft2demos-%{version}
 popd
 
 %patch88 -p1 -b .multilib
+%patch89 -p1 -b .CVE-2010-3311
 
 %build
 
@@ -223,6 +226,11 @@ rm -rf $RPM_BUILD_ROOT
 %doc docs/tutorial
 
 %changelog
+* Wed Oct  6 2010 Marek Kasik <mkasik at redhat.com> 2.4.2-3
+- Add freetype-2.4.2-CVE-2010-3311.patch
+    (Don't seek behind end of stream.)
+- Resolves: #638522
+
 * Fri Aug  6 2010 Matthias Clasen <mclasen at redhat.com> 2.4.2-2
 - Fix a thinko, we still want to disable the bytecode interpreter
   by default

