[freetype/f20] Fix various CVEs
mkasik
mkasik at fedoraproject.org
Tue Mar 11 13:13:26 UTC 2014
commit 026a552e731c47525ca9e64bdb8242b18bf733c5
Author: Marek Kasik <mkasik at redhat.com>
Date: Tue Mar 11 14:12:40 2014 +0100
Fix various CVEs
Add freetype-2.5.0-CVE-2014-2240.patch
(Return when `hintMask' is invalid.)
Add freetype-2.5.0-CVE-2014-2241.patch
(Don't call non-existing subroutines.)
Resolves: #1074647
freetype-2.5.0-CVE-2014-2240.patch | 25 +++++++++++++++++
freetype-2.5.0-CVE-2014-2241.patch | 52 ++++++++++++++++++++++++++++++++++++
freetype.spec | 16 ++++++++++-
3 files changed, 92 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.5.0-CVE-2014-2240.patch b/freetype-2.5.0-CVE-2014-2240.patch
new file mode 100644
index 0000000..d838de3
--- /dev/null
+++ b/freetype-2.5.0-CVE-2014-2240.patch
@@ -0,0 +1,25 @@
+From 0eae6eb0645264c98812f0095e0f5df4541830e6 Mon Sep 17 00:00:00 2001
+From: Dave Arnold <darnold at adobe.com>
+Date: Fri, 28 Feb 2014 06:40:01 +0000
+Subject: Fix Savannah bug #41697, part 1.
+
+* src/cff/cf2hints.c (cf2_hintmap_build): Return when `hintMask' is
+invalid. In this case, it is not safe to use the length of
+`hStemHintArray'; the exception has already been recorded in
+`hintMask'.
+---
+diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
+index 5f44161..79f84fc 100644
+--- a/src/cff/cf2hints.c
++++ b/src/cff/cf2hints.c
+@@ -781,6 +781,8 @@
+ cf2_hintmask_setAll( hintMask,
+ cf2_arrstack_size( hStemHintArray ) +
+ cf2_arrstack_size( vStemHintArray ) );
++ if ( !cf2_hintmask_isValid( hintMask ) )
++ return; /* too many stem hints */
+ }
+
+ /* begin by clearing the map */
+--
+cgit v0.9.0.2
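Review bot: The early return added after `if ( !cf2_hintmask_isValid( hintMask ) )` leaves cf2_hintmap_build without clearing or building the map, and the `/* too many stem hints */` comment does not explain why that is safe; the commit message says the error was already recorded in `hintMask` by cf2_hintmask_setAll, but the code does not. Suggest `return; /* too many stem hints; error already recorded in hintMask, nothing to build */` so the next reader does not treat the bare return as a silent skip. cf2_hintmap_build starts and ends outside the hunk, so whether every caller checks the hintMask error state after this return cannot be confirmed from here.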
diff --git a/freetype-2.5.0-CVE-2014-2241.patch b/freetype-2.5.0-CVE-2014-2241.patch
new file mode 100644
index 0000000..3e6cd60
--- /dev/null
+++ b/freetype-2.5.0-CVE-2014-2241.patch
@@ -0,0 +1,52 @@
+From 135c3faebb96f8f550bd4f318716f2e1e095a969 Mon Sep 17 00:00:00 2001
+From: Dave Arnold <darnold at adobe.com>
+Date: Fri, 28 Feb 2014 06:42:42 +0000
+Subject: Fix Savannah bug #41697, part 2.
+
+* src/cff/cf2ft.c (cf2_initLocalRegionBuffer,
+cf2_initGlobalRegionBuffer): It is possible for a charstring to call
+a subroutine if no subroutines exist. This is an error but should
+not trigger an assert. Split the assert to account for this.
+---
+diff --git a/src/cff/cf2ft.c b/src/cff/cf2ft.c
+index df5f8fb..82bac75 100644
+--- a/src/cff/cf2ft.c
++++ b/src/cff/cf2ft.c
+@@ -521,7 +521,7 @@
+ CF2_UInt idx,
+ CF2_Buffer buf )
+ {
+- FT_ASSERT( decoder && decoder->globals );
++ FT_ASSERT( decoder );
+
+ FT_ZERO( buf );
+
+@@ -529,6 +529,8 @@
+ if ( idx >= decoder->num_globals )
+ return TRUE; /* error */
+
++ FT_ASSERT( decoder->globals );
++
+ buf->start =
+ buf->ptr = decoder->globals[idx];
+ buf->end = decoder->globals[idx + 1];
+@@ -594,7 +596,7 @@
+ CF2_UInt idx,
+ CF2_Buffer buf )
+ {
+- FT_ASSERT( decoder && decoder->locals );
++ FT_ASSERT( decoder );
+
+ FT_ZERO( buf );
+
+@@ -602,6 +604,8 @@
+ if ( idx >= decoder->num_locals )
+ return TRUE; /* error */
+
++ FT_ASSERT( decoder->locals );
++
+ buf->start =
+ buf->ptr = decoder->locals[idx];
+ buf->end = decoder->locals[idx + 1];
+--
+cgit v0.9.0.2
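Review bot: Moving `FT_ASSERT( decoder->globals )` below the `idx >= decoder->num_globals` test makes the fix rest on the invariant that a non-zero num_globals implies a non-NULL globals table, and nothing in the hunk states it. FT_ASSERT is a debug-only macro in FreeType (it expands to nothing unless FT_DEBUG_LEVEL_ERROR is defined), so in a release build the bounds test on the preceding line is the only runtime guard before `decoder->globals[idx]` is dereferenced. A one-line comment would make the reliance explicit, e.g. `FT_ASSERT( decoder->globals ); /* relies on: num_globals > 0 implies globals != NULL; checked in debug builds only */`. The same applies to the cf2_initLocalRegionBuffer hunk with `decoder->locals` and `num_locals`. Both functions begin and end outside their hunks, and the `decoder->globals[idx + 1]` read on the following line is existing code whose table-size assumption cannot be checked here.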
diff --git a/freetype.spec b/freetype.spec
index 74cee3c..93a8113 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.5.0
-Release: 4%{?dist}
+Release: 5%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -35,6 +35,10 @@ Patch91: freetype-2.5.0.1.patch
# https://bugzilla.gnome.org/show_bug.cgi?id=686709
Patch92: 0001-Fix-vertical-size-of-emboldened-glyphs.patch
+# https://bugzilla.gnome.org/show_bug.cgi?id=1074647
+Patch93: freetype-2.5.0-CVE-2014-2240.patch
+Patch94: freetype-2.5.0-CVE-2014-2241.patch
+
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
BuildRequires: libX11-devel
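Review bot: The comment added at `# https://bugzilla.gnome.org/show_bug.cgi?id=1074647` points at the GNOME tracker, but #1074647 is the id the commit's Resolves line refers to, which by Fedora packaging convention is a Red Hat Bugzilla number; the line looks copied from the Patch92 comment above it (GNOME bug 686709) with only the id changed. If the report is the Red Hat one, the line should read `# https://bugzilla.redhat.com/show_bug.cgi?id=1074647`. It would also help to record the upstream reference next to the two new patches, e.g. `# Upstream: Savannah bug #41697, parts 1 and 2`, since both added patch files carry that subject.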
@@ -102,6 +106,9 @@ popd
%patch92 -p1 -b .emboldened-glyphs
+%patch93 -p1 -b .CVE-2014-2240
+%patch94 -p1 -b .CVE-2014-2241
+
%build
%configure --disable-static
@@ -222,6 +229,13 @@ rm -rf $RPM_BUILD_ROOT
%doc docs/tutorial
%changelog
+* Tue Mar 11 2014 Marek Kasik <mkasik at redhat.com> - 2.5.0-5
+- Add freetype-2.5.0-CVE-2014-2240.patch
+ (Return when `hintMask' is invalid.)
+- Add freetype-2.5.0-CVE-2014-2241.patch
+ (Don't call non-existing subroutines.)
+- Resolves: #1074647
+
* Fri Sep 20 2013 Marek Kasik <mkasik at redhat.com> - 2.5.0-4
- Fix vertical size of emboldened glyphs