[freetype/f13/master] Security bugfixes
mkasik
mkasik at fedoraproject.org
Mon Oct 4 13:41:50 UTC 2010
commit 646398f62640bf38aaa6016178eddc3690f64a0f
Author: Marek Kasik <mkasik at redhat.com>
Date: Mon Oct 4 15:34:50 2010 +0200
Security bugfixes
Add freetype-2.3.11-CVE-2010-2805.patch
(Fix comparison.)
Add freetype-2.3.11-CVE-2010-2806.patch
(Protect against negative string_size. Fix comparison.)
Add freetype-2.3.11-CVE-2010-2808.patch
(Check the total length of collected POST segments.)
Add freetype-2.3.11-CVE-2010-3311.patch
(Don't seek behind end of stream.)
Resolves: #638522
freetype-2.3.11-CVE-2010-2805.patch | 11 +++++++++
freetype-2.3.11-CVE-2010-2806.patch | 41 +++++++++++++++++++++++++++++++++++
freetype-2.3.11-CVE-2010-2808.patch | 21 ++++++++++++++++++
freetype-2.3.11-CVE-2010-3311.patch | 37 +++++++++++++++++++++++++++++++
freetype.spec | 21 +++++++++++++++++-
5 files changed, 130 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.3.11-CVE-2010-2805.patch b/freetype-2.3.11-CVE-2010-2805.patch
new file mode 100644
index 0000000..74ff6be
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2805.patch
@@ -0,0 +1,11 @@
+--- freetype-2.3.11/src/base/ftstream.c 2009-08-03 19:51:40.000000000 +0200
++++ freetype-2.3.11/src/base/ftstream.c 2010-09-30 13:46:08.000000000 +0200
+@@ -275,7 +275,7 @@
+ {
+ /* check current and new position */
+ if ( stream->pos >= stream->size ||
+- stream->pos + count > stream->size )
++ stream->size - stream->pos < count )
+ {
+ FT_ERROR(( "FT_Stream_EnterFrame:"
+ " invalid i/o; pos = 0x%lx, count = %lu, size = 0x%lx\n",
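Review bot: The rewritten condition `stream->size - stream->pos < count` carries no comment explaining why it replaces `stream->pos + count > stream->size`, so a later maintainer may "simplify" it back into the additive form that wraps around for a large `count`; I would add above it `/* subtraction form: `pos + count` could wrap; `size - pos` is safe because `pos < size` was just tested */`. The safety of the subtraction depends on the preceding `stream->pos >= stream->size` test short-circuiting first, which the comment should say explicitly so the two clauses are not reordered. This assumes `pos`, `size` and `count` are unsigned, which their declarations outside the hunk would confirm. The enclosing FT_Stream_EnterFrame body starts and ends outside the hunk.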
diff --git a/freetype-2.3.11-CVE-2010-2806.patch b/freetype-2.3.11-CVE-2010-2806.patch
new file mode 100644
index 0000000..564d6d3
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2806.patch
@@ -0,0 +1,41 @@
+--- freetype-2.3.11/src/type42/t42parse.c 2009-07-03 15:28:24.000000000 +0200
++++ freetype-2.3.11/src/type42/t42parse.c 2010-09-23 12:15:56.000000000 +0200
+@@ -4,7 +4,7 @@
+ /* */
+ /* Type 42 font parser (body). */
+ /* */
+-/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
++/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
+ /* Roberto Alameda. */
+ /* */
+ /* This file is part of the FreeType project, and may only be used, */
+@@ -575,6 +575,12 @@
+ }
+
+ string_size = T1_ToInt( parser );
++ if ( string_size < 0 )
++ {
++ FT_ERROR(( "t42_parse_sfnts: invalid string size\n" ));
++ error = T42_Err_Invalid_File_Format;
++ goto Fail;
++ }
+
+ T1_Skip_PS_Token( parser ); /* `RD' */
+ if ( parser->root.error )
+@@ -582,13 +588,14 @@
+
+ string_buf = parser->root.cursor + 1; /* one space after `RD' */
+
+- parser->root.cursor += string_size + 1;
+- if ( parser->root.cursor >= limit )
++ if ( limit - parser->root.cursor < string_size )
+ {
+ FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ error = T42_Err_Invalid_File_Format;
+ goto Fail;
+ }
++ else
++ parser->root.cursor += string_size + 1;
+ }
+
+ if ( !string_buf )
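Review bot: The new bound `limit - parser->root.cursor < string_size` is off by one: when the remaining bytes equal `string_size` the check passes, `string_buf` (cursor + 1) plus `string_size` then reaches `limit + 1`, and the `else` branch sets `cursor` to `limit + 1`, one past the permitted one-past-the-end position. The original code rejected `cursor >= limit` after the advance, so the replacement is also looser than what it replaces. I would use `if ( limit - parser->root.cursor <= string_size )` so that at least `string_size + 1` bytes remain before the advance. This assumes the bytes at `string_buf` are later consumed up to `string_size`, which happens outside the hunk; the enclosing loop and function also start and end outside it.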
diff --git a/freetype-2.3.11-CVE-2010-2808.patch b/freetype-2.3.11-CVE-2010-2808.patch
new file mode 100644
index 0000000..a68a06f
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2808.patch
@@ -0,0 +1,21 @@
+--- freetype-2.3.11/src/base/ftobjs.c 2010-09-30 13:58:50.000000000 +0200
++++ freetype-2.3.11/src/base/ftobjs.c 2010-09-30 13:59:31.000000000 +0200
+@@ -1529,6 +1529,7 @@
+ FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+ i, offsets[i], rlen, flags ));
+
++ /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
+ if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */
+ continue;
+
+@@ -1568,6 +1569,10 @@
+ pfb_data[pfb_pos++] = 0;
+ }
+
++ error = FT_Err_Cannot_Open_Resource;
++ if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
++ goto Exit2;
++
+ error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
+ if ( error )
+ goto Exit2;
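Review bot: The added guard `pfb_pos + rlen > pfb_len` is written in the additive form that can wrap for an attacker-sized `rlen` read from the resource fork, and, if `rlen` is a signed `FT_Long` (its declaration is outside the hunk), a negative `rlen` also passes it. The subtraction form after the existing `pfb_pos > pfb_len` test avoids both: `if ( pfb_pos > pfb_len || rlen < 0 || pfb_len - pfb_pos < rlen )` (drop the `rlen < 0` clause if `rlen` is unsigned). The comment added in the first hunk, "postpone the check of rlen longer than buffer until FT_Stream_Read()", would then be worth pointing at this guard rather than at FT_Stream_Read, since FT_Stream_Read only bounds the read against the stream, not against `pfb_data`. The enclosing function starts and ends outside the hunk.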
diff --git a/freetype-2.3.11-CVE-2010-3311.patch b/freetype-2.3.11-CVE-2010-3311.patch
new file mode 100644
index 0000000..3645591
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-3311.patch
@@ -0,0 +1,37 @@
+--- freetype-2.3.11/src/base/ftstream.c 2010-09-30 14:12:38.000000000 +0200
++++ freetype-2.3.11/src/base/ftstream.c 2010-09-30 14:12:59.000000000 +0200
+@@ -59,8 +59,17 @@
+ {
+ FT_Error error = FT_Err_Ok;
+
++ /* note that seeking to the first position after the file is valid */
++ if ( pos > stream->size )
++ {
++ FT_ERROR(( "FT_Stream_Seek:"
++ " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
++ pos, stream->size ));
+
+- if ( stream->read )
++ error = FT_Err_Invalid_Stream_Operation;
++ }
++
++ if ( !error && stream->read )
+ {
+ if ( stream->read( stream, pos, 0, 0 ) )
+ {
+@@ -71,15 +80,6 @@
+ error = FT_Err_Invalid_Stream_Operation;
+ }
+ }
+- /* note that seeking to the first position after the file is valid */
+- else if ( pos > stream->size )
+- {
+- FT_ERROR(( "FT_Stream_Seek:"
+- " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
+- pos, stream->size ));
+-
+- error = FT_Err_Invalid_Stream_Operation;
+- }
+
+ if ( !error )
+ stream->pos = pos;
diff --git a/freetype.spec b/freetype.spec
index 6c2603f..e128f67 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -9,7 +9,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.3.11
-Release: 5%{?dist}
+Release: 6%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -38,6 +38,10 @@ Patch93: freetype-2.3.11-CVE-2010-2520.patch
Patch94: freetype-2.3.11-CVE-2010-2527.patch
Patch95: freetype-2.3.11-CVE-2010-2541.patch
Patch96: freetype-2.3.11-CVE-2010-1797.patch
+Patch97: freetype-2.3.11-CVE-2010-2805.patch
+Patch98: freetype-2.3.11-CVE-2010-2806.patch
+Patch99: freetype-2.3.11-CVE-2010-2808.patch
+Patch100: freetype-2.3.11-CVE-2010-3311.patch
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
@@ -114,6 +118,10 @@ popd
%patch94 -p1 -b .CVE-2010-2527
%patch95 -p1 -b .CVE-2010-2541
%patch96 -p1 -b .CVE-2010-1797
+%patch97 -p1 -b .CVE-2010-2805
+%patch98 -p1 -b .CVE-2010-2806
+%patch99 -p1 -b .CVE-2010-2808
+%patch100 -p1 -b .CVE-2010-3311
%build
@@ -246,6 +254,17 @@ rm -rf $RPM_BUILD_ROOT
%doc docs/tutorial
%changelog
+* Mon Oct 4 2010 Marek Kasik <mkasik at redhat.com> 2.3.11-6
+- Add freetype-2.3.11-CVE-2010-2805.patch
+ (Fix comparison.)
+- Add freetype-2.3.11-CVE-2010-2806.patch
+ (Protect against negative string_size. Fix comparison.)
+- Add freetype-2.3.11-CVE-2010-2808.patch
+ (Check the total length of collected POST segments.)
+- Add freetype-2.3.11-CVE-2010-3311.patch
+ (Don't seek behind end of stream.)
+- Resolves: #638522
+
* Mon Oct 4 2010 Marek Kasik <mkasik at redhat.com> 2.3.11-5
- Add freetype-2.3.11-CVE-2010-1797.patch
(Check stack after execution of operations too.