Hello community,
here is the log from the commit of package freetype2 for openSUSE:Factory
checked in at Wed May 6 18:38:40 CEST 2009.
--------
--- freetype2/freetype2.changes 2008-12-10 13:59:13.000000000 +0100
+++ /mounts/work_src_done/STABLE/freetype2/freetype2.changes 2009-04-16 18:08:40.000000000 +0200
@@ -1,0 +2,10 @@
+Thu Apr 16 18:08:31 CEST 2009 - nadvornik@suse.cz
+
+- fixed integer overflows [bnc#485889] CVE-2009-0946
+
+-------------------------------------------------------------------
+Mon Mar 9 16:48:46 CET 2009 - crrodriguez@suse.de
+
+- freetype2 has subpixel rendering enabled [bnc#478407]
+
+-------------------------------------------------------------------
--- freetype2/ft2demos.changes 2008-11-05 17:01:32.000000000 +0100
+++ /mounts/work_src_done/STABLE/freetype2/ft2demos.changes 2009-04-16 17:56:00.000000000 +0200
@@ -1,0 +2,5 @@
+Thu Apr 16 17:55:50 CEST 2009 - nadvornik@suse.cz
+
+- fixed integer overflows [bnc#485889] CVE-2009-0946
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
New:
----
bnc485889-overflow1.patch
bnc485889-overflow2.patch
bnc485889-overflow3.patch
bnc485889-overflow4.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ freetype2.spec ++++++
--- /var/tmp/diff_new_pack.y17982/_old 2009-05-06 18:38:10.000000000 +0200
+++ /var/tmp/diff_new_pack.y17982/_new 2009-05-06 18:38:10.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package freetype2 (Version 2.3.7)
#
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
Name: freetype2
BuildRequires: zlib-devel
-License: Other uncritical OpenSource License
+License: Freetype License (BSD-like). See http://freetype.sourceforge.net/FTL.TXT
Group: System/Libraries
AutoReqProv: on
# bug437293
@@ -29,7 +29,7 @@
%endif
#
Version: 2.3.7
-Release: 24
+Release: 26
Url: http://www.freetype.org
Summary: A TrueType Font Library
# CVS repository:
@@ -48,6 +48,10 @@
Patch10: uninitialized-variable.patch
Patch308961: bugzilla-308961-cmex-workaround.patch
Patch441638: bnc441638-bc-enabling-fix-from-cvs.patch
+Patch11: bnc485889-overflow1.patch
+Patch12: bnc485889-overflow2.patch
+Patch13: bnc485889-overflow3.patch
+Patch14: bnc485889-overflow4.patch
Patch100: freetype2-bc.patch
Patch200: freetype2-subpixel.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -65,7 +69,7 @@
Werner Lemberg
%package devel
-License: GPL v2 or later
+License: GPL v2 or later; Freetype License (BSD-like). See http://freetype.sourceforge.net/FTL.TXT
Summary: Development environment for the freetype2 TrueType font library
Group: Development/Libraries/C and C++
Requires: %{name} = %{version}, zlib-devel
@@ -100,7 +104,7 @@
# in /etc/sysconfig/fonts-config.
#
%define enable_bytecode_interpreter 1
-%define enable_subpixel_rendering 0%{?opensuse_bs}
+%define enable_subpixel_rendering 0
%setup -q -n freetype-%{version} -a 1
%patch3 -p 1 -b .bitmap-foundry
%patch4 -p 1 -b .ft2-stream-compat
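Review bot: this hunk disables subpixel rendering unconditionally, but the changelog entry added in this same update says "freetype2 has subpixel rendering enabled [bnc#478407]". The old value `0%{?opensuse_bs}` expanded to `01` (true) inside the build service and to `0` elsewhere, so the build-service packages did have it enabled; the new literal `0` turns it off everywhere. Either the define or the changelog line needs to change so the two agree.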
@@ -110,6 +114,10 @@
%patch10 -p 1
%patch308961 -p 1
%patch441638 -p 1
+%patch11 -p 1
+%patch12 -p 1
+%patch13 -p 1
+%patch14 -p 1
%if %{enable_bytecode_interpreter}
%patch100 -p 1 -b .bytecode
%endif
@@ -163,6 +171,10 @@
/usr/share/aclocal/*
%changelog
+* Thu Apr 16 2009 nadvornik@suse.cz
+- fixed integer overflows [bnc#485889] CVE-2009-0946
+* Mon Mar 09 2009 crrodriguez@suse.de
+- freetype2 has subpixel rendering enabled [bnc#478407]
* Wed Dec 10 2008 olh@suse.de
- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
(bnc#437293)
@@ -497,7 +509,7 @@
- update to 2.1.7.
- remove freetype2-type1.patch (included upstream)
- add documentation.
-* Wed Oct 08 2003 schwab@suse.de
+* Thu Oct 09 2003 schwab@suse.de
- Fix invalid free.
* Fri Sep 26 2003 mfabian@suse.de
- update to 2.1.5.
@@ -613,7 +625,7 @@
- fix build-rooting
* Thu Dec 14 2000 kukuk@suse.de
- split devel package
-* Mon Dec 11 2000 egger@suse.de
+* Tue Dec 12 2000 egger@suse.de
- Updated to version 2.0.1.
* Fri Nov 10 2000 egger@suse.de
- Initial SuSE package.
++++++ ft2demos.spec ++++++
--- /var/tmp/diff_new_pack.y17982/_old 2009-05-06 18:38:11.000000000 +0200
+++ /var/tmp/diff_new_pack.y17982/_new 2009-05-06 18:38:11.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package ft2demos (Version 2.3.7)
#
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,7 @@
Supplements: fonts-config
%endif
Version: 2.3.7
-Release: 31
+Release: 33
%define freetype_version %{version}
Url: http://www.freetype.org
Summary: Freetype2 Utilities and Demo Programs
@@ -48,6 +48,10 @@
Patch9: fix-build.patch
Patch308961: bugzilla-308961-cmex-workaround.patch
Patch441638: bnc441638-bc-enabling-fix-from-cvs.patch
+Patch11: bnc485889-overflow1.patch
+Patch12: bnc485889-overflow2.patch
+Patch13: bnc485889-overflow3.patch
+Patch14: bnc485889-overflow4.patch
Patch50: ft2demos-build-testname.patch
Patch100: freetype2-bc.patch
Patch101: ft2demos-bc.patch
@@ -84,6 +88,10 @@
%patch9 -p 1
%patch308961 -p 1
%patch441638 -p 1
+%patch11 -p 1
+%patch12 -p 1
+%patch13 -p 1
+%patch14 -p 1
pushd ../ft2demos-%{version}
%patch50 -p 1
popd
@@ -137,6 +145,8 @@
%{_bindir}/testname
%changelog
+* Thu Apr 16 2009 nadvornik@suse.cz
+- fixed integer overflows [bnc#485889] CVE-2009-0946
* Wed Nov 05 2008 mfabian@suse.de
- bnc#441638: use fix from upstream CVS to fix the return value
of FT_Get_TrueType_Engine_Type (and make it work as documented).
@@ -456,7 +466,7 @@
* Wed Dec 17 2003 mfabian@suse.de
- update to 2.1.7.
- remove freetype2-type1.patch (included upstream)
-* Wed Oct 08 2003 schwab@suse.de
+* Thu Oct 09 2003 schwab@suse.de
- Fix invalid free.
* Fri Sep 26 2003 mfabian@suse.de
- update to 2.1.5.
++++++ bnc485889-overflow1.patch ++++++
From 0545ec1ca36b27cb928128870a83e5f668980bc5 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 20 Mar 2009 05:49:10 +0000
Subject: Protect against invalid SID values in CFFs.
Problem reported by Tavis Ormandy.
* src/cff/cffload.c (cff_charset_load): Reject SID values larger
than 64999.
---
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 22163fb..24b899d 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -842,7 +842,20 @@
goto Exit;
for ( j = 1; j < num_glyphs; j++ )
- charset->sids[j] = FT_GET_USHORT();
+ {
+ FT_UShort sid = FT_GET_USHORT();
+
+
+ /* this constant is given in the CFF specification */
+ if ( sid < 65000 )
+ charset->sids[j] = sid;
+ else
+ {
+ FT_ERROR(( "cff_charset_load:"
+ " invalid SID value %d set to zero\n", sid ));
+ charset->sids[j] = 0;
+ }
+ }
FT_FRAME_EXIT();
}
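Review bot: an out-of-range SID is silently replaced by 0 here and loading continues, which matches neither the commit message ("Reject SID values larger than 64999") nor the range-format hunk below, which fails with CFF_Err_Invalid_File_Format; pick one behaviour for both, and if substitution with .notdef is intended, say so in the message. Also, 65000 appears as a bare literal in three places in this patch; a named constant would carry the "given in the CFF specification" remark to every use. Minor: there is a double blank line after the `FT_UShort sid` declaration.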
@@ -875,6 +888,20 @@
goto Exit;
}
+ /* check whether the range contains at least one valid glyph; */
+ /* the constant is given in the CFF specification */
+ if ( glyph_sid >= 65000 ) {
+ FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
+ error = CFF_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
+ /* try to rescue some of the SIDs if `nleft' is too large */
+ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
+ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
+ nleft = 65000 - 1 - glyph_sid;
+ }
+
/* Fill in the range of sids -- `nleft + 1' glyphs. */
for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
charset->sids[j] = glyph_sid;
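Review bot: the two new `if ( ... ) {` lines put the opening brace on the condition line, unlike the hunk above and the rest of this file, where the brace sits on its own line; reformat to the surrounding style. The logic itself holds: `glyph_sid < 65000` is established first, the `nleft > 65000 - 1` clause short-circuits before `65000 - nleft` could underflow, and after trimming `glyph_sid + nleft` is at most 64999.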
--
cgit v0.8.2
++++++ bnc485889-overflow2.patch ++++++
From 0a05ba257b6ddd87dacf8d54b626e4b360e0a596 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 20 Mar 2009 06:19:45 +0000
Subject: Protect against malformed compressed data.
Problem reported by Tavis Ormandy.
* src/lzw/ftzopen.c (ft_lzwstate_io): Test whether `state->prefix' is
zero.
---
diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c
index fc78315..c0483de 100644
--- a/src/lzw/ftzopen.c
+++ b/src/lzw/ftzopen.c
@@ -332,6 +332,9 @@
while ( code >= 256U )
{
+ if ( !state->prefix )
+ goto Eof;
+
FTLZW_STACK_PUSH( state->suffix[code - 256] );
code = state->prefix[code - 256];
}
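Review bot: `state->prefix` is not modified inside this loop (the body only pushes `suffix[code - 256]` and reassigns `code`), so the NULL test can be hoisted above the `while` instead of being repeated on every iteration. Also, `goto Eof` makes a stream whose tables were never allocated indistinguishable from one that ended cleanly; if the caller can tell an error from end-of-data, a decode error would be the more honest result for malformed input.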
--
cgit v0.8.2
++++++ bnc485889-overflow3.patch ++++++
From 79972af4f0485a11dcb19551356c45245749fc5b Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 20 Mar 2009 07:21:37 +0000
Subject: Protect against too large glyphs.
Problem reported by Tavis Ormandy.
* src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow
`width' or `pitch' to be larger than 0xFFFF.
---
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index a6db504..cacc490 100644
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -153,7 +153,7 @@
slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
}
- /* allocate new one, depends on pixel format */
+ /* allocate new one */
pitch = width;
if ( hmul )
{
@@ -194,6 +194,13 @@
#endif
+ if ( pitch > 0xFFFF || height > 0xFFFF )
+ {
+ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
+ width, height ));
+ return Smooth_Err_Raster_Overflow;
+ }
+
bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
bitmap->num_grays = 256;
bitmap->width = width;
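Review bot: the condition tests `pitch` and `height`, but the FT_ERROR message prints `width` and `height`, and the commit message talks about `width` or `pitch`; print the value that was actually rejected (pitch) so the log matches the check, and align the commit message with the code. Since `pitch` starts as `width` and is adjusted under `hmul` above, bounding `pitch` is the right guard for the allocation, so the message is the part to fix.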
--
cgit v0.8.2
++++++ bnc485889-overflow4.patch ++++++
From a18788b14db60ae3673f932249cd02d33a227c4e Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 20 Mar 2009 07:03:58 +0000
Subject: Fix validation for various cmap table formats.
* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
tt_cmap12_validate): Check `length' correctly.
(tt_cmap14_validate): Check `length' and `numMappings' correctly.
---
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 6830391..1bd2ce7 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -1635,7 +1635,7 @@
FT_INVALID_TOO_SHORT;
length = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 8208 )
+ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
FT_INVALID_TOO_SHORT;
is32 = table + 12;
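Review bot: the subtraction form `length > (FT_UInt32)( valid->limit - table )` is the right fix, since `table + length` could wrap past the end of the address space on a 32-bit build and land below `valid->limit`; but this hunk casts to FT_UInt32 while the four hunks below cast to FT_ULong. Use one type throughout. The cast is also only safe if an earlier check has established `table <= valid->limit` (the FT_INVALID_TOO_SHORT just above suggests one exists); a comment saying so would help the next reader.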
@@ -1863,7 +1863,8 @@
p = table + 16;
count = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 20 + count * 2 )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 20 + count * 2 )
FT_INVALID_TOO_SHORT;
/* check glyph indices */
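Review bot: `20 + count * 2` can still wrap: `count` is an FT_ULong read straight from the font, and on a 32-bit build (FT_ULong is 32 bits wide on i586) any count >= 0x80000000 makes `count * 2` tiny, so a 20-byte subtable claiming two billion glyph ids passes this check and the glyph-index check that follows walks `count` entries past the table. Rewrite without the multiplication: `length < 20 || ( length - 20 ) / 2 < count`.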
@@ -2048,7 +2049,8 @@
p = table + 12;
num_groups = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 16 + 12 * num_groups )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 16 + 12 * num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
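Review bot: same wrap as in the format-10 hunk: `16 + 12 * num_groups` overflows a 32-bit FT_ULong once `12 * num_groups` exceeds 2^32, letting a tiny `length` pass with a huge `num_groups`. Use `length < 16 || ( length - 16 ) / 12 < num_groups`.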
@@ -2429,7 +2431,8 @@
FT_ULong num_selectors = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 10 + 11 * num_selectors )
FT_INVALID_TOO_SHORT;
/* check selectors, they must be in increasing order */
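Review bot: `10 + 11 * num_selectors` has the same 32-bit wrap as the format-10 and format-12 checks; use `length < 10 || ( length - 10 ) / 11 < num_selectors` so no intermediate exceeds `length`, which is already bounded by the table.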
@@ -2491,7 +2494,7 @@
FT_ULong i, lastUni = 0;
- if ( ndp + numMappings * 4 > valid->limit )
+ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numMappings; ++i )
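Review bot: `numMappings * 4` wraps for numMappings >= 0x40000000 on a 32-bit FT_ULong, so the comparison can pass with a count far larger than the bytes left before `valid->limit`; compare `numMappings > (FT_ULong)( valid->limit - ndp ) / 4` instead. The same remark applies to the other multiplications in this patch.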
--
cgit v0.8.2
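The multiplication wrap that the format-10 hunk above leaves open, shown as an added example written for this page (not FreeType's own code): it reproduces the committed `length < 20 + count * 2` check and an overflow-safe variant, both in 32-bit unsigned arithmetic as on an i586 build where FT_ULong is 32 bits wide, and feeds both a constructed 20-byte format-10 header that claims two billion glyph ids. The `tt_valid_t` struct, the byte helpers and all function names are assumptions made for the demonstration.

```c
/*
 * Added example, not FreeType code: the cmap format-10 length check from
 * the patch above versus an overflow-safe form, in 32-bit arithmetic.
 * The struct, helpers and sample subtable are constructed for this demo.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    const unsigned char *table;   /* start of the format-10 subtable   */
    const unsigned char *limit;   /* one past the end of the cmap data */
} tt_valid_t;

/* Big-endian helpers standing in for TT_NEXT_ULONG and friends. */
static uint32_t rd_u32(const unsigned char *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8  | (uint32_t)p[3];
}
static void wr_u16(unsigned char *p, uint32_t x)
{
    p[0] = (unsigned char)(x >> 8); p[1] = (unsigned char)x;
}
static void wr_u32(unsigned char *p, uint32_t x)
{
    p[0] = (unsigned char)(x >> 24); p[1] = (unsigned char)(x >> 16);
    p[2] = (unsigned char)(x >> 8);  p[3] = (unsigned char)x;
}

/*
 * The check as committed: `length < 20 + count * 2`.  With a 32-bit
 * FT_ULong, count * 2 wraps to 0 at count = 0x80000000, so a 20-byte
 * header claiming that many glyph ids is accepted.
 */
static int cmap10_check_patched(const tt_valid_t *v)
{
    const unsigned char *table = v->table;
    uint32_t length = rd_u32(table + 4);    /* subtable length field */
    uint32_t count  = rd_u32(table + 16);   /* numChars field        */

    if ( length > (uint32_t)( v->limit - table ) ||
         length < 20u + count * 2u )
        return 0;                           /* FT_INVALID_TOO_SHORT */
    return 1;
}

/*
 * Overflow-safe form: `length` is already bounded by the table, so every
 * intermediate stays below it, and the count is compared by division.
 */
static int cmap10_check_safe(const tt_valid_t *v)
{
    const unsigned char *table = v->table;
    uint32_t length = rd_u32(table + 4);
    uint32_t count  = rd_u32(table + 16);

    if ( length > (uint32_t)( v->limit - table ) ||
         length < 20u                           ||
         ( length - 20u ) / 2u < count )
        return 0;
    return 1;
}

/*
 * Constructed 20-byte format-10 header: format 10, length 20, language 0,
 * startCharCode 0, numChars = count.  No glyph ids follow, so a validator
 * that accepts a non-zero count lets later code read past `limit`.
 */
static void build_cmap10(unsigned char buf[20], uint32_t count)
{
    memset(buf, 0, 20);
    wr_u16(buf + 0, 10);       /* format        */
    wr_u16(buf + 2, 0);        /* reserved      */
    wr_u32(buf + 4, 20);       /* length        */
    wr_u32(buf + 8, 0);        /* language      */
    wr_u32(buf + 12, 0);       /* startCharCode */
    wr_u32(buf + 16, count);   /* numChars      */
}

/* Returns 1 if `checker` accepts a header that claims `count` glyph ids. */
static int accepts(int (*checker)(const tt_valid_t *), uint32_t count)
{
    unsigned char buf[20];
    tt_valid_t v;

    build_cmap10(buf, count);
    v.table = buf;
    v.limit = buf + sizeof buf;
    return checker(&v);
}

int patched_accepts(uint32_t count) { return accepts(cmap10_check_patched, count); }
int safe_accepts(uint32_t count)    { return accepts(cmap10_check_safe, count); }

int main(void)
{
    /* count * 2 wraps to 0: the committed check passes, the safe one fails. */
    printf("count=0x80000000  patched=%d  safe=%d\n",
           patched_accepts(0x80000000u), safe_accepts(0x80000000u));
    /* An honest count of 1 with no glyph data is rejected by both. */
    printf("count=1           patched=%d  safe=%d\n",
           patched_accepts(1u), safe_accepts(1u));
    return 0;
}
```

The division form is the one to carry into the format-12 and format-14 checks as well, replacing `12 * num_groups` and `11 * num_selectors` the same way; on an LP64 build FT_ULong is 64 bits and the wrap needs a count the file cannot express, which is why the problem is easy to miss when testing only on x86_64.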
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org