commit freetype2 for openSUSE:Factory
Hello community, here is the log from the commit of package freetype2 for openSUSE:Factory checked in at Wed May 6 18:38:40 CEST 2009.
--------
--- freetype2/freetype2.changes 2008-12-10 13:59:13.000000000 +0100
+++ /mounts/work_src_done/STABLE/freetype2/freetype2.changes 2009-04-16 18:08:40.000000000 +0200
@@ -1,0 +2,10 @@
+Thu Apr 16 18:08:31 CEST 2009 - nadvornik@suse.cz
+
+- fixed integer overflows [bnc#485889] CVE-2009-0946
+
+-------------------------------------------------------------------
+Mon Mar 9 16:48:46 CET 2009 - crrodriguez@suse.de
+
+- freetype2 has subpixel rendering enabled [bnc#478407]
+
+-------------------------------------------------------------------
--- freetype2/ft2demos.changes 2008-11-05 17:01:32.000000000 +0100
+++ /mounts/work_src_done/STABLE/freetype2/ft2demos.changes 2009-04-16 17:56:00.000000000 +0200
@@ -1,0 +2,5 @@
+Thu Apr 16 17:55:50 CEST 2009 - nadvornik@suse.cz
+
+- fixed integer overflows [bnc#485889] CVE-2009-0946
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
New:
----
bnc485889-overflow1.patch
bnc485889-overflow2.patch
bnc485889-overflow3.patch
bnc485889-overflow4.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ freetype2.spec ++++++
--- /var/tmp/diff_new_pack.y17982/_old 2009-05-06 18:38:10.000000000 +0200
+++ /var/tmp/diff_new_pack.y17982/_new 2009-05-06 18:38:10.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package freetype2 (Version 2.3.7)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 Name: freetype2
 BuildRequires: zlib-devel
-License: Other uncritical OpenSource License
+License: Freetype License (BSD-like). See http://freetype.sourceforge.net/FTL.TXT
 Group: System/Libraries
 AutoReqProv: on
 # bug437293
@@ -29,7 +29,7 @@
 %endif
 #
 Version: 2.3.7
-Release: 24
+Release: 26
 Url: http://www.freetype.org
 Summary: A TrueType Font Library
 # CVS repository:
@@ -48,6 +48,10 @@
 Patch10: uninitialized-variable.patch
 Patch308961: bugzilla-308961-cmex-workaround.patch
 Patch441638: bnc441638-bc-enabling-fix-from-cvs.patch
+Patch11: bnc485889-overflow1.patch
+Patch12: bnc485889-overflow2.patch
+Patch13: bnc485889-overflow3.patch
+Patch14: bnc485889-overflow4.patch
 Patch100: freetype2-bc.patch
 Patch200: freetype2-subpixel.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -65,7 +69,7 @@
 Werner Lemberg <werner.lemberg@freetype.org>
 %package devel
-License: GPL v2 or later
+License: GPL v2 or later; Freetype License (BSD-like). See http://freetype.sourceforge.net/FTL.TXT
 Summary: Development environment for the freetype2 TrueType font library
 Group: Development/Libraries/C and C++
 Requires: %{name} = %{version}, zlib-devel
@@ -100,7 +104,7 @@
 # in /etc/sysconfig/fonts-config.
 #
 %define enable_bytecode_interpreter 1
-%define enable_subpixel_rendering 0%{?opensuse_bs}
+%define enable_subpixel_rendering 0
 %setup -q -n freetype-%{version} -a 1
 %patch3 -p 1 -b .bitmap-foundry
 %patch4 -p 1 -b .ft2-stream-compat
@@ -110,6 +114,10 @@
 %patch10 -p 1
 %patch308961 -p 1
 %patch441638 -p 1
+%patch11 -p 1
+%patch12 -p 1
+%patch13 -p 1
+%patch14 -p 1
 %if %{enable_bytecode_interpreter}
 %patch100 -p 1 -b .bytecode
 %endif
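Review bot: In the `@@ -100,7 +104,7 @@` hunk, `%define enable_subpixel_rendering 0` disables the option for every build, whereas the removed `0%{?opensuse_bs}` only enabled it for Build Service builds; the matching changelog line `- freetype2 has subpixel rendering enabled [bnc#478407]` states the reported condition rather than this change, so neither text tells a reader that the fix is to switch it off. A comment above the define, `# subpixel rendering is off unconditionally (bnc#478407); the macro stays so the %if blocks that test it remain valid`, would record that intent — I am inferring the `%if` users from `Patch200: freetype2-subpixel.patch`, since they are outside these hunks. The Release bump, license wording and Patch11–Patch14 additions need no further comment.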
@@ -163,6 +171,10 @@
 /usr/share/aclocal/*
 %changelog
+* Thu Apr 16 2009 nadvornik@suse.cz
+- fixed integer overflows [bnc#485889] CVE-2009-0946
+* Mon Mar 09 2009 crrodriguez@suse.de
+- freetype2 has subpixel rendering enabled [bnc#478407]
 * Wed Dec 10 2008 olh@suse.de
 - use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade (bnc#437293)
@@ -497,7 +509,7 @@
 - update to 2.1.7.
 - remove freetype2-type1.patch (included upstream)
 - add documentation.
-* Wed Oct 08 2003 schwab@suse.de
+* Thu Oct 09 2003 schwab@suse.de
 - Fix invalid free.
 * Fri Sep 26 2003 mfabian@suse.de
 - update to 2.1.5.
@@ -613,7 +625,7 @@
 - fix build-rooting
 * Thu Dec 14 2000 kukuk@suse.de
 - split devel package
-* Mon Dec 11 2000 egger@suse.de
+* Tue Dec 12 2000 egger@suse.de
 - Updated to version 2.0.1.
 * Fri Nov 10 2000 egger@suse.de
 - Initial SuSE package.
++++++ ft2demos.spec ++++++
--- /var/tmp/diff_new_pack.y17982/_old 2009-05-06 18:38:11.000000000 +0200
+++ /var/tmp/diff_new_pack.y17982/_new 2009-05-06 18:38:11.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package ft2demos (Version 2.3.7)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,7 @@
 Supplements: fonts-config
 %endif
 Version: 2.3.7
-Release: 31
+Release: 33
 %define freetype_version %{version}
 Url: http://www.freetype.org
 Summary: Freetype2 Utilities and Demo Programs
@@ -48,6 +48,10 @@
 Patch9: fix-build.patch
 Patch308961: bugzilla-308961-cmex-workaround.patch
 Patch441638: bnc441638-bc-enabling-fix-from-cvs.patch
+Patch11: bnc485889-overflow1.patch
+Patch12: bnc485889-overflow2.patch
+Patch13: bnc485889-overflow3.patch
+Patch14: bnc485889-overflow4.patch
 Patch50: ft2demos-build-testname.patch
 Patch100: freetype2-bc.patch
 Patch101: ft2demos-bc.patch
@@ -84,6 +88,10 @@
 %patch9 -p 1
 %patch308961 -p 1
 %patch441638 -p 1
+%patch11 -p 1
+%patch12 -p 1
+%patch13 -p 1
+%patch14 -p 1
 pushd ../ft2demos-%{version}
 %patch50 -p 1
 popd
@@ -137,6 +145,8 @@
 %{_bindir}/testname
 %changelog
+* Thu Apr 16 2009 nadvornik@suse.cz
+- fixed integer overflows [bnc#485889] CVE-2009-0946
 * Wed Nov 05 2008 mfabian@suse.de
 - bnc#441638: use fix from upstream CVS to fix the return value of FT_Get_TrueType_Engine_Type (and make it work as documented).
@@ -456,7 +466,7 @@
 * Wed Dec 17 2003 mfabian@suse.de
 - update to 2.1.7.
 - remove freetype2-type1.patch (included upstream)
-* Wed Oct 08 2003 schwab@suse.de
+* Thu Oct 09 2003 schwab@suse.de
 - Fix invalid free.
 * Fri Sep 26 2003 mfabian@suse.de
 - update to 2.1.5.
++++++ bnc485889-overflow1.patch ++++++
From 0545ec1ca36b27cb928128870a83e5f668980bc5 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 20 Mar 2009 05:49:10 +0000
Subject: Protect against invalid SID values in CFFs.
Problem reported by Tavis Ormandy <taviso@google.com>.
* src/cff/cffload.c (cff_charset_load): Reject SID values larger than 64999.
---
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 22163fb..24b899d 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -842,7 +842,20 @@
 goto Exit;
 
 for ( j = 1; j < num_glyphs; j++ )
- charset->sids[j] = FT_GET_USHORT();
+ {
+ FT_UShort sid = FT_GET_USHORT();
+
+
+ /* this constant is given in the CFF specification */
+ if ( sid < 65000 )
+ charset->sids[j] = sid;
+ else
+ {
+ FT_ERROR(( "cff_charset_load:"
+ " invalid SID value %d set to zero\n", sid ));
+ charset->sids[j] = 0;
+ }
+ }
 
 FT_FRAME_EXIT();
 }
@@ -875,6 +888,20 @@
 goto Exit;
 }
 
+ /* check whether the range contains at least one valid glyph; */
+ /* the constant is given in the CFF specification */
+ if ( glyph_sid >= 65000 ) {
+ FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
+ error = CFF_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
+ /* try to rescue some of the SIDs if `nleft' is too large */
+ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
+ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
+ nleft = 65000 - 1 - glyph_sid;
+ }
+
 /* Fill in the range of sids -- `nleft + 1' glyphs. */
 for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
 charset->sids[j] = glyph_sid;
--
cgit v0.8.2
++++++ bnc485889-overflow2.patch ++++++
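Review bot: The two hunks treat an out-of-range SID differently without saying why — the per-glyph loop in the first hunk logs, stores 0 (the `.notdef` SID) and keeps going, while the range code in the second hunk fails the font with `CFF_Err_Invalid_File_Format` when the range start is invalid but merely trims `nleft` when the range end overruns; a comment above the first `FT_ERROR`, such as `/* a single bad SID is mapped to .notdef rather than rejecting the font; an invalid range start leaves nothing to keep, so that case is fatal */`, would record the policy. The literal 65000 appears four times across both hunks, twice as `65000 - 1`; a named constant for the CFF SID limit the comments refer to would tie them together. Bounding SIDs to the spec range does not by itself bound later lookups that turn a SID into a string-table index, so those callers must keep their own checks — that code is outside this patch. cff_charset_load begins before the first hunk and continues past the second, so the types of `nleft` and `glyph_sid` are not visible here.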
From 0a05ba257b6ddd87dacf8d54b626e4b360e0a596 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 20 Mar 2009 06:19:45 +0000
Subject: Protect against malformed compressed data.
Problem reported by Tavis Ormandy <taviso@google.com>.
* src/lsw/ftzopen.c (ft_lzwstate_io): Test whether `state->prefix' is zero.
---
diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c
index fc78315..c0483de 100644
--- a/src/lzw/ftzopen.c
+++ b/src/lzw/ftzopen.c
@@ -332,6 +332,9 @@
 
 while ( code >= 256U )
 {
+ if ( !state->prefix )
+ goto Eof;
+
 FTLZW_STACK_PUSH( state->suffix[code - 256] );
 code = state->prefix[code - 256];
 }
--
cgit v0.8.2
++++++ bnc485889-overflow3.patch ++++++
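Review bot: The new `if ( !state->prefix ) goto Eof;` only establishes that the code tables exist; it does not bound `code - 256` against their allocated size, and because the allocation is outside the hunk I cannot tell whether `code` is already guaranteed to stay below the highest entry written — worth confirming, since `state->suffix[code - 256]` and `state->prefix[code - 256]` are indexed immediately after the check. `state->prefix` does not change inside the loop, so the test could be stated once as `if ( code >= 256U && !state->prefix ) goto Eof;` before `while ( code >= 256U )`, with a comment along the lines of `/* a code >= 256 before any table entry exists: malformed stream */` (hedged, as the table-building code is not visible here). The ChangeLog paragraph in the commit message names `src/lsw/ftzopen.c` while the diff header reads `src/lzw/ftzopen.c`. ft_lzwstate_io begins before the hunk and continues after it.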
From 79972af4f0485a11dcb19551356c45245749fc5b Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 20 Mar 2009 07:21:37 +0000
Subject: Protect against too large glyphs.
Problem reported by Tavis Ormandy <taviso@google.com>.
* src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow `width' or `pitch' to be larger than 0xFFFF.
---
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index a6db504..cacc490 100644
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -153,7 +153,7 @@
 slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
 }
 
- /* allocate new one, depends on pixel format */
+ /* allocate new one */
 pitch = width;
 if ( hmul )
 {
@@ -194,6 +194,13 @@
 #endif
 
+ if ( pitch > 0xFFFF || height > 0xFFFF )
+ {
+ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
+ width, height ));
+ return Smooth_Err_Raster_Overflow;
+ }
+
 bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
 bitmap->num_grays = 256;
 bitmap->width = width;
--
cgit v0.8.2
++++++ bnc485889-overflow4.patch ++++++
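Review bot: In the `@@ -194,6 +194,13 @@` hunk the condition tests `pitch` and `height`, but the `FT_ERROR` message prints `width` and `height`; since the first hunk shows `pitch = width; if ( hmul ) {`, pitch is derived from width in the `hmul` case and a rejected glyph can be logged with a width that looks well inside the limit. Printing the value actually tested, `"ft_smooth_render_generic: glyph too large: %d x %d (pitch %d)\n", width, height, pitch`, keeps the diagnostic in step with the check. The commit message says `width' or `pitch' while the code checks pitch and height, so one of the two should be corrected. The 0xFFFF bound is presumably chosen so that the buffer size computed from `pitch` and `height` further down cannot overflow a 32-bit int — if so, a one-line comment above the `if` saying that would spare the next reader the derivation; that allocation is outside the hunk. ft_smooth_render_generic begins before the first hunk and continues past the second.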
From a18788b14db60ae3673f932249cd02d33a227c4e Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 20 Mar 2009 07:03:58 +0000
Subject: Fix validation for various cmap table formats.
* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate, tt_cmap12_validate): Check `length' correctly. (tt_cmap_14_validate): Check `length' and `numMappings' correctly.
---
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 6830391..1bd2ce7 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -1635,7 +1635,7 @@
 FT_INVALID_TOO_SHORT;
 
 length = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 8208 )
+ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
 FT_INVALID_TOO_SHORT;
 
 is32 = table + 12;
@@ -1863,7 +1863,8 @@
 p = table + 16;
 count = TT_NEXT_ULONG( p );
 
- if ( table + length > valid->limit || length < 20 + count * 2 )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 20 + count * 2 )
 FT_INVALID_TOO_SHORT;
 
 /* check glyph indices */
@@ -2048,7 +2049,8 @@
 p = table + 12;
 num_groups = TT_NEXT_ULONG( p );
 
- if ( table + length > valid->limit || length < 16 + 12 * num_groups )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 16 + 12 * num_groups )
 FT_INVALID_TOO_SHORT;
 
 /* check groups, they must be in increasing order */
@@ -2429,7 +2431,8 @@
 FT_ULong num_selectors = TT_NEXT_ULONG( p );
 
 
- if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 10 + 11 * num_selectors )
 FT_INVALID_TOO_SHORT;
 
 /* check selectors, they must be in increasing order */
@@ -2491,7 +2494,7 @@
 FT_ULong i, lastUni = 0;
 
 
- if ( ndp + numMappings * 4 > valid->limit )
+ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
 FT_INVALID_TOO_SHORT;
 
 for ( i = 0; i < numMappings; ++i )
--
cgit v0.8.2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
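Review bot: The rewritten upper bounds no longer overflow the pointer, but the lower-bound side still multiplies a value read from the font — `count * 2`, `12 * num_groups`, `11 * num_selectors` and `numMappings * 4` in the four hunks from `@@ -1863,7 +1863,8 @@` onward — in `FT_ULong`, which is 32 bits on ILP32 and Win64 builds; a count above 2^31 wraps the product so that `length < 20 + count * 2` can be false for a small `length`, and the per-entry loops that follow (outside these hunks) would then presumably run `count` times over a table the size check has accepted. Dividing instead of multiplying removes the wrap: in the cmap10 hunk, `length < 20 || ( length - 20 ) / 2 < count`, with the same shape for the other three. The cast differs between hunks — `(FT_UInt32)` at `@@ -1635,7 +1635,7 @@` and `(FT_ULong)` elsewhere — so one should be chosen. All of these casts assume `table <= valid->limit` (and `ndp <= valid->limit` in the last hunk), which appears to be established by earlier checks in each validator that are outside the hunks. Each tt_cmap*_validate function begins before its hunk and continues after it.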