authorLeonardo Arena <rnalrd@alpinelinux.org>2017-06-15 13:38:18 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2017-06-15 13:49:28 +0000
commite4bb22b94325a5d26f07a717475760c410e49f25 (patch)
treea03e2fb74800b414fa22e9e1716029da49eefd3a
parent379c5299d65499022d1f9338b6042ef5f6008b52 (diff)
main/freetype: security fixes #7270
-rw-r--r--main/freetype/APKBUILD34
-rw-r--r--main/freetype/CVE-2016-10244.patch20
-rw-r--r--main/freetype/CVE-2017-8105.patch46
-rw-r--r--main/freetype/CVE-2017-8287.patch34
4 files changed, 126 insertions, 8 deletions
diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD
index 4264e067df..1dd4dc02d8 100644
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=freetype
pkgver=2.5.5
-pkgrel=0
+pkgrel=1
pkgdesc="TrueType font rendering library"
url="http://freetype.sourceforge.net"
arch="all"
@@ -12,10 +12,19 @@ depends_dev="zlib-dev libpng-dev"
makedepends="$depends_dev"
subpackages="$pkgname-dev"
source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz
-20-enable-spr.patch
-30-enable-valid.patch
-40-memcpy-fix.patch
-"
+ 20-enable-spr.patch
+ 30-enable-valid.patch
+ 40-memcpy-fix.patch
+ CVE-2016-10244.patch
+ CVE-2017-8105.patch
+ CVE-2017-8287.patch
+ "
+
+# secfixes:
+# 2.5.5-r1:
+# - CVE-2016-10244
+# - CVE-2017-8105
+# - CVE-2017-8287
_builddir="$srcdir/$pkgname-$pkgver"
@@ -54,12 +63,21 @@ package() {
md5sums="7448edfbd40c7aa5088684b0a3edb2b8 freetype-2.5.5.tar.gz
605e03a5d95b858f566cadca1dbd316b 20-enable-spr.patch
3f6c5739843dcbc110ee0f243c4f6bdb 30-enable-valid.patch
-bd2d808a0c00dcf9f1d1c0a9a8227ad9 40-memcpy-fix.patch"
+bd2d808a0c00dcf9f1d1c0a9a8227ad9 40-memcpy-fix.patch
+0bb752550d20a3bee72f737ad479991a CVE-2016-10244.patch
+478ff673ef99f69bcc4fa0957b606cf3 CVE-2017-8105.patch
+a45568a4c33ed3768e73ab7951ef2bf8 CVE-2017-8287.patch"
sha256sums="5d03dd76c2171a7601e9ce10551d52d4471cf92cd205948e60289251daddffa8 freetype-2.5.5.tar.gz
9ec2c8c126fa9bda4eaec779ae6234f094f8a8d85d20f947e910716df9d703ca 20-enable-spr.patch
5f1b3b767dc1fdb1fcd3963399ac3c2263d07fe3f1f14f677d08cd0d2161ae5c 30-enable-valid.patch
-574c265c7a7032c5afb32a9807e5d04354ad0def656194cfcfff1ccca6a5540e 40-memcpy-fix.patch"
+574c265c7a7032c5afb32a9807e5d04354ad0def656194cfcfff1ccca6a5540e 40-memcpy-fix.patch
+9ad660d70077c167a41da007056eada3fd9dab3ba802e14d5b46426e5ded6692 CVE-2016-10244.patch
+173689b597571f05a1187bc92a400d6bc838a693301011544be982952dc80904 CVE-2017-8105.patch
+235c3946ad3bbd11685cb6511be46e84adeaf52c23511863e9aa715a5369a8a2 CVE-2017-8287.patch"
sha512sums="1c8812252d748c6ccc5f6002b57c8a7cb0f08fe15e3c700ac8b2714c7648d756cd4af4207a765cf0d320509be6d09c74239d69e9ca6a05bb15ca6a475cf96ce3 freetype-2.5.5.tar.gz
bd30f76003ae4e7fd324fdbdbc70f930bda418ae819e7c611c90cb2d8299dca5995edb543c7991121c3990fab6ffff03a183a08c1975d083009f7272586fc266 20-enable-spr.patch
fdfa3c633a32bd9142f62454e12dd92442e8e02831fd34aca348aec6d00e7813130fbf267a7f4048a272596a478cfe3064df0ee9f9c06531378710f41bc2e40f 30-enable-valid.patch
-1553f7f0514238012e300bc8d0b1e260145db17fb56f13e4aa667435e98c3749c00e150caa0e318289b84bca33b9a06a68b8342575e10ac3bf5af3d5cc861537 40-memcpy-fix.patch"
+1553f7f0514238012e300bc8d0b1e260145db17fb56f13e4aa667435e98c3749c00e150caa0e318289b84bca33b9a06a68b8342575e10ac3bf5af3d5cc861537 40-memcpy-fix.patch
+64f7ca7b84d8ddf881beed097911f52f704539f872c67c2490d42ab44c879d973a8d7bd290fe841248998d2fade5ab4a71a725148f91deb624135552437a1162 CVE-2016-10244.patch
+8992af56a71329f67f0bd445ef2b1d5e10f2ac5281c449ccbf0dbc826027ba8c828c05dbe5aee2e5a7d6b8cd8443192268a4177759c9158c0008d546c6dd9093 CVE-2017-8105.patch
+703e345868d0a391645227918fa49ba1e2e1f0009c5f80e8177b9c0468b8c9ae8d47da1bb65a103133e221946556aa49fa24ea0cb1cc270331f7c4954c8b95bd CVE-2017-8287.patch"
diff --git a/main/freetype/CVE-2016-10244.patch b/main/freetype/CVE-2016-10244.patch
new file mode 100644
index 0000000000..3593d47660
--- /dev/null
+++ b/main/freetype/CVE-2016-10244.patch
@@ -0,0 +1,20 @@
+diff --git src/type1/t1load.c src/type1/t1load.c
+index a53037c..609bd53 100644
+--- src/type1/t1load.c
++++ src/type1/t1load.c
+@@ -1776,6 +1776,12 @@
+ }
+ }
+
++ if ( !n )
++ {
++ error = FT_THROW( Invalid_File_Format );
++ goto Fail;
++ }
++
+ loader->num_glyphs = n;
+
+ /* if /.notdef is found but does not occupy index 0, do our magic. */
+--
+2.8.5
+
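Review bot: This patch file carries no provenance: unlike the other two patches added in this commit it has no `From <commit>` / `Subject:` header, so the `if ( !n )` guard in src/type1/t1load.c cannot be matched to an upstream FreeType change from the file alone. A line above the embedded `diff --git`, such as `Upstream: <upstream commit id> (CVE-2016-10244)`, would make the backport auditable. The guard rejects a zero glyph count before `loader->num_glyphs = n;`. The enclosing function starts and ends outside the hunk, so confirm against the 2.5.5 source that the `Fail` label releases whatever was allocated earlier in the function.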
diff --git a/main/freetype/CVE-2017-8105.patch b/main/freetype/CVE-2017-8105.patch
new file mode 100644
index 0000000000..00501b4957
--- /dev/null
+++ b/main/freetype/CVE-2017-8105.patch
@@ -0,0 +1,46 @@
+From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Fri, 24 Mar 2017 09:15:10 +0100
+Subject: [psaux] Better protect `flex' handling.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+<callothersubr>: Since there is not a single flex operator but a
+series of subroutine calls, malformed fonts can call arbitrary other
+operators after the start of a flex, possibly adding points. For
+this reason we have to check the available number of points before
+inserting a point.
+---
+ src/psaux/t1decode.c | 9 +++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git src/psaux/t1decode.c src/psaux/t1decode.c
+index af7b465..7dd4513 100644
+--- src/psaux/t1decode.c
++++ src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+ /* point without adding any point to the outline */
+ idx = decoder->num_flex_vectors++;
+ if ( idx > 0 && idx < 7 )
++ {
++ /* in malformed fonts it is possible to have other */
++ /* opcodes in the middle of a flex (which don't */
++ /* increase `num_flex_vectors'); we thus have to */
++ /* check whether we can add a point */
++ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
++ goto Syntax_Error;
++
+ t1_builder_add_point( builder,
+ x,
+ y,
+ (FT_Byte)( idx == 3 || idx == 6 ) );
++ }
+ }
+ break;
+
+--
+cgit v1.0-41-gc330
+
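Review bot: On the new `goto Syntax_Error;` path the value stored by `FT_SET_ERROR( t1_builder_check_points( builder, 1 ) )` may be discarded. The label is outside the hunk, but if it returns a fixed syntax-error code, a failure to grow the outline would be reported as a malformed font. If the function has a label that returns `error` unchanged, `goto Fail;` would keep the real cause; this matches upstream as written, so it is a point to confirm rather than a reason to diverge in the backport. Separately, the embedded header says `2 files changed, 24 insertions(+)` while only the t1decode.c diff is present, so a short line noting that the second file was dropped would help anyone auditing the patch.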
diff --git a/main/freetype/CVE-2017-8287.patch b/main/freetype/CVE-2017-8287.patch
new file mode 100644
index 0000000000..b814c8d607
--- /dev/null
+++ b/main/freetype/CVE-2017-8287.patch
@@ -0,0 +1,34 @@
+From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sun, 26 Mar 2017 08:32:09 +0200
+Subject: * src/psaux/psobjs.c (t1_builder_close_contour): Add safety guard.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
+---
+ src/psaux/psobjs.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git src/psaux/psobjs.c src/psaux/psobjs.c
+index d18e821..0baf836 100644
+--- src/psaux/psobjs.c
++++ src/psaux/psobjs.c
+@@ -1718,6 +1718,14 @@
+ first = outline->n_contours <= 1
+ ? 0 : outline->contours[outline->n_contours - 2] + 1;
+
++ /* in malformed fonts it can happen that a contour was started */
++ /* but no points were added */
++ if ( outline->n_contours && first == outline->n_points )
++ {
++ outline->n_contours--;
++ return;
++ }
++
+ /* We must not include the last point in the path if it */
+ /* is located on the first point. */
+ if ( outline->n_points > 1 )
+--
+cgit v1.0-41-gc330
+
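Review bot: The comment on the new guard in t1_builder_close_contour says when the condition arises but not what it protects against, so a later reader cannot tell why an empty contour must be dropped rather than closed. Consider extending it, for example `/* drop the empty contour; the checks below assume it owns at least one point */`. Presumably the last-point comparison that follows indexes from `first` and `n_points - 1`, which lies outside the visible lines. The test is for exact equality, so `first >= outline->n_points` would also cover a `first` past the end, if that state is reachable. The function starts and ends outside the hunk.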