Hello community, here is the log from the commit of package freetype2 for openSUSE:11.2 checked in at Thu Mar 3 15:58:39 CET 2011.
-------- --- old-versions/11.2/UPDATES/all/freetype2/freetype2.changes 2010-10-13 17:36:41.000000000 +0200 +++ 11.2/freetype2/freetype2.changes 2011-02-28 18:33:06.000000000 +0100 @@ -1,0 +2,10 @@ +Mon Feb 28 17:32:14 UTC 2011 - [email protected] + +- added bnc647375_CVE-2010-3855.diff for bnc#647375 + +------------------------------------------------------------------- +Fri Feb 25 12:53:28 UTC 2011 - [email protected] + +- added bnc647375_CVE-2010-3814.diff for bnc#647375 + +------------------------------------------------------------------- --- old-versions/11.2/UPDATES/all/freetype2/ft2demos.changes 2010-10-13 17:36:42.000000000 +0200 +++ 11.2/freetype2/ft2demos.changes 2011-02-28 18:33:06.000000000 +0100 @@ -1,0 +2,10 @@ +Mon Feb 28 17:32:39 UTC 2011 - [email protected] + +- added bnc647375_CVE-2010-3855.diff for bnc#647375 + +------------------------------------------------------------------- +Fri Feb 25 12:53:57 UTC 2011 - [email protected] + +- added bnc647375_CVE-2010-3814.diff+testcase for bnc#647375 + +------------------------------------------------------------------- calling whatdependson for 11.2-i586 New: ---- bnc647375_CVE-2010-3814.diff bnc647375_CVE-2010-3855.diff bug-647375_tt2.ttf ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freetype2.spec ++++++ --- /var/tmp/diff_new_pack.DJFZwe/_old 2011-03-03 15:58:30.000000000 +0100 +++ /var/tmp/diff_new_pack.DJFZwe/_new 2011-03-03 15:58:30.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package freetype2 (Version 2.3.9) +# spec file for package freetype2 # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -29,7 +29,7 @@ %endif # Version: 2.3.9 -Release: 2.<RELEASE4> +Release: 2.<RELEASE6> Url: http://www.freetype.org Summary: A TrueType Font Library # CVS repository: @@ -72,6 +72,10 @@ Patch1014: bnc633943_CVE-2010-3054.diff # Patch1015: bnc641580_CVE-2010-3311.diff +# +Patch1016: bnc647375_CVE-2010-3814.diff +# +Patch1017: bnc647375_CVE-2010-3855.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -161,6 +165,10 @@ %patch1014 -p1 # bnc641580_CVE-2010-3311.diff %patch1015 -p1 +# bnc647375_CVE-2010-3814.diff +%patch1016 -p1 +# bnc647375_CVE-2010-3855.diff +%patch1017 -p1 pushd docs tar xf $RPM_SOURCE_DIR/freetype-doc-reference.tar.bz2 ++++++ ft2demos.spec ++++++ --- /var/tmp/diff_new_pack.DJFZwe/_old 2011-03-03 15:58:30.000000000 +0100 +++ /var/tmp/diff_new_pack.DJFZwe/_new 2011-03-03 15:58:30.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package ft2demos (Version 2.3.9) +# spec file for package ft2demos # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,7 +27,7 @@ Supplements: fonts-config %endif Version: 2.3.9 -Release: 2.<RELEASE3> +Release: 2.<RELEASE5> %define freetype_version %{version} Url: http://www.freetype.org Summary: Freetype2 Utilities and Demo Programs @@ -79,6 +79,10 @@ # Patch1015: bnc641580_CVE-2010-3311.diff Source1015: bug-641580_CVE-2010-3311.cff +# +Patch1016: bnc647375_CVE-2010-3814.diff +Source1016: bug-647375_tt2.ttf +Patch1017: bnc647375_CVE-2010-3855.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -152,6 +156,10 @@ %patch1014 -p1 # bnc641580_CVE-2010-3311.diff %patch1015 -p1 +# bnc647375_CVE-2010-3814.diff +%patch1016 -p1 +# bnc647375_CVE-2010-3855.diff +%patch1017 -p1 pushd docs tar xf $RPM_SOURCE_DIR/freetype-doc-reference.tar.bz2 
@@ -193,6 +201,7 @@ $RPM_BUILD_ROOT/usr/bin/ftbench -c 1 %{S:1004} >/tmp/x$$ 2>&1; grep -q "couldn't load font resource" /tmp/x$$ || false $RPM_BUILD_ROOT/usr/bin/ftbench -c 1 %{S:1013} >/tmp/x$$ 2>&1; grep -q "couldn't load font resource" /tmp/x$$ || false $RPM_BUILD_ROOT/usr/bin/ftbench -c 1 %{S:1015} >/tmp/x$$ 2>&1; grep -q "couldn't load font resource" /tmp/x$$ || false +$RPM_BUILD_ROOT/usr/bin/ftbench -c 1 %{S:1016} %clean ++++++ bnc647375_CVE-2010-3814.diff ++++++ commit 0edf0986f3be570f5bf90ff245a85c1675f5c9a4 Author: Werner Lemberg <[email protected]> Date: Wed Oct 6 11:52:27 2010 +0200 [truetype] Improve error handling of `SHZ' bytecode instruction. Problem reported by Chris Evans <[email protected]>. * src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'. Index: freetype-2.3.9/src/truetype/ttinterp.c =================================================================== --- freetype-2.3.9.orig/src/truetype/ttinterp.c +++ freetype-2.3.9/src/truetype/ttinterp.c @@ -5494,7 +5494,16 @@ if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 ) last_point = (FT_UShort)( CUR.zp2.n_points - 1 ); else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 ) + { last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] ); + + if ( BOUNDS( last_point, CUR.zp2.n_points ) ) + { + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; + return; + } + } else last_point = 0; ++++++ bnc647375_CVE-2010-3855.diff ++++++ >From 59eb9f8cfe7d1df379a2318316d1f04f80fba54a Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Tue, 12 Oct 2010 07:49:17 +0200 Subject: [PATCH] Fix Savannah bug #31310. * src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against invalid `runcnt' values. --- ChangeLog | 7 +++++++ src/truetype/ttgxvar.c | 6 +++--- 2 files changed, 10 insertions(+), 3 deletions(-) --- freetype-2.3.9/src/truetype/ttgxvar.c.orig 2008-10-15 22:01:42.000000000 +0200 +++ freetype-2.3.9/src/truetype/ttgxvar.c 2011-02-28 18:04:38.536173000 +0100 
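Review bot: The added check line in ft2demos.spec, `$RPM_BUILD_ROOT/usr/bin/ftbench -c 1 %{S:1016}`, has no stated pass condition, unlike the three lines above it, which capture the output and grep for "couldn't load font resource". As written it passes whenever ftbench exits with status 0, so the intent is presumably that the bnc#647375 test font is processed without a crash. A comment above the line, for example `# bnc#647375 (CVE-2010-3814): bug-647375_tt2.ttf must be processed without crashing`, would record that expectation. The line relies on the same abort-on-failure behaviour that the `|| false` idiom in the neighbouring lines depends on.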
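Review bot: In the src/truetype/ttinterp.c hunk (Ins_SHZ), the added `BOUNDS( last_point, CUR.zp2.n_points )` check covers only the `gep2 == 1` branch; the fallback `else last_point = 0;` is never compared with `n_points`. That fallback is taken whenever the zone has no points or no contours. The loop that consumes `last_point` lies outside this hunk, but if its bound is inclusive it would still touch point 0 of a zone that holds no points. An early `if ( CUR.zp2.n_points == 0 ) return;` ahead of the branch chain would close that case. A short comment that the contour end index comes from the font file and is therefore not trusted would also help the next reader.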
@@ -158,6 +158,9 @@ runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK; first = points[i++] = FT_GET_USHORT(); + if ( runcnt < 1 || i + runcnt >= n ) + goto Exit; + /* first point not included in runcount */ for ( j = 0; j < runcnt; ++j ) points[i++] = (FT_UShort)( first += FT_GET_USHORT() ); @@ -166,11 +169,15 @@ { first = points[i++] = FT_GET_BYTE(); + if ( runcnt < 1 || i + runcnt >= n ) + goto Exit; + for ( j = 0; j < runcnt; ++j ) points[i++] = (FT_UShort)( first += FT_GET_BYTE() ); } } + Exit: return points; } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
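Review bot: In src/truetype/ttgxvar.c (ft_var_readpackedpoints), the new guard `if ( runcnt < 1 || i + runcnt >= n ) goto Exit;` stops the out-of-range writes into `points`, but the `Exit:` path still returns `points` as if decoding had succeeded, with only the first `i` entries written. The same holds for the byte-sized branch in the second hunk. The allocation and the place where the point count is handed to the caller are outside these hunks, so it should be confirmed that the array is zero-filled or that the caller learns the data was cut short; otherwise later code may consume stale indices from a malformed font. The bound also looks stricter than needed: after `points[i++]` the loop writes indices `i` through `i + runcnt - 1`, so `i + runcnt > n` appears to be the exact limit. Likewise `runcnt < 1` rejects a run that holds only the first point, which has already been stored.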
