Hello community,

here is the log from the commit of package freetype2 for openSUSE:11.3
checked in at Thu Mar 3 15:59:12 CET 2011.



--------
--- old-versions/11.3/UPDATES/all/freetype2/freetype2.changes   2010-10-13 
17:13:20.000000000 +0200
+++ 11.3/freetype2/freetype2.changes    2011-02-28 17:58:51.000000000 +0100
@@ -1,0 +2,10 @@
+Mon Feb 28 16:55:09 UTC 2011 - [email protected]
+
+- added bnc647375_CVE-2010-3855.diff for BNC#647375
+
+-------------------------------------------------------------------
+Fri Feb 25 12:37:06 UTC 2011 - [email protected]
+
+- added bnc647375_CVE-2010-3814.diff for BNC#647375
+
+-------------------------------------------------------------------
--- old-versions/11.3/UPDATES/all/freetype2/ft2demos.changes    2010-10-13 
17:13:21.000000000 +0200
+++ 11.3/freetype2/ft2demos.changes     2011-02-28 17:58:51.000000000 +0100
@@ -1,0 +2,10 @@
+Mon Feb 28 16:55:30 UTC 2011 - [email protected]
+
+- added bnc647375_CVE-2010-3855.diff for BNC#647375
+
+-------------------------------------------------------------------
+Fri Feb 25 12:37:51 UTC 2011 - [email protected]
+
+- added bnc647375_CVE-2010-3814.diff+testcase for BNC#647375
+
+-------------------------------------------------------------------

calling whatdependson for 11.3-i586


New:
----
  bnc647375_CVE-2010-3814.diff
  bnc647375_CVE-2010-3855.diff
  bug-647375_tt2.ttf

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ freetype2.spec ++++++
--- /var/tmp/diff_new_pack.5Ruak0/_old  2011-03-03 15:58:58.000000000 +0100
+++ /var/tmp/diff_new_pack.5Ruak0/_new  2011-03-03 15:58:58.000000000 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package freetype2 (Version 2.3.12)
+# spec file for package freetype2
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,7 +29,7 @@
 %endif
 #
 Version:        2.3.12
-Release:        7.<RELEASE2>
+Release:        7.<RELEASE4>
 Url:            http://www.freetype.org
 Summary:        A TrueType Font Library
 # CVS repository:
@@ -65,6 +65,8 @@
 # Patch1012:      bnc619562_CVE-2010-2541.diff
 Patch1013:      bnc633938_CVE-2010-3053.diff
 Patch1015:      bnc641580_CVE-2010-3311.diff
+Patch1016:      bnc647375_CVE-2010-3814.diff
+Patch1017:      bnc647375_CVE-2010-3855.diff
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
@@ -144,6 +146,10 @@
 %patch1013 -p1
 # bnc641580_CVE-2010-3311.diff
 %patch1015 -p1
+# bnc647375_CVE-2010-3814.diff
+%patch1016 -p1
+# bnc647375_CVE-2010-3855.diff
+%patch1017 -p1
 
 pushd docs
     tar xf $RPM_SOURCE_DIR/freetype-doc-reference.tar.bz2

++++++ ft2demos.spec ++++++
--- /var/tmp/diff_new_pack.5Ruak0/_old  2011-03-03 15:58:58.000000000 +0100
+++ /var/tmp/diff_new_pack.5Ruak0/_new  2011-03-03 15:58:58.000000000 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package ft2demos (Version 2.3.12)
+# spec file for package ft2demos
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,7 +25,7 @@
 AutoReqProv:    on
 Supplements:    fonts-config
 Version:        2.3.12
-Release:        7.<RELEASE2>
+Release:        7.<RELEASE4>
 %define freetype_version %{version}
 Url:            http://www.freetype.org
 Summary:        Freetype2 Utilities and Demo Programs
@@ -69,6 +69,9 @@
 Source1013:     bnc633938_badbdf.0
 Patch1015:      bnc641580_CVE-2010-3311.diff
 Source1015:     bug-641580_CVE-2010-3311.cff
+Patch1016:      bnc647375_CVE-2010-3814.diff
+Source1016:     bug-647375_tt2.ttf
+Patch1017:      bnc647375_CVE-2010-3855.diff
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
@@ -127,6 +130,10 @@
 %patch1013 -p1
 # bnc641580_CVE-2010-3311.diff
 %patch1015 -p1
+# bnc647375_CVE-2010-3814.diff
+%patch1016 -p1
+# bnc647375_CVE-2010-3855.diff
+%patch1017 -p1
 
 pushd docs
     tar xf $RPM_SOURCE_DIR/freetype-doc-reference.tar.bz2
@@ -165,6 +172,7 @@
 $RPM_BUILD_ROOT/usr/bin/ftbench -c 1 %{S:1004} >/tmp/x$$ 2>&1; grep -q 
"couldn't load font resource" /tmp/x$$ || false
 $RPM_BUILD_ROOT/usr/bin/ftbench -c 1 %{S:1013} >/tmp/x$$ 2>&1; grep -q 
"couldn't load font resource" /tmp/x$$ || false
 $RPM_BUILD_ROOT/usr/bin/ftbench -c 1 %{S:1014} >/tmp/x$$ 2>&1; grep -q 
"couldn't load font resource" /tmp/x$$ || false
+$RPM_BUILD_ROOT/usr/bin/ftbench -c 1 %{S:1016}
 
 %clean
 
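Review bot: The added `ftbench -c 1 %{S:1016}` line has no comment, and it is the only check in this run that expects the font to load: the three lines above it pass when ftbench prints "couldn't load font resource", while this one passes only if ftbench exits cleanly. A comment such as `# bug-647375_tt2.ttf (CVE-2010-3814): must be processed without crashing` would keep a later editor from rewriting it into the grep form. The check depends on the build shell aborting on a non-zero exit status, which is presumably the case for this section but is not visible in the hunk. No comparable test font is added for bnc647375_CVE-2010-3855.diff, so that fix is not exercised here.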



++++++ bnc647375_CVE-2010-3814.diff ++++++
commit 0edf0986f3be570f5bf90ff245a85c1675f5c9a4
Author: Werner Lemberg <[email protected]>
Date:   Wed Oct 6 11:52:27 2010 +0200

    [truetype] Improve error handling of `SHZ' bytecode instruction.
    Problem reported by Chris Evans <[email protected]>.
    
    * src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'.

Index: freetype-2.3.12/src/truetype/ttinterp.c
===================================================================
--- freetype-2.3.12.orig/src/truetype/ttinterp.c
+++ freetype-2.3.12/src/truetype/ttinterp.c
@@ -5506,7 +5506,16 @@
     if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
       last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
     else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
+    {
       last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
+
+      if ( BOUNDS( last_point, CUR.zp2.n_points ) )
+      {
+        if ( CUR.pedantic_hinting )
+          CUR.error = TT_Err_Invalid_Reference;
+        return;
+      }
+    }
     else
       last_point = 0;
 
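Review bot: The final `else last_point = 0;` branch is left unchanged, so when zp2 has no points or no contours, index 0 is still treated as valid; the new BOUNDS check covers only the contour-derived value. If the loop that follows this hunk runs through `last_point` inclusive (it is outside the visible lines), it would still touch point 0 of an empty zone. Consider returning early in that branch, or applying the same `BOUNDS( last_point, CUR.zp2.n_points )` test after the whole if/else chain so every path is covered. A short comment above the new block, e.g. `/* the last contour's end point comes from the font and may exceed n_points */`, would also document why the check exists. Ins_SHZ starts before and continues past this hunk.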
Index: freetype-2.3.12/ChangeLog
===================================================================
--- freetype-2.3.12.orig/ChangeLog
+++ freetype-2.3.12/ChangeLog
@@ -1,3 +1,10 @@
+2010-10-06  Werner Lemberg  <[email protected]>
+
+       [truetype] Improve error handling of `SHZ' bytecode instruction.
+       Problem reported by Chris Evans <[email protected]>.
+
+       * src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'.
+
 2010-02-13  Werner Lemberg  <[email protected]>
 
        * Version 2.3.12 released.
++++++ bnc647375_CVE-2010-3855.diff ++++++
>From 59eb9f8cfe7d1df379a2318316d1f04f80fba54a Mon Sep 17 00:00:00 2001
From: Werner Lemberg <[email protected]>
Date: Tue, 12 Oct 2010 07:49:17 +0200
Subject: [PATCH] Fix Savannah bug #31310.

* src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against
invalid `runcnt' values.
---
 ChangeLog              |    7 +++++++
 src/truetype/ttgxvar.c |    6 +++---
 2 files changed, 10 insertions(+), 3 deletions(-)

Index: freetype-2.3.12/src/truetype/ttgxvar.c
===================================================================
--- freetype-2.3.12.orig/src/truetype/ttgxvar.c
+++ freetype-2.3.12/src/truetype/ttgxvar.c
@@ -130,7 +130,7 @@
     FT_Int     j;
     FT_Int     first;
     FT_Memory  memory = stream->memory;
-    FT_Error   error = TT_Err_Ok;
+    FT_Error   error  = TT_Err_Ok;
 
     FT_UNUSED( error );
 
@@ -154,7 +154,7 @@
         runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
         first  = points[i++] = FT_GET_USHORT();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         /* first point not included in runcount */
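Review bot: The new bound `i + runcnt >= n` looks one stricter than needed: `i` has already been advanced past the first point, so a run that fills the array exactly to its end (`i + runcnt == n`) is rejected too, assuming the loop that follows writes `runcnt` further entries starting at `points[i]` (its body is outside the hunk). If that holds, `if ( runcnt < 1 || i + runcnt > n )` keeps the overflow protection without dropping valid data; the same condition is repeated in the byte-sized branch in the next hunk. Both checks leave through `goto Exit` without setting `error`, so a caller presumably cannot tell a truncated point list from a complete one; a comment stating that intent would help. ft_var_readpackedpoints begins and ends outside these hunks.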
@@ -165,7 +165,7 @@
       {
         first = points[i++] = FT_GET_BYTE();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         for ( j = 0; j < runcnt; ++j )



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...
