Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package freetype2 for openSUSE:Factory checked in at 2022-08-24 15:10:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/freetype2 (Old) and /work/SRC/openSUSE:Factory/.freetype2.new.2083 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "freetype2" Wed Aug 24 15:10:44 2022 rev:97 rq:998792 version:2.12.1 Changes: -------- --- /work/SRC/openSUSE:Factory/freetype2/freetype2.changes 2022-08-20 20:28:12.853277971 +0200 +++ /work/SRC/openSUSE:Factory/.freetype2.new.2083/freetype2.changes 2022-08-24 15:10:54.148489432 +0200 @@ -72,0 +73,2 @@ + - fixes bsc#1198830 (CVE-2022-27404), bsc#1198832 (CVE-2022-27405), + bsc#1198823 (CVE-2022-27406) @@ -110,2 +112,3 @@ - * Fix a heap buffer overflow has been found in the handling of embedded - PNG bitmaps, introduced in FreeType version 2.6 (CVE-2020-15999 bsc#1177914) + * Fix a heap buffer overflow has been found in the handling of + embedded PNG bitmaps, introduced in FreeType version 2.6 + (CVE-2020-15999 bsc#1177914) --- /work/SRC/openSUSE:Factory/freetype2/ft2demos.changes 2022-08-20 20:28:13.041278493 +0200 +++ /work/SRC/openSUSE:Factory/.freetype2.new.2083/ft2demos.changes 2022-08-24 15:10:54.212489493 +0200 @@ -1,0 +2,7 @@ +Tue Aug 23 09:29:39 UTC 2022 - Fridrich Strba <[email protected]> + +- Add CVE-2022-31782.patch + * Fix bsc#1200264, CVE-2022-31782: heap-based buffer overflow in + ftbench.c + +------------------------------------------------------------------- New: ---- CVE-2022-31782.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ft2demos.spec ++++++ --- /var/tmp/diff_new_pack.2irLmQ/_old 2022-08-24 15:10:54.980490234 +0200 +++ /var/tmp/diff_new_pack.2irLmQ/_new 2022-08-24 15:10:54.984490238 +0200 @@ -40,6 +40,8 @@ Patch201: overflow.patch # PATCH-FIX-OPENSUSE don-t-mark-libpng-as-required-library.patch -- it is private in .pc Patch202: don-t-mark-libpng-as-required-library.patch +# PATCH-FIX-UPSTREAM CVE-2022-31782.patch -- exit if face->num_glyphs is zero +Patch203: CVE-2022-31782.patch Patch308961: bugzilla-308961-cmex-workaround.patch BuildRequires: libpng-devel BuildRequires: pkgconfig @@ -173,6 +175,7 @@ %patch308961 -p 1 pushd ../ft2demos-%{version} %patch201 -p1 +%patch203 -p1 popd %patch202 -p1 ++++++ CVE-2022-31782.patch ++++++ --- a/src/ftbench.c +++ b/src/ftbench.c @@ -1242,6 +1242,9 @@ if ( get_face( &face ) ) goto Exit; + if ( !face->num_glyphs ) + goto Exit; + if ( first_index >= face->num_glyphs ) first_index = face->num_glyphs - 1; if ( last_index >= face->num_glyphs )
