Hi, attached is a patch for an NMU to fix the above issues. Cheers Nico
-- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u freetype-2.3.9/debian/changelog freetype-2.3.9/debian/changelog --- freetype-2.3.9/debian/changelog +++ freetype-2.3.9/debian/changelog @@ -1,3 +1,11 @@ +freetype (2.3.9-4.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix multiple integer overflows leading to arbitrary code execution + or DoS (CVE-2009-0946; Closes: #524925). + + -- Nico Golde <n...@debian.org> Thu, 23 Apr 2009 21:13:11 +0200 + freetype (2.3.9-4) unstable; urgency=low * debian/patches-ft2demos/compiler-hardening-fixes.patch: always check the diff -u freetype-2.3.9/debian/patches-freetype/series freetype-2.3.9/debian/patches-freetype/series --- freetype-2.3.9/debian/patches-freetype/series +++ freetype-2.3.9/debian/patches-freetype/series @@ -7,0 +8 @@ +CVE-2009-0946.patch only in patch2: unchanged: --- freetype-2.3.9.orig/debian/patches-freetype/CVE-2009-0946.patch +++ freetype-2.3.9/debian/patches-freetype/CVE-2009-0946.patch @@ -0,0 +1,142 @@ +diff --git a/src/cff/cffload.c b/src/cff/cffload.c +index 22163fb..24b899d 100644 +--- a/src/cff/cffload.c ++++ b/src/cff/cffload.c +@@ -842,7 +842,20 @@ + goto Exit; + + for ( j = 1; j < num_glyphs; j++ ) +- charset->sids[j] = FT_GET_USHORT(); ++ { ++ FT_UShort sid = FT_GET_USHORT(); ++ ++ ++ /* this constant is given in the CFF specification */ ++ if ( sid < 65000 ) ++ charset->sids[j] = sid; ++ else ++ { ++ FT_ERROR(( "cff_charset_load:" ++ " invalid SID value %d set to zero\n", sid )); ++ charset->sids[j] = 0; ++ } ++ } + + FT_FRAME_EXIT(); + } +@@ -875,6 +888,20 @@ + goto Exit; + } + ++ /* check whether the range contains at least one valid glyph; */ ++ /* the constant is given in the CFF specification */ ++ if ( glyph_sid >= 65000 ) { ++ FT_ERROR(( "cff_charset_load: invalid SID range\n" )); ++ error = CFF_Err_Invalid_File_Format; ++ goto Exit; ++ } ++ ++ /* try to rescue some of the SIDs if `nleft' is too large */ ++ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) { ++ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" )); ++ nleft = 65000 - 1 - glyph_sid; ++ } ++ + /* Fill in the range of sids -- `nleft + 1' glyphs. */ + for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ ) + charset->sids[j] = glyph_sid; +diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c +index fc78315..c0483de 100644 +--- a/src/lzw/ftzopen.c ++++ b/src/lzw/ftzopen.c +@@ -332,6 +332,9 @@ + + while ( code >= 256U ) + { ++ if ( !state->prefix ) ++ goto Eof; ++ + FTLZW_STACK_PUSH( state->suffix[code - 256] ); + code = state->prefix[code - 256]; + } +diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c +index 6830391..1bd2ce7 100644 +--- a/src/sfnt/ttcmap.c ++++ b/src/sfnt/ttcmap.c +@@ -1635,7 +1635,7 @@ + FT_INVALID_TOO_SHORT; + + length = TT_NEXT_ULONG( p ); +- if ( table + length > valid->limit || length < 8208 ) ++ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 ) + FT_INVALID_TOO_SHORT; + + is32 = table + 12; +@@ -1863,7 +1863,8 @@ + p = table + 16; + count = TT_NEXT_ULONG( p ); + +- if ( table + length > valid->limit || length < 20 + count * 2 ) ++ if ( length > (FT_ULong)( valid->limit - table ) || ++ length < 20 + count * 2 ) + FT_INVALID_TOO_SHORT; + + /* check glyph indices */ +@@ -2048,7 +2049,8 @@ + p = table + 12; + num_groups = TT_NEXT_ULONG( p ); + +- if ( table + length > valid->limit || length < 16 + 12 * num_groups ) ++ if ( length > (FT_ULong)( valid->limit - table ) || ++ length < 16 + 12 * num_groups ) + FT_INVALID_TOO_SHORT; + + /* check groups, they must be in increasing order */ +@@ -2429,7 +2431,8 @@ + FT_ULong num_selectors = TT_NEXT_ULONG( p ); + + +- if ( table + length > valid->limit || length < 10 + 11 * num_selectors ) ++ if ( length > (FT_ULong)( valid->limit - table ) || ++ length < 10 + 11 * num_selectors ) + FT_INVALID_TOO_SHORT; + + /* check selectors, they must be in increasing order */ +@@ -2491,7 +2494,7 @@ + FT_ULong i, lastUni = 0; + + +- if ( ndp + numMappings * 4 > valid->limit ) ++ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ) + FT_INVALID_TOO_SHORT; + + for ( i = 0; i < numMappings; ++i ) +diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c +index a6db504..cacc490 100644 +--- a/src/smooth/ftsmooth.c ++++ b/src/smooth/ftsmooth.c +@@ -153,7 +153,7 @@ + slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP; + } + +- /* allocate new one, depends on pixel format */ ++ /* allocate new one */ + pitch = width; + if ( hmul ) + { +@@ -194,6 +194,13 @@ + + #endif + ++ if ( pitch > 0xFFFF || height > 0xFFFF ) ++ { ++ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", ++ width, height )); ++ return Smooth_Err_Raster_Overflow; ++ } ++ + bitmap->pixel_mode = FT_PIXEL_MODE_GRAY; + bitmap->num_grays = 256; + bitmap->width = width; +-- +cgit v0.8.2.1
pgpPKD9i7o7Qe.pgp
Description: PGP signature