Your message dated Mon, 01 May 2017 16:41:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#861526: unblock: freetype/2.6.3-3.2
has caused the Debian Bug report #861526,
regarding unblock: freetype/2.6.3-3.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
861526: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861526
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hi

Please unblock package freetype. It actually has already but it needs
an ack as well for d-i.

The update fixes two CVEs,

 - CVE-2017-8105, #861220
 - CVE-2017-8287, #861308

and addressed in a DSA for stable. Would thus be great to have the
fixes as well in stretch to avoid a regression.

unblock freetype/2.6.3-3.2

Regards,
Salvatore
diff -u freetype-2.6.3/debian/changelog freetype-2.6.3/debian/changelog
--- freetype-2.6.3/debian/changelog
+++ freetype-2.6.3/debian/changelog
@@ -1,3 +1,12 @@
+freetype (2.6.3-3.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Better protect `flex' handling (CVE-2017-8105) (Closes: #861220)
+  * t1_builder_close_contour: Add safety guard (CVE-2017-8287)
+    (Closes: #861308)
+
+ -- Salvatore Bonaccorso <[email protected]>  Thu, 27 Apr 2017 20:57:40 +0200
+
 freetype (2.6.3-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
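Review bot: the two changelog entries are not written to the same level of detail: the CVE-2017-8287 line names the affected function (`t1_builder_close_contour`), while the CVE-2017-8105 line only repeats the upstream subject "Better protect `flex' handling" without saying where the fix lands. Since the upstream patch itself names `src/psaux/t1decode.c (t1_decoder_parse_charstrings)`, consider mentioning that in the entry so someone reading the changelog can locate the change without opening the patch. `urgency=high` is appropriate for a DSA-tracked security upload.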
diff -u freetype-2.6.3/debian/patches-freetype/series 
freetype-2.6.3/debian/patches-freetype/series
--- freetype-2.6.3/debian/patches-freetype/series
+++ freetype-2.6.3/debian/patches-freetype/series
@@ -6,0 +7,2 @@
+CVE-2017-8105-psaux-Better-protect-flex-handling.patch
+CVE-2017-8287-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch
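Review bot: the hunk header `@@ -6,0 +7,2 @@` shows both patches are appended after the existing six entries, so they apply last in the series. The two patches touch different files (`src/psaux/t1decode.c` and `src/psaux/psobjs.c`), so their relative order does not matter and keeping them in CVE-number order, matching the changelog, is fine. Both filenames carry the CVE identifier, which makes the security tracker cross-reference straightforward.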
only in patch2:
unchanged:
--- 
freetype-2.6.3.orig/debian/patches-freetype/CVE-2017-8105-psaux-Better-protect-flex-handling.patch
+++ 
freetype-2.6.3/debian/patches-freetype/CVE-2017-8105-psaux-Better-protect-flex-handling.patch
@@ -0,0 +1,43 @@
+From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <[email protected]>
+Date: Fri, 24 Mar 2017 09:15:10 +0100
+Subject: [PATCH] [psaux] Better protect `flex' handling.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+<callothersubr>: Since there is not a single flex operator but a
+series of subroutine calls, malformed fonts can call arbitrary other
+operators after the start of a flex, possibly adding points.  For
+this reason we have to check the available number of points before
+inserting a point.
+---
+diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
+index af7b465..7dd4513 100644
+--- a/src/psaux/t1decode.c
++++ b/src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+             /* point without adding any point to the outline    */
+             idx = decoder->num_flex_vectors++;
+             if ( idx > 0 && idx < 7 )
++            {
++              /* in malformed fonts it is possible to have other */
++              /* opcodes in the middle of a flex (which don't    */
++              /* increase `num_flex_vectors'); we thus have to   */
++              /* check whether we can add a point                */
++              if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
++                goto Syntax_Error;
++
+               t1_builder_add_point( builder,
+                                     x,
+                                     y,
+                                     (FT_Byte)( idx == 3 || idx == 6 ) );
++            }
+           }
+           break;
+ 
+-- 
+2.1.4
+
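Review bot: the new `t1_builder_check_points( builder, 1 )` call is only reached on the `idx > 0 && idx < 7` branch, which is the only place this path inserts a point, so the over-allocation the commit message describes (other opcodes adding points mid-flex without bumping `num_flex_vectors`) is caught before `t1_builder_add_point` writes. Two things to confirm for the 2.6.3 backport, since the patch was generated against upstream (`index af7b465..7dd4513`): that `t1_builder_check_points` in this tree has the same `(builder, count)` signature and returns an `FT_Error` usable with `FT_SET_ERROR`, and that a `Syntax_Error` label exists in `t1_decoder_parse_charstrings`. Note that `decoder->num_flex_vectors++` has already run when the guard fails; that is harmless because `goto Syntax_Error` abandons the charstring rather than continuing to decode.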
only in patch2:
unchanged:
--- 
freetype-2.6.3.orig/debian/patches-freetype/CVE-2017-8287-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch
+++ 
freetype-2.6.3/debian/patches-freetype/CVE-2017-8287-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch
@@ -0,0 +1,32 @@
+From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <[email protected]>
+Date: Sun, 26 Mar 2017 08:32:09 +0200
+Subject: [PATCH] * src/psaux/psobjs.c (t1_builder_close_contour): Add safety
+ guard.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
+---
+diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
+index d18e821..0baf836 100644
+--- a/src/psaux/psobjs.c
++++ b/src/psaux/psobjs.c
+@@ -1718,6 +1718,14 @@
+     first = outline->n_contours <= 1
+             ? 0 : outline->contours[outline->n_contours - 2] + 1;
+ 
++    /* in malformed fonts it can happen that a contour was started */
++    /* but no points were added                                    */
++    if ( outline->n_contours && first == outline->n_points )
++    {
++      outline->n_contours--;
++      return;
++    }
++
+     /* We must not include the last point in the path if it */
+     /* is located on the first point.                       */
+     if ( outline->n_points > 1 )
+-- 
+2.1.4
+
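Review bot: the guard `outline->n_contours && first == outline->n_points` correctly handles both cases of `first`: with one contour `first` is 0, so an outline with no points drops the empty contour; with more than one, `first` is the index just past the previous contour's end, so an empty trailing contour is detected the same way. The leading `outline->n_contours &&` test also keeps `outline->n_contours--` from underflowing when no contour was ever started. The early `return` deliberately skips the "last point on first point" handling below, which is correct because the removed contour has no points to inspect; a short comment saying so would help the next reader. As with the other patch, check that the context around line 1718 in 2.6.3 matches upstream (`index d18e821..0baf836`) so the hunk applies without fuzz.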

--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Salvatore Bonaccorso <[email protected]> (2017-04-30):
>> Please unblock package freetype. It actually has already but it needs
>> an ack as well for d-i.
>>
>> The update fixes two CVEs,
>>
>>  - CVE-2017-8105, #861220
> 
> No regressions spotted with various languages, ACK.
> 
> 
> KiBi.
> 

Unblocked, thanks.

~Niels

--- End Message ---
