Bug#1010304: marked as done (bullseye-pu: package freetype/2.10.4+dfsg-1+deb11u1)

Debian Bug Tracking System Sat, 09 Jul 2022 03:55:43 -0700

Your message dated Sat, 09 Jul 2022 11:47:43 +0100
with message-id 
<2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #1010304,
regarding bullseye-pu: package freetype/2.10.4+dfsg-1+deb11u1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1010304: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010304
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu

This update fixes three security vulnerabilities in FreeType 2.10.4+dfsg-1.

- CVE-2022-27404: heap buffer overflow via invalid integer decrement in
sfnt_init_face() and woff2_open_font().
- CVE-2022-27405: segmentation violation via ft_open_face_internal() when
attempting to read the value of FT_LONG face_index.
- CVE-2022-27406: segmentation violation via FT_Request_Size() when attempting
to read the value of an unguarded face size handle.

It would be ideal to get these fixes into Bullseye.

diff -Nru freetype-2.10.4+dfsg/debian/changelog 
freetype-2.10.4+dfsg/debian/changelog
--- freetype-2.10.4+dfsg/debian/changelog       2020-12-05 19:20:58.000000000 
+1100
+++ freetype-2.10.4+dfsg/debian/changelog       2022-04-28 19:54:23.000000000 
+1000
@@ -1,3 +1,15 @@
+freetype (2.10.4+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Add upstream patches to fix multiple vulnerabilities. Closes: #1010183.
+    - CVE-2022-27404: heap buffer overflow via invalid integer decrement in
+      sfnt_init_face() and woff2_open_font().
+    - CVE-2022-27405: segmentation violation via ft_open_face_internal() when
+      attempting to read the value of FT_LONG face_index.
+    - CVE-2022-27406: segmentation violation via FT_Request_Size() when
+      attempting to read the value of an unguarded face size handle.
+
+ -- Hugh McMaster <[email protected]>  Thu, 28 Apr 2022 19:54:23 +1000
+
 freetype (2.10.4+dfsg-1) unstable; urgency=medium
 
   * New upstream version:
diff -Nru freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch 
freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch
--- freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch    1970-01-01 
10:00:00.000000000 +1000
+++ freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch    2022-04-28 
19:54:23.000000000 +1000
@@ -0,0 +1,30 @@
+Description: Check `face_index` before decrementing to prevent heap buffer
+ overflow (CVE-2022-27404).
+Author: Werner Lemberg
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/sfnt/sfobjs.c
++++ b/src/sfnt/sfobjs.c
+@@ -553,7 +553,7 @@
+     face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+ 
+     /* value -(N+1) requests information on index N */
+-    if ( face_instance_index < 0 )
++    if ( face_instance_index < 0 && face_index > 0 )
+       face_index--;
+ 
+     if ( face_index >= face->ttc_header.count )
+--- a/src/sfnt/sfwoff2.c
++++ b/src/sfnt/sfwoff2.c
+@@ -2098,7 +2098,7 @@
+     /* Validate requested face index. */
+     *num_faces = woff2.num_fonts;
+     /* value -(N+1) requests information on index N */
+-    if ( *face_instance_index < 0 )
++    if ( *face_instance_index < 0 && face_index > 0 )
+       face_index--;
+ 
+     if ( face_index >= woff2.num_fonts )
diff -Nru freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch 
freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch
--- freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch    1970-01-01 
10:00:00.000000000 +1000
+++ freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch    2022-04-28 
19:54:23.000000000 +1000
@@ -0,0 +1,26 @@
+Description: Properly guard `face_index` before attempting to read its value
+ (CVE-2022-27405).
+Author: Werner Lemberg
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2407,6 +2407,15 @@
+ #endif
+ 
+ 
++    /* only use lower 31 bits together with sign bit */
++    if ( face_index > 0 )
++      face_index &= 0x7FFFFFFFL;
++    else
++    {
++      face_index &= 0x7FFFFFFFL;
++      face_index  = -face_index;
++    }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+     FT_TRACE3(( "FT_Open_Face: " ));
+     if ( face_index < 0 )
diff -Nru freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch 
freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch
--- freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch    1970-01-01 
10:00:00.000000000 +1000
+++ freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch    2022-04-28 
19:54:23.000000000 +1000
@@ -0,0 +1,20 @@
+Description: Guard the `face->size` handle before attempting to read its value
+ (CVE-2022-27406).
+Author: Werner Lemberg
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3273,6 +3273,9 @@
+     if ( !face )
+       return FT_THROW( Invalid_Face_Handle );
+ 
++    if ( !face->size )
++      return FT_THROW( Invalid_Size_Handle );
++
+     if ( !req || req->width < 0 || req->height < 0 ||
+          req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+       return FT_THROW( Invalid_Argument );
diff -Nru freetype-2.10.4+dfsg/debian/patches/series 
freetype-2.10.4+dfsg/debian/patches/series
--- freetype-2.10.4+dfsg/debian/patches/series  2020-12-05 19:20:58.000000000 
+1100
+++ freetype-2.10.4+dfsg/debian/patches/series  2022-04-28 19:54:23.000000000 
+1000
@@ -5,3 +5,6 @@
 remove-gstatic-code.patch
 no-web-fonts.patch
 hide-donations-information.patch
+CVE-2022-27404.patch
+CVE-2022-27405.patch
+CVE-2022-27406.patch

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 11.4

(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye
point release.

Regards,

Adam

--- End Message ---

Bug#1010304: marked as done (bullseye-pu: package freetype/2.10.4+dfsg-1+deb11u1)

Reply via email to