Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 28-Jul-2006 13:44:54 Branch: OPENPKG_2_5_SOLID Handle: 2006072812445400 Modified files: (Branch: OPENPKG_2_5_SOLID) openpkg-src/freetype freetype.patch freetype.spec Log: multiple security fixes (CVE-2006-3467, CVE-2006-2661, CVE-2006-1861 aka CVE-2006-2493, CVE-2006-0747) Summary: Revision Changes Path 1.5.2.1 +352 -0 openpkg-src/freetype/freetype.patch 1.53.2.3 +1 -1 openpkg-src/freetype/freetype.spec ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-src/freetype/freetype.patch ============================================================================ $ cvs diff -u -r1.5 -r1.5.2.1 freetype.patch --- openpkg-src/freetype/freetype.patch 25 Jul 2005 17:54:35 -0000 1.5 +++ openpkg-src/freetype/freetype.patch 28 Jul 2006 11:44:54 -0000 1.5.2.1 
@@ -108,3 +108,355 @@ #ifndef __FREETYPE_H__ #define __FREETYPE_H__ +----------------------------------------------------------------------------- + +Security Fix (CVE-2006-3467) + +Integer overflow allows remote attackers to cause a Denial of Service +(crash) and possibly execute arbitrary code via unknown vectors, as +demonstrated by the Red Hat "bad1.pcf" test file, due to a partial fix +of CVE-2006-1861. + +--- src/pcf/pcfread.c.strlen2 2003-01-22 17:45:28.000000000 -0500 ++++ src/pcf/pcfread.c 2006-06-28 15:01:19.000000000 -0400 +@@ -428,6 +428,14 @@ + + for ( i = 0; i < nprops; i++ ) + { ++ /* 2006:0500 (mbarnes) - Detect invalid string length. ++ * XXX Is this is best error code to return? */ ++ if ( props[i].name < 0 ) ++ { ++ error = FT_Err_Invalid_File_Format; ++ goto Bail; ++ } ++ + /* XXX: make atom */ + if ( FT_NEW_ARRAY( properties[i].name, + ft_strlen( strings + props[i].name ) + 1 ) ) +@@ -438,6 +446,14 @@ + + if ( props[i].isString ) + { ++ /* 2006:0500 (mbarnes) - Detect invalid string length. ++ * XXX Is this the best error code to return? */ ++ if ( props[i].value < 0 ) ++ { ++ error = FT_Err_Invalid_File_Format; ++ goto Bail; ++ } ++ + if ( FT_NEW_ARRAY( properties[i].value.atom, + ft_strlen( strings + props[i].value ) + 1 ) ) + goto Bail; + +----------------------------------------------------------------------------- + +Security Fix + +Serious bug that caused some programs to go into an infinite loop +(Denial of Service) when dealing with fonts that don't have a properly +sorted kerning sub-table. 
+ +--- src/sfnt/ttkern.c 2005-03-03 12:18:15.000000000 +0100 ++++ src/sfnt/ttkern.c 2006-05-30 16:04:57.000000000 +0200 +@@ -246,7 +246,9 @@ + } + else /* linear search */ + { +- for ( count = num_pairs; count > 0; count-- ) ++ FT_UInt count2; ++ ++ for ( count2 = num_pairs; count2 > 0; count2-- ) + { + FT_ULong key = FT_NEXT_ULONG( p ); + +----------------------------------------------------------------------------- + +Security Fix (CVE-2006-2661) + +Allows remote attackers to cause a Denial of Service (crash) via a +crafted font file that triggers a NULL dereference. + +--- src/base/ftutil.c 2005-03-03 23:59:06.000000000 +0100 ++++ src/base/ftutil.c 2006-05-30 17:05:10.000000000 +0200 +@@ -67,6 +67,11 @@ + } + FT_MEM_ZERO( *P, size ); + } ++ else if ( size < 0 ) ++ { ++ /* may help catch/prevent nasty security issues */ ++ return FT_Err_Invalid_Argument; ++ } + else + *P = NULL; + +@@ -99,6 +104,11 @@ + return FT_Err_Out_Of_Memory; + } + } ++ else if (size < 0) ++ { ++ /* may help catch/prevent security issues */ ++ return FT_Err_Invalid_Argument; ++ } + else + *P = NULL; + +@@ -127,6 +137,11 @@ + if ( !*P ) + return FT_Alloc( memory, size, P ); + ++ if ( size < 0 || current < 0 ) ++ { ++ return FT_Err_Invalid_Argument; ++ } ++ + /* if the new block if zero-sized, clear the current one */ + if ( size <= 0 ) + { +@@ -169,6 +184,11 @@ + if ( !*P ) + return FT_QAlloc( memory, size, P ); + ++ if ( size < 0 || current < 0 ) ++ { ++ return FT_Err_Invalid_Argument; ++ } ++ + /* if the new block if zero-sized, clear the current one */ + if ( size <= 0 ) + { + +----------------------------------------------------------------------------- + +Security Fix (CVE-2006-1861 aka CVE-2006-2493) + +Multiple integer overflows allow remote attackers to cause a Denial of +Service (crash) and possibly execute arbitrary code. 
+ +--- include/freetype/fterrdef.h 2004-02-12 09:33:20.000000000 +0100 ++++ include/freetype/fterrdef.h 2006-06-02 15:42:00.000000000 +0200 +@@ -226,6 +226,8 @@ + "`ENCODING' field missing" ) + FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \ + "`BBX' field missing" ) ++ FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \ ++ "`BBX' too big" ) + + + /* END */ +--- src/base/ftmac.c 2004-08-28 10:02:46.000000000 +0200 ++++ src/base/ftmac.c 2006-06-02 15:45:18.000000000 +0200 +@@ -430,6 +430,7 @@ + short res_id; + unsigned char *buffer, *p, *size_p = NULL; + FT_ULong total_size = 0; ++ FT_ULong old_total_size = 0; + FT_ULong post_size, pfb_chunk_size; + Handle post_data; + char code, last_code; +@@ -462,6 +463,15 @@ + last_code = code; + } + ++ /* detect integer overflows */ ++ if ( total_size < old_total_size ) ++ { ++ error = FT_Err_Array_Too_Large; ++ goto Error; ++ } ++ ++ old_total_size = total_size; ++ + if ( FT_ALLOC( buffer, (FT_Long)total_size ) ) + goto Error; + +--- src/bdf/bdflib.c 2006-06-02 15:40:24.000000000 +0200 ++++ src/bdf/bdflib.c 2006-06-02 15:42:00.000000000 +0200 +@@ -1092,6 +1092,7 @@ + #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n" + #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n" + #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n" ++#define ERRMSG4 "[line %ld] BBX too big.\n" + + + static FT_Error +@@ -1569,6 +1570,14 @@ + goto Exit; + } + ++ /* Check that the encoding is in the range [0,65536] because */ ++ /* otherwise p->have (a bitmap with static size) overflows. */ ++ if ( p->glyph_enc >= sizeof(p->have)*8 ) ++ { ++ error = BDF_Err_Invalid_File_Format; ++ goto Exit; ++ } ++ + /* Check to see whether this encoding has already been encountered. */ + /* If it has then change it to unencoded so it gets added if */ + /* indicated. */ +@@ -1814,6 +1823,9 @@ + /* And finally, gather up the bitmap. 
*/ + if ( ft_memcmp( line, "BITMAP", 6 ) == 0 ) + { ++ unsigned long bitmap_size; ++ ++ + if ( !( p->flags & _BDF_BBX ) ) + { + /* Missing BBX field. */ +@@ -1824,7 +1836,16 @@ + + /* Allocate enough space for the bitmap. */ + glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3; +- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height ); ++ ++ bitmap_size = glyph->bpr * glyph->bbx.height; ++ if ( bitmap_size < 0 || bitmap_size > 0xFFFFU ) ++ { ++ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno )); ++ error = BDF_Err_Bbx_Too_Big; ++ goto Exit; ++ } ++ else ++ glyph->bytes = (unsigned short)bitmap_size; + + if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) ) + goto Exit; +--- src/cff/cffgload.c 2006-06-02 15:40:24.000000000 +0200 ++++ src/cff/cffgload.c 2006-06-02 15:42:00.000000000 +0200 +@@ -2284,7 +2284,7 @@ + FT_LOCAL_DEF( FT_Error ) + cff_slot_load( CFF_GlyphSlot glyph, + CFF_Size size, +- FT_Int glyph_index, ++ FT_UInt glyph_index, + FT_Int32 load_flags ) + { + FT_Error error; +@@ -2330,7 +2330,7 @@ + + error = sfnt->load_sbit_image( face, + (FT_ULong)size->strike_index, +- (FT_UInt)glyph_index, ++ glyph_index, + (FT_Int)load_flags, + stream, + &glyph->root.bitmap, +@@ -2393,7 +2393,12 @@ + /* subsetted font, glyph_indices and CIDs are identical, though */ + if ( cff->top_font.font_dict.cid_registry != 0xFFFFU && + cff->charset.cids ) +- glyph_index = cff->charset.cids[glyph_index]; ++ { ++ if ( glyph_index < cff->charset.max_cid ) ++ glyph_index = cff->charset.cids[glyph_index]; ++ else ++ glyph_index = 0; ++ } + + cff_decoder_init( &decoder, face, size, glyph, hinting, + FT_LOAD_TARGET_MODE( load_flags ) ); +--- src/cff/cffgload.h 2004-05-13 23:59:17.000000000 +0200 ++++ src/cff/cffgload.h 2006-06-02 15:42:00.000000000 +0200 +@@ -196,7 +196,7 @@ FT_BEGIN_HEADER + FT_LOCAL( FT_Error ) + cff_slot_load( CFF_GlyphSlot glyph, + CFF_Size size, +- FT_Int glyph_index, ++ FT_UInt glyph_index, + FT_Int32 load_flags ); + + +--- src/cff/cffload.c 
2006-06-02 15:40:24.000000000 +0200 ++++ src/cff/cffload.c 2006-06-02 15:42:00.000000000 +0200 +@@ -1688,6 +1688,8 @@ + + for ( i = 0; i < num_glyphs; i++ ) + charset->cids[charset->sids[i]] = (FT_UShort)i; ++ ++ charset->max_cid = max_cid; + } + + Exit: +--- src/cff/cfftypes.h 2003-12-20 08:30:05.000000000 +0100 ++++ src/cff/cfftypes.h 2006-06-02 15:42:00.000000000 +0200 +@@ -84,6 +84,7 @@ FT_BEGIN_HEADER + FT_UShort* sids; + FT_UShort* cids; /* the inverse mapping of `sids'; only needed */ + /* for CID-keyed fonts */ ++ FT_UInt max_cid; + } CFF_CharsetRec, *CFF_Charset; + + +--- src/sfnt/ttcmap.c 2005-05-11 16:37:40.000000000 +0200 ++++ src/sfnt/ttcmap.c 2006-06-02 15:42:00.000000000 +0200 +@@ -2144,9 +2144,7 @@ + charmap.encoding = FT_ENCODING_NONE; /* will be filled later */ + offset = TT_NEXT_ULONG( p ); + +- if ( offset && +- table + offset + 2 < limit && +- table + offset >= table ) ++ if ( offset && offset <= face->cmap_size - 2) + { + FT_Byte* cmap = table + offset; + volatile FT_UInt format = TT_PEEK_USHORT( cmap ); + +----------------------------------------------------------------------------- + +Security Fix (CVE-2006-0747) + +Integer underflow which allows remote attackers to cause a Denial of +Service (crash) via a font file with an odd number of blue values, which +causes the underflow when decrementing by 2 in a context that assumes an +even number of values. 
+ +--- src/pshinter/pshglob.c 2004-04-02 09:13:53.000000000 +0200 ++++ src/pshinter/pshglob.c 2006-05-30 16:28:56.000000000 +0200 +@@ -150,7 +150,7 @@ + FT_UNUSED( target ); + + +- for ( ; read_count > 0; read_count -= 2 ) ++ for ( ; read_count > 1; read_count -= 2 ) + { + FT_Int reference, delta; + FT_UInt count; +--- src/cff/cffload.c 2005-05-06 07:49:46.000000000 +0200 ++++ src/cff/cffload.c 2006-05-30 16:28:56.000000000 +0200 +@@ -1235,7 +1235,7 @@ + } + + /* access element */ +- if ( off1 ) ++ if ( off1 && off2 > off1 ) + { + *pbyte_len = off2 - off1; + +@@ -2040,6 +2040,9 @@ + FT_FRAME_EXIT(); + if ( error ) + goto Exit; ++ ++ /* ensure that 'num_blue_values' is even */ ++ priv->num_blue_values &= ~1; + } + + /* read the local subrs, if any */ +--- src/type1/t1load.c 2005-04-14 13:39:28.000000000 +0200 ++++ src/type1/t1load.c 2006-05-30 16:28:56.000000000 +0200 +@@ -1989,6 +1989,9 @@ + keyword_flags ); + if ( error ) + goto Exit; ++ ++ /* ensure even-ness of 'num_blue_values' */ ++ priv->num_blue_values &= ~1; + + #ifndef T1_CONFIG_OPTION_NO_MM_SUPPORT + + @@ . patch -p0 <<'@@ .' Index: openpkg-src/freetype/freetype.spec ============================================================================ $ cvs diff -u -r1.53.2.2 -r1.53.2.3 freetype.spec --- openpkg-src/freetype/freetype.spec 14 Oct 2005 15:01:54 -0000 1.53.2.2 +++ openpkg-src/freetype/freetype.spec 28 Jul 2006 11:44:54 -0000 1.53.2.3 @@ -33,7 +33,7 @@ Group: Graphics License: GPL Version: 2.1.10 -Release: 2.5.0 +Release: 2.5.1 # list of sources Source0: http://savannah.nongnu.org/download/freetype/freetype-%{version}.tar.gz @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
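Review bot: The pcfread.c hunk rejects only negative `props[i].name` and `props[i].value` offsets, so a large positive offset still sends `ft_strlen( strings + props[i].name )` past the end of the string table unless an upper bound exists above the hunk, which is not visible here; the guard should be `if ( props[i].name < 0 || (FT_ULong)props[i].name >= string_size )` with the same treatment for `props[i].value`, `string_size` being the string-table length the enclosing function reads before this loop (the function starts outside the hunk). In bdflib.c, `bitmap_size` is declared `unsigned long`, so `bitmap_size < 0` is always false and should be dropped, and the `> 0xFFFFU` test only bounds the store into `unsigned short`; whether the product `glyph->bpr * glyph->bbx.height` can itself overflow depends on those fields' types, which the hunk does not show. In ttcmap.c, `offset <= face->cmap_size - 2` wraps if `cmap_size` is below 2, which is presumably excluded by an earlier header check, but writing `face->cmap_size >= 2 && offset <= face->cmap_size - 2` makes the guard independent of code elsewhere. The cffgload.c comparison `glyph_index < cff->charset.max_cid` is an off-by-one if `cids` is allocated with `max_cid + 1` entries; the allocation is not in the hunk, so that is worth confirming against cffload.c.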