Bug#1010304: bullseye-pu: package freetype/2.10.4+dfsg-1+deb11u1

2022-05-28 Thread Adam D. Barratt
Control: tags -1 + confirmed d-i

On Thu, 2022-04-28 at 22:21 +1000, Hugh McMaster wrote:
> This update fixes three security vulnerabilities in FreeType
> 2.10.4+dfsg-1.
> 
> - CVE-2022-27404: heap buffer overflow via invalid integer decrement in
> sfnt_init_face() and woff2_open_font().
> - CVE-2022-27405: segmentation violation via ft_open_face_internal() when
> attempting to read the value of FT_LONG face_index.
> - CVE-2022-27406: segmentation violation via FT_Request_Size() when
> attempting to read the value of an unguarded face size handle.
> 
> It would be ideal to get these fixes into Bullseye.

This looks OK to me, but as freetype builds a udeb it will want a KiBi-ack; CCed and tagging accordingly.

Regards,

Adam
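The face-index arithmetic behind CVE-2022-27404 and CVE-2022-27405, as an added illustration by the editor; this is not FreeType's or the Debian package's code. It models the `FT_ABS( face_instance_index ) & 0xFFFF` step and the `-(N+1)` convention from the sfnt patch, the 31-bit mask from the ftobjs.c patch, and the guards each patch adds. Assumptions: `face_index` is a signed `long` (FreeType's `FT_Long`), the 31-bit literal is `0x7FFFFFFFL` (the posted hunk shows it truncated as `0x7FFFL` but its comment says 31 bits), and the `Mode`, `RESOLVE_*`, `resolve_face_index` and `resolve_or_code` names are invented here. The `PATCHED_SIGN_SAFE` mode is the editor's own variant of the mask, not upstream's, included because the mask-then-negate order in the posted hunk turns `-1` into a large negative value; the two-face collection and the request values are constructed input.

```c
#include <limits.h>
#include <stdio.h>

/* Added illustration, not FreeType or Debian code. It models the
 * face-index arithmetic the posted CVE-2022-27404 and CVE-2022-27405
 * hunks change. FT_Long, FT_ABS, the Mode values, resolve_face_index,
 * resolve_or_code and the RESOLVE_* codes are assumptions for this
 * example; the masks, the -(N+1) convention and the two guards follow
 * the hunks (with the 31-bit mask written out in full). */
typedef long FT_Long;
#define FT_ABS(a) ((a) < 0 ? -(a) : (a))

typedef enum {
    UNPATCHED,          /* 2.10.4 behaviour */
    PATCHED_AS_POSTED,  /* both hunks exactly as they appear in the patch */
    PATCHED_SIGN_SAFE   /* editor's variant of the 27405 mask (assumption) */
} Mode;

enum {
    RESOLVE_OK      = 0, /* *out holds the index the loader would use */
    RESOLVE_INVALID = 1, /* rejected by `face_index >= count` */
    RESOLVE_UB      = 2  /* unpatched FT_ABS(LONG_MIN): undefined, not evaluated */
};

/* Resolve a caller's face_index request against a collection of
 * num_faces faces. A negative request -(N+1) asks for face N. */
int resolve_face_index(FT_Long req, FT_Long num_faces, Mode mode, FT_Long *out)
{
    FT_Long face_index;

    /* ft_open_face_internal(): CVE-2022-27405 */
    if (mode == PATCHED_AS_POSTED) {
        if (req > 0)
            req &= 0x7FFFFFFFL;
        else {
            req &= 0x7FFFFFFFL;   /* -1 & 0x7FFFFFFF is 0x7FFFFFFF ... */
            req  = -req;          /* ... so -(N+1) no longer means face N */
        }
    } else if (mode == PATCHED_SIGN_SAFE) {
        /* magnitude in unsigned arithmetic (defined even for LONG_MIN),
         * mask it, restore the sign: -(N+1) survives for N < 2^31 */
        unsigned long mag = req < 0 ? 0UL - (unsigned long)req : (unsigned long)req;
        mag &= 0x7FFFFFFFUL;
        req = req < 0 ? -(FT_Long)mag : (FT_Long)mag;
    } else if (req == LONG_MIN) {
        return RESOLVE_UB;        /* -LONG_MIN overflows a signed long */
    }

    /* sfnt_init_face(): the low 16 bits select the face inside the TTC */
    face_index = FT_ABS(req) & 0xFFFF;

    /* value -(N+1) requests information on index N */
    if (mode == UNPATCHED) {
        if (req < 0)
            face_index--;         /* a masked 0 becomes -1 here */
    } else {
        if (req < 0 && face_index > 0)   /* CVE-2022-27404 guard */
            face_index--;
    }

    /* a signed -1 passes this check: the real loader would then read
     * the TTC offset table one entry before its start */
    if (face_index >= num_faces)
        return RESOLVE_INVALID;

    *out = face_index;
    return RESOLVE_OK;
}

/* Single-value wrapper for tables and tests: the resolved index, or
 * -100 - status when resolution did not succeed. */
FT_Long resolve_or_code(FT_Long req, FT_Long num_faces, Mode mode)
{
    FT_Long idx = 0;
    int st = resolve_face_index(req, num_faces, mode, &idx);
    return st == RESOLVE_OK ? idx : -100 - st;
}

int main(void)
{
    /* constructed input: requests against a two-face collection */
    static const FT_Long requests[] = { 0, 1, -1, -2, -3, -0x10000L, LONG_MIN };
    const FT_Long num_faces = 2;
    size_t i;

    printf("%-21s %10s %10s %10s   (-101 invalid, -102 UB)\n",
           "request", "unpatched", "as posted", "sign-safe");
    for (i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-21ld %10ld %10ld %10ld\n", requests[i],
               resolve_or_code(requests[i], num_faces, UNPATCHED),
               resolve_or_code(requests[i], num_faces, PATCHED_AS_POSTED),
               resolve_or_code(requests[i], num_faces, PATCHED_SIGN_SAFE));
    return 0;
}
```

The unpatched column shows the 27404 bug: a request of -0x10000 masks to 0, is decremented to -1, and -1 passes the `>= num_faces` check, so the loader would index before the table. The as-posted column shows the guard closing that hole but also shows -1 and -2 no longer resolving to faces 0 and 1, because masking an all-ones pattern before negating it does not preserve the magnitude; the sign-safe column keeps both properties.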



Bug#1010304: bullseye-pu: package freetype/2.10.4+dfsg-1+deb11u1

2022-04-28 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

This update fixes three security vulnerabilities in FreeType 2.10.4+dfsg-1.

- CVE-2022-27404: heap buffer overflow via invalid integer decrement in
sfnt_init_face() and woff2_open_font().
- CVE-2022-27405: segmentation violation via ft_open_face_internal() when
attempting to read the value of FT_LONG face_index.
- CVE-2022-27406: segmentation violation via FT_Request_Size() when attempting
to read the value of an unguarded face size handle.

It would be ideal to get these fixes into Bullseye.
diff -Nru freetype-2.10.4+dfsg/debian/changelog 
freetype-2.10.4+dfsg/debian/changelog
--- freetype-2.10.4+dfsg/debian/changelog   2020-12-05 19:20:58.0 
+1100
+++ freetype-2.10.4+dfsg/debian/changelog   2022-04-28 19:54:23.0 
+1000
@@ -1,3 +1,15 @@
+freetype (2.10.4+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Add upstream patches to fix multiple vulnerabilities. Closes: #1010183.
+- CVE-2022-27404: heap buffer overflow via invalid integer decrement in
+  sfnt_init_face() and woff2_open_font().
+- CVE-2022-27405: segmentation violation via ft_open_face_internal() when
+  attempting to read the value of FT_LONG face_index.
+- CVE-2022-27406: segmentation violation via FT_Request_Size() when
+  attempting to read the value of an unguarded face size handle.
+
+ -- Hugh McMaster   Thu, 28 Apr 2022 19:54:23 +1000
+
 freetype (2.10.4+dfsg-1) unstable; urgency=medium
 
   * New upstream version:
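Review bot: no hunk for debian/patches/series appears anywhere in this diff, although the changelog entry says three upstream patches were added; unless that hunk was cut from this copy, the new CVE-2022-27404.patch, CVE-2022-27405.patch and CVE-2022-27406.patch files will never be applied at build time. Add the three names to debian/patches/series (the two patches touching src/base/ftobjs.c change different regions, around lines 2407 and 3273, so their relative order does not matter) and confirm with a clean `quilt push -a` or a test build that the resulting binary actually carries the fixes.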
diff -Nru freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch 
freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch
--- freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch1970-01-01 
10:00:00.0 +1000
+++ freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch2022-04-28 
19:54:23.0 +1000
@@ -0,0 +1,30 @@
+Description: Check `face_index` before decrementing to prevent heap buffer
+ overflow (CVE-2022-27404).
+Author: Werner Lemberg
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/sfnt/sfobjs.c
 b/src/sfnt/sfobjs.c
+@@ -553,7 +553,7 @@
+ face_index = FT_ABS( face_instance_index ) & 0x;
+ 
+ /* value -(N+1) requests information on index N */
+-if ( face_instance_index < 0 )
++if ( face_instance_index < 0 && face_index > 0 )
+   face_index--;
+ 
+ if ( face_index >= face->ttc_header.count )
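Review bot: the context line `face_index = FT_ABS( face_instance_index ) & 0x;` has lost the digits of its mask as shown here, and the `+++ b/src/sfnt/sfobjs.c` file header appears without its leading markers, so this copy of the patch would neither apply nor compile; please confirm that the file in debian/patches/ matches upstream commit 53dfdcd8 byte for byte (a broken header fails `quilt push` loudly, but a damaged context line only shows up as fuzz or a reject). The added `face_index > 0` guard is the right fix: a negative face_instance_index whose masked value is 0 previously became -1 after the decrement, and the `face_index >= face->ttc_header.count` comparison does not reject -1 for a signed face_index, which is the out-of-bounds read the description calls a heap buffer overflow. Worth one sentence in the patch description: such a request now silently resolves to face 0 rather than returning an error.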
+--- a/src/sfnt/sfwoff2.c
 b/src/sfnt/sfwoff2.c
+@@ -2098,7 +2098,7 @@
+ /* Validate requested face index. */
+ *num_faces = woff2.num_fonts;
+ /* value -(N+1) requests information on index N */
+-if ( *face_instance_index < 0 )
++if ( *face_instance_index < 0 && face_index > 0 )
+   face_index--;
+ 
+ if ( face_index >= woff2.num_fonts )
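Review bot: same guard as in sfobjs.c, and the same damaged `+++ b/src/sfnt/sfwoff2.c` header line in this copy, so verify that the on-disk patch applies cleanly. The derivation of `face_index` lies outside the shown context of this hunk; confirm that woff2_open_font() masks it the same way (`& 0xFFFF` from the absolute value) so that the `face_index > 0` guard covers the masked-zero case here exactly as it does in sfnt_init_face(). Nothing else to change in this hunk.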
diff -Nru freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch 
freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch
--- freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch1970-01-01 
10:00:00.0 +1000
+++ freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch2022-04-28 
19:54:23.0 +1000
@@ -0,0 +1,26 @@
+Description: Properly guard `face_index` before attempting to read its value
+ (CVE-2022-27405).
+Author: Werner Lemberg
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/base/ftobjs.c
 b/src/base/ftobjs.c
+@@ -2407,6 +2407,15 @@
+ #endif
+ 
+ 
++/* only use lower 31 bits together with sign bit */
++if ( face_index > 0 )
++  face_index &= 0x7FFFL;
++else
++{
++  face_index &= 0x7FFFL;
++  face_index  = -face_index;
++}
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ FT_TRACE3(( "FT_Open_Face: " ));
+ if ( face_index < 0 )
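Review bot: the else branch masks before negating, which breaks the -(N+1) convention the CVE-2022-27404 hunks rely on: for `face_index == -1`, `face_index &= 0x7FFF...L` keeps the low bits of the all-ones pattern and yields 0x7FFF... rather than 1, and `face_index = -face_index;` then produces a large negative value instead of -1, so sfnt_init_face() will no longer decrement it to face 0 and every negative request changes meaning. The mask has to be applied to the magnitude, for example `face_index = -face_index;` before `face_index &= 0x7FFFFFFFL;` in the else branch (LONG_MIN then still needs its own handling) or the magnitude taken in unsigned arithmetic; check whether upstream carries a follow-up to commit 22a0cccb before shipping this form in a stable update. Separately, the literal appears here as `0x7FFFL` (15 bits) in both branches while the comment says 31 bits, so confirm the on-disk patch reads `0x7FFFFFFFL`, and the `+++ b/src/base/ftobjs.c` header line has lost its markers in this copy.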
diff -Nru freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch 
freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch
--- freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch1970-01-01 
10:00:00.0 +1000
+++ freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch2022-04-28 
19:54:23.0 +1000
@@ -0,0 +1,20 @@
+Description: Guard the `face->size` handle before attempting to read its value
+ (CVE-2022-27406).
+Author: Werner Lemberg
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/base/ftobjs.c
 b/src/base/ftobjs.c
+@@ -3273,6 +3273,9 @@
+ if ( !face )
+   return FT_THROW(
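Review bot: the hunk ends after `return FT_THROW(`, so the guard on `face->size` that the description promises is not visible in this copy and cannot be reviewed; please resend the complete patch or point at the file in the upload. From the context shown, the new check belongs directly after the existing `if ( !face )` rejection so that a face without a size object is refused the same way a NULL face is, rather than being dereferenced later in FT_Request_Size(). The `+++ b/src/base/ftobjs.c` header line is again missing its markers here, and since this patch and CVE-2022-27405.patch both modify src/base/ftobjs.c, make sure both apply in series order without fuzz.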