[freetype-freeworld] Add fixes for CVE-2018-6942 and loading of named instances from Fedora
by Kevin Kofler
commit 54959c1ebf7bdb4c9b46bd14048af449c4a144f2
Author: Kevin Kofler <kevin.kofler(a)chello.at>
Date: Sat Feb 17 21:22:06 2018 +0100
Add fixes for CVE-2018-6942 and loading of named instances from Fedora
* Sat Feb 17 2018 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.8-5
- Add 0077-truetype-Fix-loading-of-named-instances.patch and
0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch from Fedora
freetype: Fix loading of named instances (TrueType)
- Add freetype-2.8-getvariation.patch from Fedora freetype: Avoid NULL pointer
dereference in the Ins_GETVARIATION() function (CVE-2018-6942, rh#1544776)
0077-truetype-Fix-loading-of-named-instances.patch | 67 ++++++++++++++++++++++
...uetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch | 45 +++++++++++++++
freetype-2.8-getvariation.patch | 39 +++++++++++++
freetype-freeworld.spec | 20 ++++++-
4 files changed, 169 insertions(+), 2 deletions(-)
---
diff --git a/0077-truetype-Fix-loading-of-named-instances.patch b/0077-truetype-Fix-loading-of-named-instances.patch
new file mode 100644
index 0000000..26fd0bc
--- /dev/null
+++ b/0077-truetype-Fix-loading-of-named-instances.patch
@@ -0,0 +1,67 @@
+From 55bbb98f5c5a89230127d6b998a6e23e634b5d0e Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad(a)behdad.org>
+Date: Tue, 1 Aug 2017 09:17:02 +0200
+Subject: [PATCH 077/132] [truetype] Fix loading of named instances.
+
+* src/truetype/ttgxvar.c (TT_Get_MM_Var): Preserve file position
+while loading the `avar' table.
+---
+ ChangeLog | 7 +++++++
+ include/freetype/ftmm.h | 2 +-
+ src/truetype/ttgxvar.c | 11 ++++++++++-
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/include/freetype/ftmm.h b/include/freetype/ftmm.h
+index c41b80ea6..1f48a4945 100644
+--- a/include/freetype/ftmm.h
++++ b/include/freetype/ftmm.h
+@@ -178,7 +178,7 @@ FT_BEGIN_HEADER
+ /* strid :: The entry in `name' table identifying this instance. */
+ /* */
+ /* psid :: The entry in `name' table identifying a PostScript name */
+- /* for this instance. */
++ /* for this instance. Value 0 indicates a missing entry. */
+ /* */
+ typedef struct FT_Var_Named_Style_
+ {
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 68458362e..df42b3bfd 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -2139,8 +2139,16 @@
+ goto Exit;
+
+ if ( fvar_head.instanceCount && !face->blend->avar_loaded )
++ {
++ FT_ULong offset = FT_STREAM_POS();
++
++
+ ft_var_load_avar( face );
+
++ if ( FT_STREAM_SEEK( offset ) )
++ goto Exit;
++ }
++
+ ns = mmvar->namedstyle;
+ nsc = face->blend->normalized_stylecoords;
+ for ( i = 0; i < fvar_head.instanceCount; i++, ns++ )
+@@ -2157,6 +2165,7 @@
+ for ( j = 0; j < fvar_head.axisCount; j++, c++ )
+ *c = FT_GET_LONG();
+
++ /* valid psid values are 6 and [256;32767] */
+ if ( usePsName )
+ ns->psid = FT_GET_USHORT();
+
+@@ -2174,7 +2183,7 @@
+ SFNT_Service sfnt = (SFNT_Service)face->sfnt;
+
+ FT_Int found, dummy1, dummy2;
+- FT_UInt strid = 0xFFFFFFFFUL;
++ FT_UInt strid = ~0U;
+
+
+ /* the default instance is missing in array the */
+--
+2.13.5
+
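Review bot: In the ttgxvar.c hunk, `if ( usePsName ) ns->psid = FT_GET_USHORT();` has no else branch, so for instance records without a PostScript name ID `psid` is never written here. The ftmm.h text added in the same patch ("Value 0 indicates a missing entry") is then true only if the named-style array happened to be zero-filled when allocated. Assign the sentinel explicitly in an else branch so the documented value does not depend on the allocator. This is also worth a note in the spec that 0077 is not meant to ship without 0079, which rewrites exactly these lines.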
diff --git a/0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch b/0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch
new file mode 100644
index 0000000..e492e58
--- /dev/null
+++ b/0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch
@@ -0,0 +1,45 @@
+From 7e50824288fac5a36c2938fdb3e1c949ea53f982 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl(a)gnu.org>
+Date: Tue, 1 Aug 2017 12:44:35 +0200
+Subject: [PATCH 079/132] * src/truetype/ttgxvar.c (TT_Get_MM_Var): Fix thinko.
+
+---
+ ChangeLog | 4 ++++
+ include/freetype/ftmm.h | 3 ++-
+ src/truetype/ttgxvar.c | 4 +++-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/include/freetype/ftmm.h b/include/freetype/ftmm.h
+index 1f48a4945..b1bc1ed82 100644
+--- a/include/freetype/ftmm.h
++++ b/include/freetype/ftmm.h
+@@ -178,7 +178,8 @@ FT_BEGIN_HEADER
+ /* strid :: The entry in `name' table identifying this instance. */
+ /* */
+ /* psid :: The entry in `name' table identifying a PostScript name */
+- /* for this instance. Value 0 indicates a missing entry. */
++ /* for this instance. Value 0xFFFF indicates a missing */
++ /* entry. */
+ /* */
+ typedef struct FT_Var_Named_Style_
+ {
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index df42b3bfd..5a87df139 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -2165,9 +2165,11 @@
+ for ( j = 0; j < fvar_head.axisCount; j++, c++ )
+ *c = FT_GET_LONG();
+
+- /* valid psid values are 6 and [256;32767] */
++ /* valid psid values are 6, [256;32767], and 0xFFFF */
+ if ( usePsName )
+ ns->psid = FT_GET_USHORT();
++ else
++ ns->psid = 0xFFFF;
+
+ ft_var_to_normalized( face,
+ fvar_head.axisCount,
+--
+2.13.5
+
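Review bot: The comment above `if ( usePsName )` now lists the valid psid values as 6, [256;32767] and 0xFFFF, but the value returned by `FT_GET_USHORT()` is stored without any check against that set, so a font file can still put an arbitrary 16-bit value into `ns->psid`. Either validate here and fall back to 0xFFFF, or state in the ftmm.h comment that callers must range-check the field before using it as a `name` table ID. The commit message also has an empty body: it should say that the missing-entry sentinel in the public header changes from 0 to 0xFFFF, since that is a visible API change relative to 0077.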
diff --git a/freetype-2.8-getvariation.patch b/freetype-2.8-getvariation.patch
new file mode 100644
index 0000000..7e0ecf9
--- /dev/null
+++ b/freetype-2.8-getvariation.patch
@@ -0,0 +1,39 @@
+From 29c759284e305ec428703c9a5831d0b1fc3497ef Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl(a)gnu.org>
+Date: Sat, 27 Jan 2018 14:43:43 +0100
+Subject: [PATCH] * src/truetype/ttinterp.c (Ins_GETVARIATION): Avoid NULL
+ reference.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5736
+---
+ src/truetype/ttinterp.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
+index d855aaaa9..551f14a2e 100644
+--- a/src/truetype/ttinterp.c
++++ b/src/truetype/ttinterp.c
+@@ -7470,8 +7470,16 @@
+ return;
+ }
+
+- for ( i = 0; i < num_axes; i++ )
+- args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
++ if ( coords )
++ {
++ for ( i = 0; i < num_axes; i++ )
++ args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
++ }
++ else
++ {
++ for ( i = 0; i < num_axes; i++ )
++ args[i] = 0;
++ }
+ }
+
+
+--
+2.14.3
+
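Review bot: The `if ( coords )` guard removes the dereference at the point of use, but nothing in the hunk records when `coords` can be NULL while `num_axes` is non-zero, so the next reader cannot tell whether zero is the correct default or only a safe one. Add a one-line comment on the else branch stating the condition (the linked oss-fuzz report should give it). The two loops can also be folded into one with `args[i] = coords ? coords[i] >> 2 : 0;`, which keeps the 16.16 to 2.14 conversion comment in a single place. The patch description cites the oss-fuzz issue only; adding CVE-2018-6942 and rh#1544776 to it would make the file traceable without the spec.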
diff --git a/freetype-freeworld.spec b/freetype-freeworld.spec
index d6986e6..2fb9ced 100644
--- a/freetype-freeworld.spec
+++ b/freetype-freeworld.spec
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.8
-Release: 4%{?dist}
+Release: 5%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
URL: http://www.freetype.org
Source: http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.ta...
@@ -19,8 +19,12 @@ Patch4: freetype-2.8-pcf-encoding.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1456585
Patch5: freetype-2.8-loop-counter.patch
+Patch6: 0077-truetype-Fix-loading-of-named-instances.patch
+Patch7: 0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch
+
## Security fixes:
-# None yet
+# CVE-2018-6942 NULL pointer dereference in the Ins_GETVARIATION() function
+Patch9: freetype-2.8-getvariation.patch
Provides: freetype-bytecode
Provides: freetype-subpixel
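Review bot: Patch6 and Patch7 are added without a reference comment, unlike Patch5 directly above, which carries its bugzilla URL. Add the upstream commit or Fedora bug for the named-instances fixes, and put the rh#1544776 URL next to the CVE line above Patch9 so the security fix can be audited from the spec alone. The numbering also jumps from Patch7 to Patch9; if Patch8 is intentionally reserved, say so in a comment.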
@@ -52,6 +56,11 @@ It transparently overrides the system library using ld.so.conf.d.
%patch4 -p1 -b .pcf-encoding
%patch5 -p1 -b .loop-counter
+%patch6 -p1 -b .named-instances
+%patch7 -p1 -b .named-instances2
+
+# Security fixes:
+%patch9 -p1 -b .getvariation
%build
%configure --disable-static \
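Review bot: `%patch7` only applies on top of `%patch6` (0079 edits the comment and sentinel that 0077 introduces), and nothing here says so; a short comment above the pair would stop someone from dropping or reordering one of them later. The heading `# Security fixes:` uses a single `#` while the matching heading in the Patch declarations uses `## Security fixes:`; pick one form.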
@@ -95,6 +104,13 @@ echo "%{_libdir}/%{name}" \
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Sat Feb 17 2018 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.8-5
+- Add 0077-truetype-Fix-loading-of-named-instances.patch and
+ 0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch from Fedora
+ freetype: Fix loading of named instances (TrueType)
+- Add freetype-2.8-getvariation.patch from Fedora freetype: Avoid NULL pointer
+ dereference in the Ins_GETVARIATION() function (CVE-2018-6942, rh#1544776)
+
* Thu Aug 31 2017 RPM Fusion Release Engineering <kwizart(a)rpmfusion.org> - 2.8-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
[mpv] Remove %ldconfig_scriptlets
by Miro Hrončok
commit f503b5b531e7004b3ae94387572a05bb69c092b9
Author: Miro Hrončok <miro(a)hroncok.cz>
Date: Sat Feb 17 21:12:15 2018 +0100
Remove %ldconfig_scriptlets
It does nothing on F28+ and the F27 and F26 branches are already diverged.
mpv.spec | 2 --
1 file changed, 2 deletions(-)
---
diff --git a/mpv.spec b/mpv.spec
index 3f6a5fd..fc79939 100644
--- a/mpv.spec
+++ b/mpv.spec
@@ -128,8 +128,6 @@ waf install --destdir=%{buildroot}
desktop-file-validate %{buildroot}%{_datadir}/applications/%{name}.desktop
install -Dpm 644 README.md etc/input.conf etc/mpv.conf -t %{buildroot}%{_docdir}/%{name}
-%ldconfig_scriptlets libs
-
%files
%docdir %{_docdir}/%{name}
%{_docdir}/%{name}
[VirtualBox-kmod/el7] (5 commits) ...Fixes for kernel 4.15
by Sérgio M. Basto
Summary of changes:
a5b4f12... Readd fixes for kernel 4.14 (*)
97ebf86... Add more fixes for kernel 4.14 (*)
537199a... Add fixes for kernel 4.15 (*)
3bb2315... Update VBox to 5.2.6 (*)
9e509ea... Fixes for kernel 4.15 (*)
(*) This commit already existed in another branch; no separate mail sent
[mpv/f26] Update to 0.27.2
by Leigh Scott
Summary of changes:
f338e83... Update to 0.27.2 (*)
(*) This commit already existed in another branch; no separate mail sent
[mpv/f27] Update to 0.27.2
by Leigh Scott
commit f338e8321ff2388d6c2cfc001e902024900a270d
Author: leigh123linux <leigh123linux(a)googlemail.com>
Date: Sat Feb 17 14:06:25 2018 +0000
Update to 0.27.2
mpv.spec | 5 ++++-
sources | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
---
diff --git a/mpv.spec b/mpv.spec
index 5174d5a..214ff61 100644
--- a/mpv.spec
+++ b/mpv.spec
@@ -1,5 +1,5 @@
Name: mpv
-Version: 0.27.1
+Version: 0.27.2
Release: 1%{?dist}
Summary: Movie player playing most video formats and DVDs
License: GPLv2+
@@ -149,6 +149,9 @@ install -Dpm 644 README.md etc/input.conf etc/mpv.conf -t %{buildroot}%{_docdir}
%{_libdir}/pkgconfig/mpv.pc
%changelog
+* Sat Feb 17 2018 Leigh Scott <leigh123linux(a)googlemail.com> - 0.27.2-1
+- Update to 0.27.2
+
* Sun Feb 11 2018 Leigh Scott <leigh123linux(a)googlemail.com> - 0.27.1-1
- Update to 0.27.1
diff --git a/sources b/sources
index 6dc42dd..7f7c513 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-d6f7cfde99e14a571950c5b66d17abaa mpv-0.27.1.tar.gz
+8cfb48e921e58c0d9d181d96d4809beb mpv-0.27.2.tar.gz
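Review bot: The new `sources` entry is still a bare 32-hex-digit digest followed by the file name, which is the old MD5 form of the lookaside file. MD5 is not collision resistant, so this line does not pin the tarball against a deliberately crafted substitute. Regenerate the entry in the `SHA512 (file) = digest` form when uploading the new tarball, and check the download against an upstream signature or checksum, if one is published, before recording it.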
[mpv] Update to 0.28.2
by Leigh Scott
commit 6ebe8e78bbbb40e6963f038f70ce7e7e7ab28c64
Author: leigh123linux <leigh123linux(a)googlemail.com>
Date: Sat Feb 17 14:04:32 2018 +0000
Update to 0.28.2
mpv.spec | 5 ++++-
sources | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
---
diff --git a/mpv.spec b/mpv.spec
index d572210..3f6a5fd 100644
--- a/mpv.spec
+++ b/mpv.spec
@@ -1,5 +1,5 @@
Name: mpv
-Version: 0.28.1
+Version: 0.28.2
Release: 1%{?dist}
Summary: Movie player playing most video formats and DVDs
License: GPLv2+ and LGPLv2+
@@ -151,6 +151,9 @@ install -Dpm 644 README.md etc/input.conf etc/mpv.conf -t %{buildroot}%{_docdir}
%{_libdir}/pkgconfig/mpv.pc
%changelog
+* Sat Feb 17 2018 Leigh Scott <leigh123linux(a)googlemail.com> - 0.28.2-1
+- Update to 0.28.2
+
* Sun Feb 11 2018 Leigh Scott <leigh123linux(a)googlemail.com> - 0.28.1-1
- Update to 0.28.1
diff --git a/sources b/sources
index de8ad23..77e8f6f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-6c233a8cbcdaa0f180651b8bf0f8f72f mpv-0.28.1.tar.gz
+b6538dec29a2a69574f4e3a3d688fb8b mpv-0.28.2.tar.gz
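Review bot: The replaced and the added line in `sources` are both MD5-format entries, so the 0.28.2 tarball on this branch is pinned only by a digest that offers no collision resistance. Since the line is being rewritten for the version bump anyway, switch it to the SHA512 entry format in the same commit.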
[openshot] Add some recommends to spec Merge epel7 work, but we still haven't python-qt5 in epel7
by Sérgio M. Basto
commit c02094c15ce406716f2b08ee8cb6b88145cf6c81
Author: Sérgio M. Basto <sergio(a)serjux.com>
Date: Sat Feb 17 08:30:24 2018 +0000
Add some recommends to spec
Merge epel7 work, but we still haven't python-qt5 in epel7
openshot.spec | 28 +++++++++++++++++++---------
1 file changed, 19 insertions(+), 9 deletions(-)
---
diff --git a/openshot.spec b/openshot.spec
index 44f6a02..fb960ce 100644
--- a/openshot.spec
+++ b/openshot.spec
@@ -3,7 +3,7 @@
Name: openshot
Version: 2.4.1
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Create and edit videos and movies
Group: Applications/Multimedia
@@ -17,24 +17,30 @@ Source100: openshot-find-lang.sh
BuildArch: noarch
-BuildRequires: python3-devel
-BuildRequires: python3-qt5-devel
-BuildRequires: python3-setuptools
+BuildRequires: python%{python3_pkgversion}-devel
+BuildRequires: python%{python3_pkgversion}-qt5-devel
+BuildRequires: python%{python3_pkgversion}-setuptools
BuildRequires: libopenshot >= 0.1.9
BuildRequires: libopenshot-audio >= 0.1.5
BuildRequires: desktop-file-utils
# To fix icon
BuildRequires: ImageMagick
-Requires: python3-qt5
-Requires: python3-qt5-webkit
-Requires: python3-httplib2
-Requires: python3-libopenshot >= 0.1.8
-Requires: python3-zmq
+Requires: python%{python3_pkgversion}-qt5
+Requires: python%{python3_pkgversion}-qt5-webkit
+Requires: python%{python3_pkgversion}-httplib2
+Requires: python%{python3_pkgversion}-libopenshot >= 0.1.9
+Requires: python%{python3_pkgversion}-zmq
Requires: ffmpeg-libs
+%if 0%{?fedora}
Recommends: openshot-lang
Recommends: font(bitstreamverasans)
+Recommends: blender
+Recommends: vid.stab
+%else
+Requires: openshot-lang
+%endif
%description
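Review bot: In the `%else` branch only `openshot-lang` is carried over as a hard `Requires`; `font(bitstreamverasans)`, which the Fedora branch recommends, is dropped without a replacement, so on non-Fedora builds nothing pulls the font in. If the application depends on that font, require it there as well or note why it is not needed. The same hunk raises the runtime dependency to `libopenshot >= 0.1.9` (previously `>= 0.1.8`), which the changelog entry does not mention; add a line for it since it changes what the package will install against.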
@@ -128,6 +134,10 @@ fi
%changelog
+* Sat Feb 17 2018 Sérgio Basto <sergio(a)serjux.com> - 2.4.1-3
+- Add some recommends to spec
+- Merge epel7 work, but we still haven't python-qt5 in epel7
+
* Thu Jan 18 2018 Leigh Scott <leigh123linux(a)googlemail.com> - 2.4.1-2
- Rebuilt for ffmpeg-3.5 git