Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/devel
In directory se02.es.rpmfusion.net:/tmp/cvs-serv27697/devel
Modified Files:
.cvsignore freetype-freeworld.spec sources
Added Files:
freetype-2.4.9-CVE-2012-1139.patch
freetype-2.4.9-CVE-2012-1141.patch
freetype-2.4.9-incremental-interface.patch
freetype-2.4.9-loop-exit-condition.patch
Log Message:
* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.9-1
- Update to 2.4.9 (matches Fedora freetype, fixes various CVEs (rh#806270))
- Add additional security and bugfix patches from Fedora freetype-2.4.9-1
freetype-2.4.9-CVE-2012-1139.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.9-CVE-2012-1139.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -842,7 +842,7 @@
};
-#define isdigok( m, d ) (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+#define isdigok( m, d ) (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) &
7 ) ) )
/* Routine to convert an ASCII string into an unsigned long integer. */
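Review bot: The new `isdigok` casts only the table index; the bit position `(d) & 7` is still computed from the uncast value, and nothing records why the cast is there. Where `d` is a plain signed `char`, a font byte of 0x80 or above would previously have given a negative index and a read before the table. After the cast the index can reach 31, so every table passed as `m` needs 32 bytes; the tables are declared above the hunk, where only the closing `};` is visible. I would add `/* cast to unsigned char: bytes >= 0x80 must not index before the table */` above the macro and use the same cast in the mask, `( 1 << ( (unsigned char)(d) & 7 ) )`, so both halves visibly address the same bit.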
freetype-2.4.9-CVE-2012-1141.patch:
bdflib.c | 1 +
1 file changed, 1 insertion(+)
--- NEW FILE freetype-2.4.9-CVE-2012-1141.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -569,6 +569,7 @@
list->field[1] = (char*)empty;
list->field[2] = (char*)empty;
list->field[3] = (char*)empty;
+ list->field[4] = (char*)empty;
}
/* If the line is empty, then simply return. */
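Review bot: The added store to `list->field[4]` is in bounds only if the field array already has at least five slots whenever this branch runs. The guard around these assignments and the code that sizes the array are outside the hunk, so that cannot be confirmed from here. Please check that the growth routine never leaves a non-empty list with fewer than five entries. If that holds, record the invariant next to the assignments, e.g. `/* callers may read field[0..4] without checking the used count; capacity must stay >= 5 */`.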
freetype-2.4.9-incremental-interface.patch:
t1load.c | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
--- NEW FILE freetype-2.4.9-incremental-interface.patch ---
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -71,6 +71,13 @@
#include "t1errors.h"
+#ifdef FT_CONFIG_OPTION_INCREMENTAL
+#define IS_INCREMENTAL ( face->root.internal->incremental_interface != 0 )
+#else
+#define IS_INCREMENTAL 0
+#endif
+
+
/*************************************************************************/
/* */
/* The macro FT_COMPONENT is used in trace mode. It is an implicit */
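Review bot: `IS_INCREMENTAL` silently depends on a local named `face` being in scope at every use site, which breaks as soon as it is used in a helper that names the parameter differently or has no face at all. Passing the face explicitly makes the dependency visible: `#define IS_INCREMENTAL( face ) ( (face)->root.internal->incremental_interface != 0 )`, with `#define IS_INCREMENTAL( face ) 0` in the `#else` branch. A one-line comment above the macro saying that it evaluates to a constant 0 when `FT_CONFIG_OPTION_INCREMENTAL` is off would also help readers of the call sites.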
@@ -1030,7 +1037,8 @@
static int
read_binary_data( T1_Parser parser,
FT_Long* size,
- FT_Byte** base )
+ FT_Byte** base,
+ FT_Bool incremental )
{
FT_Byte* cur;
FT_Byte* limit = parser->root.limit;
@@ -1065,8 +1073,12 @@
}
}
- FT_ERROR(( "read_binary_data: invalid size field\n" ));
- parser->root.error = T1_Err_Invalid_File_Format;
+ if( !incremental )
+ {
+ FT_ERROR(( "read_binary_data: invalid size field\n" ));
+ parser->root.error = T1_Err_Invalid_File_Format;
+ }
+
return 0;
}
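Review bot: With `incremental` set, this failure path now returns 0 with neither an error code nor any trace output. The two callers that just `return;` (hunks at -1396 and -1582) therefore drop a malformed entry silently, while the two callers at -1871 and -1884 still return `T1_Err_Invalid_File_Format` regardless of the flag. If that asymmetry is intended, document it on `read_binary_data`, e.g. `/* incremental: an invalid size field is not recorded as an error; the caller decides */`, and consider keeping a trace-level message so malformed input stays visible in debug builds. `if( !incremental )` should also be `if ( !incremental )` to match the spacing used elsewhere in the file. The function body starts outside this hunk.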
@@ -1396,7 +1408,7 @@
idx = T1_ToInt( parser );
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* The binary string is followed by one token, e.g. `NP' */
@@ -1582,7 +1594,7 @@
cur++; /* skip `/' */
len = parser->root.cursor - cur;
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* for some non-standard fonts like `Optima' which provides */
@@ -1871,7 +1883,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -1884,7 +1896,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -2160,9 +2172,7 @@
type1->subrs_len = loader.subrs.lengths;
}
-#ifdef FT_CONFIG_OPTION_INCREMENTAL
- if ( !face->root.internal->incremental_interface )
-#endif
+ if ( !IS_INCREMENTAL )
if ( !loader.charstrings.init )
{
FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
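Review bot: The unbraced `if ( !IS_INCREMENTAL )` followed directly by a second `if` is a leftover of the old `#ifdef` layout and is easy to misread or break when a statement is later added between them. Now that the outer test is always compiled, fold the two into one condition: `if ( !IS_INCREMENTAL && !loader.charstrings.init )`. The body of the block continues past the end of the hunk.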
freetype-2.4.9-loop-exit-condition.patch:
t1load.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.4.9-loop-exit-condition.patch ---
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1399,9 +1399,10 @@
FT_Byte* base;
- /* If the next token isn't `dup' we are done. */
- if ( parser->root.cursor + 4 < parser->root.limit &&
- ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+ /* If we are out of data, or if the next token isn't `dup', */
+ /* we are done. */
+ if ( parser->root.cursor + 4 >= parser->root.limit ||
+ ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
break;
T1_Skip_PS_Token( parser ); /* `dup' */
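Review bot: `parser->root.cursor + 4 >= parser->root.limit` forms a pointer four bytes past the cursor before comparing it. If `limit` marks the end of the allocation, that is undefined once the cursor is within three bytes of it. Comparing the remaining length avoids the out-of-range pointer: `if ( parser->root.limit - parser->root.cursor <= 4 ||`. This assumes the cursor never exceeds the limit, which the hunk does not show. The enclosing loop starts and ends outside the hunk.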
Index: .cvsignore
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/.cvsignore,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- .cvsignore 17 Nov 2011 16:56:37 -0000 1.12
+++ .cvsignore 2 Apr 2012 00:27:37 -0000 1.13
@@ -1 +1 @@
-freetype-2.4.8.tar.bz2
+freetype-2.4.9.tar.bz2
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/freetype-freeworld.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- freetype-freeworld.spec 23 Nov 2011 15:59:05 -0000 1.23
+++ freetype-freeworld.spec 2 Apr 2012 00:27:37 -0000 1.24
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
-Version: 2.4.8
-Release: 2%{?dist}
+Version: 2.4.9
+Release: 1%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL:
http://www.freetype.org
@@ -12,6 +12,16 @@
# Enable otvalid and gxvalid modules
Patch46: freetype-2.2.1-enable-valid.patch
+# Security patches
+Patch89: freetype-2.4.9-CVE-2012-1139.patch
+Patch90: freetype-2.4.9-CVE-2012-1141.patch
+
+#
https://savannah.nongnu.org/bugs/?35833
+Patch91: freetype-2.4.9-loop-exit-condition.patch
+
+#
https://savannah.nongnu.org/bugs/?35847
+Patch92: freetype-2.4.9-incremental-interface.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
Provides: freetype-bytecode
@@ -39,6 +49,12 @@
%patch46 -p1 -b .enable-valid
+%patch89 -p1 -b .CVE-2012-1139
+%patch90 -p1 -b .CVE-2012-1141
+%patch91 -p1 -b .loop-exit-condition
+%patch92 -p1 -b .incremental-interface
+
+
%build
%configure --disable-static
@@ -82,6 +98,10 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.9-1
+- Update to 2.4.9 (matches Fedora freetype, fixes various CVEs (rh#806270))
+- Add additional security and bugfix patches from Fedora freetype-2.4.9-1
+
* Wed Nov 23 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.8-2
- Rebuild for #2031
Index: sources
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/sources,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- sources 17 Nov 2011 16:56:37 -0000 1.12
+++ sources 2 Apr 2012 00:27:37 -0000 1.13
@@ -1 +1 @@
-dbf2caca1d3afd410a29217a9809d397 freetype-2.4.8.tar.bz2
+77a893dae81fd5b896632715ca041179 freetype-2.4.9.tar.bz2