commit 54959c1ebf7bdb4c9b46bd14048af449c4a144f2
Author: Kevin Kofler <kevin.kofler(a)chello.at>
Date: Sat Feb 17 21:22:06 2018 +0100
Add fixes for CVE-2018-6942 and loading of named instances from Fedora
* Sat Feb 17 2018 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.8-5
- Add 0077-truetype-Fix-loading-of-named-instances.patch and
0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch from Fedora
freetype: Fix loading of named instances (TrueType)
- Add freetype-2.8-getvariation.patch from Fedora freetype: Avoid NULL pointer
dereference in the Ins_GETVARIATION() function (CVE-2018-6942, rh#1544776)
0077-truetype-Fix-loading-of-named-instances.patch | 67 ++++++++++++++++++++++
...uetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch | 45 +++++++++++++++
freetype-2.8-getvariation.patch | 39 +++++++++++++
freetype-freeworld.spec | 20 ++++++-
4 files changed, 169 insertions(+), 2 deletions(-)
---
diff --git a/0077-truetype-Fix-loading-of-named-instances.patch
b/0077-truetype-Fix-loading-of-named-instances.patch
new file mode 100644
index 0000000..26fd0bc
--- /dev/null
+++ b/0077-truetype-Fix-loading-of-named-instances.patch
@@ -0,0 +1,67 @@
+From 55bbb98f5c5a89230127d6b998a6e23e634b5d0e Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad(a)behdad.org>
+Date: Tue, 1 Aug 2017 09:17:02 +0200
+Subject: [PATCH 077/132] [truetype] Fix loading of named instances.
+
+* src/truetype/ttgxvar.c (TT_Get_MM_Var): Preserve file position
+while loading the `avar' table.
+---
+ ChangeLog | 7 +++++++
+ include/freetype/ftmm.h | 2 +-
+ src/truetype/ttgxvar.c | 11 ++++++++++-
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/include/freetype/ftmm.h b/include/freetype/ftmm.h
+index c41b80ea6..1f48a4945 100644
+--- a/include/freetype/ftmm.h
++++ b/include/freetype/ftmm.h
+@@ -178,7 +178,7 @@ FT_BEGIN_HEADER
+ /* strid :: The entry in `name' table identifying this instance. */
+ /* */
+ /* psid :: The entry in `name' table identifying a PostScript name */
+- /* for this instance. */
++ /* for this instance. Value 0 indicates a missing entry. */
+ /* */
+ typedef struct FT_Var_Named_Style_
+ {
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 68458362e..df42b3bfd 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -2139,8 +2139,16 @@
+ goto Exit;
+
+ if ( fvar_head.instanceCount && !face->blend->avar_loaded )
++ {
++ FT_ULong offset = FT_STREAM_POS();
++
++
+ ft_var_load_avar( face );
+
++ if ( FT_STREAM_SEEK( offset ) )
++ goto Exit;
++ }
++
+ ns = mmvar->namedstyle;
+ nsc = face->blend->normalized_stylecoords;
+ for ( i = 0; i < fvar_head.instanceCount; i++, ns++ )
+@@ -2157,6 +2165,7 @@
+ for ( j = 0; j < fvar_head.axisCount; j++, c++ )
+ *c = FT_GET_LONG();
+
++ /* valid psid values are 6 and [256;32767] */
+ if ( usePsName )
+ ns->psid = FT_GET_USHORT();
+
+@@ -2174,7 +2183,7 @@
+ SFNT_Service sfnt = (SFNT_Service)face->sfnt;
+
+ FT_Int found, dummy1, dummy2;
+- FT_UInt strid = 0xFFFFFFFFUL;
++ FT_UInt strid = ~0U;
+
+
+ /* the default instance is missing in array the */
+--
+2.13.5
+
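Review bot: The embedded diffstat at the top of this patch lists `ChangeLog | 7 +++++++` and `3 files changed`, but the file carries only the ftmm.h and ttgxvar.c hunks, so the stat no longer describes the patch that is actually applied; `%patch`/`patch -p1` ignore the stat, so application is unaffected, but anyone comparing it against upstream commit 55bbb98f will see a discrepancy. The same stripped-ChangeLog mismatch is present in 0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch. Either regenerate the stat for the trimmed patch or add a one-line note in the commit-message body above the `---` separator, such as `(ChangeLog hunk dropped for packaging)`. The ttgxvar.c hunk modifies TT_Get_MM_Var, whose body begins and ends outside the quoted context.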
diff --git a/0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch
b/0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch
new file mode 100644
index 0000000..e492e58
--- /dev/null
+++ b/0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch
@@ -0,0 +1,45 @@
+From 7e50824288fac5a36c2938fdb3e1c949ea53f982 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl(a)gnu.org>
+Date: Tue, 1 Aug 2017 12:44:35 +0200
+Subject: [PATCH 079/132] * src/truetype/ttgxvar.c (TT_Get_MM_Var): Fix thinko.
+
+---
+ ChangeLog | 4 ++++
+ include/freetype/ftmm.h | 3 ++-
+ src/truetype/ttgxvar.c | 4 +++-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/include/freetype/ftmm.h b/include/freetype/ftmm.h
+index 1f48a4945..b1bc1ed82 100644
+--- a/include/freetype/ftmm.h
++++ b/include/freetype/ftmm.h
+@@ -178,7 +178,8 @@ FT_BEGIN_HEADER
+ /* strid :: The entry in `name' table identifying this instance. */
+ /* */
+ /* psid :: The entry in `name' table identifying a PostScript name */
+- /* for this instance. Value 0 indicates a missing entry. */
++ /* for this instance. Value 0xFFFF indicates a missing */
++ /* entry. */
+ /* */
+ typedef struct FT_Var_Named_Style_
+ {
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index df42b3bfd..5a87df139 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -2165,9 +2165,11 @@
+ for ( j = 0; j < fvar_head.axisCount; j++, c++ )
+ *c = FT_GET_LONG();
+
+- /* valid psid values are 6 and [256;32767] */
++ /* valid psid values are 6, [256;32767], and 0xFFFF */
+ if ( usePsName )
+ ns->psid = FT_GET_USHORT();
++ else
++ ns->psid = 0xFFFF;
+
+ ft_var_to_normalized( face,
+ fvar_head.axisCount,
+--
+2.13.5
+
diff --git a/freetype-2.8-getvariation.patch b/freetype-2.8-getvariation.patch
new file mode 100644
index 0000000..7e0ecf9
--- /dev/null
+++ b/freetype-2.8-getvariation.patch
@@ -0,0 +1,39 @@
+From 29c759284e305ec428703c9a5831d0b1fc3497ef Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl(a)gnu.org>
+Date: Sat, 27 Jan 2018 14:43:43 +0100
+Subject: [PATCH] * src/truetype/ttinterp.c (Ins_GETVARIATION): Avoid NULL
+ reference.
+
+Reported as
+
+
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5736
+---
+ src/truetype/ttinterp.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
+index d855aaaa9..551f14a2e 100644
+--- a/src/truetype/ttinterp.c
++++ b/src/truetype/ttinterp.c
+@@ -7470,8 +7470,16 @@
+ return;
+ }
+
+- for ( i = 0; i < num_axes; i++ )
+- args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
++ if ( coords )
++ {
++ for ( i = 0; i < num_axes; i++ )
++ args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
++ }
++ else
++ {
++ for ( i = 0; i < num_axes; i++ )
++ args[i] = 0;
++ }
+ }
+
+
+--
+2.14.3
+
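Review bot: The new `else` branch zero-fills `args[0..num_axes)` when `coords` is NULL without saying why zero is the right answer, so a reader of ttinterp.c has to infer that a NULL coordinate array means no variation has been selected; a comment such as `/* no variation coordinates set: report the default instance (all axes 0) */` would make the intent explicit, hedged because the assignment of `coords` lies outside the hunk. The guard covers only this one use of `coords`; if other interpreter opcodes read the same pointer they need the same check, which this patch does not address, so that is worth confirming against the 2.8 ttinterp.c before relying on the CVE fix as complete. Ins_GETVARIATION starts before the hunk, and the `return;` at its top belongs to an earlier guard whose condition is not visible here.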
diff --git a/freetype-freeworld.spec b/freetype-freeworld.spec
index d6986e6..2fb9ced 100644
--- a/freetype-freeworld.spec
+++ b/freetype-freeworld.spec
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.8
-Release: 4%{?dist}
+Release: 5%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
URL:
http://www.freetype.org
Source:
http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.ta...
@@ -19,8 +19,12 @@ Patch4: freetype-2.8-pcf-encoding.patch
#
https://bugzilla.redhat.com/show_bug.cgi?id=1456585
Patch5: freetype-2.8-loop-counter.patch
+Patch6: 0077-truetype-Fix-loading-of-named-instances.patch
+Patch7: 0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch
+
## Security fixes:
-# None yet
+# CVE-2018-6942 NULL pointer dereference in the Ins_GETVARIATION() function
+Patch9: freetype-2.8-getvariation.patch
Provides: freetype-bytecode
Provides: freetype-subpixel
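Review bot: The new security-fix entry at `# CVE-2018-6942 NULL pointer dereference in the Ins_GETVARIATION() function` does not carry the tracking-bug URL the way the Patch5 block above it does (`# https://bugzilla.redhat.com/show_bug.cgi?id=1456585`), even though the changelog in this commit cites rh#1544776; adding `# https://bugzilla.redhat.com/show_bug.cgi?id=1544776` under the CVE line keeps the two blocks consistent and gives reviewers a direct pointer to the advisory context. Patch8 is skipped between Patch7 and Patch9; if that is deliberate to keep numbering aligned with the Fedora spec, a short comment saying so would stop the gap from being "fixed" by a later edit.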
@@ -52,6 +56,11 @@ It transparently overrides the system library using ld.so.conf.d.
%patch4 -p1 -b .pcf-encoding
%patch5 -p1 -b .loop-counter
+%patch6 -p1 -b .named-instances
+%patch7 -p1 -b .named-instances2
+
+# Security fixes:
+%patch9 -p1 -b .getvariation
%build
%configure --disable-static \
@@ -95,6 +104,13 @@ echo "%{_libdir}/%{name}" \
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Sat Feb 17 2018 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.8-5
+- Add 0077-truetype-Fix-loading-of-named-instances.patch and
+ 0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch from Fedora
+ freetype: Fix loading of named instances (TrueType)
+- Add freetype-2.8-getvariation.patch from Fedora freetype: Avoid NULL pointer
+ dereference in the Ins_GETVARIATION() function (CVE-2018-6942, rh#1544776)
+
* Thu Aug 31 2017 RPM Fusion Release Engineering <kwizart(a)rpmfusion.org> - 2.8-4
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild