commit 8fc15bde1cf1d21c301ed83068c772ebb632ba80 Author: Kevin Kofler <kevin.kofler(a)chello.at&gt; Date: Fri May 5 01:06:19 2017 +0200 Add CVE-2017-8105 and CVE-2017-8287 fixes from Fedora freetype * Thu May 04 2017 Kevin Kofler <Kevin(a)tigcc.ticalc.org&gt; 2.6.5-5 - Add freetype-2.6.5-protect-flex-handling.patch from Fedora freetype: Better protect `flex' handling (CVE-2017-8105, rh#1446501) - Add freetype-2.6.5-safety-guard.patch from Fedora freetype: Add safety guard (CVE-2017-8287, rh#1446074) freetype-2.6.5-protect-flex-handling.patch | 47 ++++++++++++++++++++++++++++++ freetype-2.6.5-safety-guard.patch | 36 +++++++++++++++++++++++ freetype-freeworld.spec | 16 +++++++++- 3 files changed, 98 insertions(+), 1 deletion(-) --- diff --git a/freetype-2.6.5-protect-flex-handling.patch b/freetype-2.6.5-protect-flex-handling.patch new file mode 100644 index 0000000..01ff261 --- /dev/null +++ b/freetype-2.6.5-protect-flex-handling.patch @@ -0,0 +1,47 @@ +From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <wl(a)gnu.org&gt; +Date: Fri, 24 Mar 2017 09:15:10 +0100 +Subject: [PATCH] [psaux] Better protect `flex' handling. + +Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 + +* src/psaux/t1decode.c (t1_decoder_parse_charstrings) +<callothersubr>: Since there is not a single flex operator but a +series of subroutine calls, malformed fonts can call arbitrary other +operators after the start of a flex, possibly adding points. For +this reason we have to check the available number of points before +inserting a point. +--- + ChangeLog | 15 +++++++++++++++ + src/psaux/t1decode.c | 9 +++++++++ + 2 files changed, 24 insertions(+) + +diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c +index af7b465e..7dd45135 100644 +--- a/src/psaux/t1decode.c ++++ b/src/psaux/t1decode.c +@@ -780,10 +780,19 @@ + /* point without adding any point to the outline */ + idx = decoder->num_flex_vectors++; + if ( idx > 0 && idx < 7 ) ++ { ++ /* in malformed fonts it is possible to have other */ ++ /* opcodes in the middle of a flex (which don't */ ++ /* increase `num_flex_vectors'); we thus have to */ ++ /* check whether we can add a point */ ++ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) ) ++ goto Syntax_Error; ++ + t1_builder_add_point( builder, + x, + y, + (FT_Byte)( idx == 3 || idx == 6 ) ); ++ } + } + break; + +-- +2.12.2 + diff --git a/freetype-2.6.5-safety-guard.patch b/freetype-2.6.5-safety-guard.patch new file mode 100644 index 0000000..65ee149 --- /dev/null +++ b/freetype-2.6.5-safety-guard.patch @@ -0,0 +1,36 @@ +From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <wl(a)gnu.org&gt; +Date: Sun, 26 Mar 2017 08:32:09 +0200 +Subject: [PATCH] * src/psaux/psobjs.c (t1_builder_close_contour): Add safety + guard. + +Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941 +--- + ChangeLog | 8 ++++++++ + src/psaux/psobjs.c | 8 ++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c +index d18e821a..0baf8368 100644 +--- a/src/psaux/psobjs.c ++++ b/src/psaux/psobjs.c +@@ -1718,6 +1718,14 @@ + first = outline->n_contours <= 1 + ? 0 : outline->contours[outline->n_contours - 2] + 1; + ++ /* in malformed fonts it can happen that a contour was started */ ++ /* but no points were added */ ++ if ( outline->n_contours && first == outline->n_points ) ++ { ++ outline->n_contours--; ++ return; ++ } ++ + /* We must not include the last point in the path if it */ + /* is located on the first point. */ + if ( outline->n_points > 1 ) +-- +2.12.2 + diff --git a/freetype-freeworld.spec b/freetype-freeworld.spec index ca26165..30d29d3 100644 --- a/freetype-freeworld.spec +++ b/freetype-freeworld.spec @@ -1,7 +1,7 @@ Summary: A free and portable font rendering engine Name: freetype-freeworld Version: 2.6.5 -Release: 4%{?dist} +Release: 5%{?dist} License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement URL: http://www.freetype.org Source: http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.ta... @@ -15,6 +15,12 @@ Patch46: freetype-2.2.1-enable-valid.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1429965 Patch94: freetype-2.6.5-heap-buffer-overflow.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1446500 +Patch95: freetype-2.6.5-protect-flex-handling.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1446073 +Patch96: freetype-2.6.5-safety-guard.patch + Provides: freetype-bytecode Provides: freetype-subpixel @@ -44,6 +50,8 @@ It transparently overrides the system library using ld.so.conf.d. %patch46 -p1 -b .enable-valid %patch94 -p1 -b .heap-buffer-overflow +%patch95 -p1 -b .protect-flex-handling +%patch96 -p1 -b .safety-guard %build @@ -88,6 +96,12 @@ echo "%{_libdir}/%{name}" \ %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf %changelog +* Thu May 04 2017 Kevin Kofler <Kevin(a)tigcc.ticalc.org&gt; 2.6.5-5 +- Add freetype-2.6.5-protect-flex-handling.patch from Fedora freetype: + Better protect `flex' handling (CVE-2017-8105, rh#1446501) +- Add freetype-2.6.5-safety-guard.patch from Fedora freetype: + Add safety guard (CVE-2017-8287, rh#1446074) + * Mon Apr 10 2017 Kevin Kofler <Kevin(a)tigcc.ticalc.org&gt; 2.6.5-4 - Drop freetype-2.6.5-linear-scaling.patch again as per rh#1437999 discussion