commit d87426afe752c847b6ea99ff13ee06157c0f5130
Author: Kevin Kofler <kevin.kofler(a)chello.at>
Date: Sat Feb 17 21:51:14 2018 +0100
Add freetype-2.7.1-getvariation.patch from Fedora freetype (CVE-2018-6942,
rh#1544776)
* Sat Feb 17 2018 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.7.1-8
- Add freetype-2.7.1-getvariation.patch from Fedora freetype: Avoid NULL pointer
dereference in the Ins_GETVARIATION() function (CVE-2018-6942, rh#1544776)
.gitignore | 1 +
freetype-2.7.1-getvariation.patch | 39 +++++++++++++++++++++++++++++++++++++++
freetype-freeworld.spec | 12 +++++++++++-
3 files changed, 51 insertions(+), 1 deletion(-)
---
diff --git a/.gitignore b/.gitignore
index 99558ca..3db64b5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ freetype-2.6.tar.bz2
/freetype-2.6.5.tar.bz2
/freetype-2.7.tar.bz2
/freetype-2.7.1.tar.bz2
+/freetype-2.8.tar.bz2
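Review bot: the new `/freetype-2.8.tar.bz2` ignore entry looks unrelated to this change. The spec in the same commit stays at `Version: 2.7.1`, and the commit message only mentions adding the getvariation patch. Drop the entry here, or move it to the commit that actually introduces the 2.8 tarball, so the security fix stays a minimal, auditable change.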
diff --git a/freetype-2.7.1-getvariation.patch b/freetype-2.7.1-getvariation.patch
new file mode 100644
index 0000000..550676e
--- /dev/null
+++ b/freetype-2.7.1-getvariation.patch
@@ -0,0 +1,39 @@
+From 29c759284e305ec428703c9a5831d0b1fc3497ef Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl(a)gnu.org>
+Date: Sat, 27 Jan 2018 14:43:43 +0100
+Subject: [PATCH] * src/truetype/ttinterp.c (Ins_GETVARIATION): Avoid NULL
+ reference.
+
+Reported as
+
+
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5736
+---
+ src/truetype/ttinterp.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
+index d855aaaa9..551f14a2e 100644
+--- a/src/truetype/ttinterp.c
++++ b/src/truetype/ttinterp.c
+@@ -7456,8 +7456,16 @@
+ return;
+ }
+
+- for ( i = 0; i < num_axes; i++ )
+- args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
++ if ( coords )
++ {
++ for ( i = 0; i < num_axes; i++ )
++ args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
++ }
++ else
++ {
++ for ( i = 0; i < num_axes; i++ )
++ args[i] = 0;
++ }
+ }
+
+
+--
+2.14.3
+
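Review bot: in the added `else` branch of `Ins_GETVARIATION`, `args[i] = 0` is written with no comment explaining why zero is the correct value to hand back when `coords` is NULL, while the non-NULL branch keeps its format-conversion comment. A one-line comment on the `else` branch would make the intent clear to the next reader. The two loops also differ only in the assigned value, so a single loop with `args[i] = coords ? coords[i] >> 2 : 0;` would be shorter. Since this file is carried verbatim from upstream, either point is better raised upstream than changed in the downstream copy.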
diff --git a/freetype-freeworld.spec b/freetype-freeworld.spec
index 345469c..4d085bd 100644
--- a/freetype-freeworld.spec
+++ b/freetype-freeworld.spec
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.7.1
-Release: 7%{?dist}
+Release: 8%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
URL:
http://www.freetype.org
Source:
http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.ta...
@@ -26,6 +26,10 @@ Patch94: freetype-2.7.1-protect-flex-handling.patch
#
https://bugzilla.redhat.com/show_bug.cgi?id=1446073
Patch95: freetype-2.7.1-safety-guard.patch
+# CVE-2018-6942 NULL pointer dereference in the Ins_GETVARIATION() function
+#
https://bugzilla.redhat.com/show_bug.cgi?id=1544776
+Patch98: freetype-2.7.1-getvariation.patch
+
Provides: freetype-bytecode
Provides: freetype-subpixel
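Review bot: `Patch98` follows `Patch95` directly, so numbers 96 and 97 are skipped with no explanation in the spec. If the number is chosen to match the Fedora freetype package the patch comes from, say so in the comment above it; otherwise use the next free number. The comment gives the CVE and the Bugzilla link, and adding the upstream commit id from the patch header (29c759284e305ec428703c9a5831d0b1fc3497ef) would let a later rebase confirm quickly whether the fix is already included in the new tarball.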
@@ -57,8 +61,10 @@ It transparently overrides the system library using ld.so.conf.d.
%patch4 -p1 -b .pcf-encoding
%patch5 -p1 -b .loop-counter
+# Security fixes:
%patch94 -p1 -b .protect-flex-handling
%patch95 -p1 -b .safety-guard
+%patch98 -p1 -b .getvariation
%build
%configure --disable-static \
@@ -102,6 +108,10 @@ echo "%{_libdir}/%{name}" \
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Sat Feb 17 2018 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.7.1-8
+- Add freetype-2.7.1-getvariation.patch from Fedora freetype: Avoid NULL pointer
+ dereference in the Ins_GETVARIATION() function (CVE-2018-6942, rh#1544776)
+
* Tue Jun 06 2017 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.7.1-7
- Add freetype-2.7.1-loop-counter.patch from Fedora freetype:
Adjust loop counter maximum for TrueType fonts (rh#1456585)