rpms/freetype-freeworld/devel freetype-2.4.9-CVE-2012-1139.patch, NONE, 1.1 freetype-2.4.9-CVE-2012-1141.patch, NONE, 1.1 freetype-2.4.9-incremental-interface.patch, NONE, 1.1 freetype-2.4.9-loop-exit-condition.patch, NONE, 1.1 .cvsignore, 1.12, 1.13 freetype-freeworld.spec, 1.23, 1.24 sources, 1.12, 1.13

Kevin Kofler kkofler at rpmfusion.org
Mon Apr 2 02:27:37 CEST 2012


Author: kkofler

Update of /cvs/free/rpms/freetype-freeworld/devel
In directory se02.es.rpmfusion.net:/tmp/cvs-serv27697/devel

Modified Files:
	.cvsignore freetype-freeworld.spec sources 
Added Files:
	freetype-2.4.9-CVE-2012-1139.patch 
	freetype-2.4.9-CVE-2012-1141.patch 
	freetype-2.4.9-incremental-interface.patch 
	freetype-2.4.9-loop-exit-condition.patch 
Log Message:
* Mon Apr 02 2012 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.4.9-1
- Update to 2.4.9 (matches Fedora freetype, fixes various CVEs (rh#806270))
- Add additional security and bugfix patches from Fedora freetype-2.4.9-1

freetype-2.4.9-CVE-2012-1139.patch:
 bdflib.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE freetype-2.4.9-CVE-2012-1139.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -842,7 +842,7 @@
   };
 
 
-#define isdigok( m, d )  (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+#define isdigok( m, d )  (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
 
 
   /* Routine to convert an ASCII string into an unsigned long integer. */
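Review bot: In the new `isdigok` the `(unsigned char)` cast limits the index `(d) >> 3` to 0..31, so the lookup is in bounds only if every map passed as `m` holds at least 32 bytes. The tables end above this hunk, so that size should be confirmed and stated next to the macro. The macro also still expands `d` twice and leaves `m` unparenthesized, so an argument with side effects would be evaluated twice. I would write it as `#define isdigok( m, d )  ( (m)[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )` and add `/* d is reduced to 0..255; each map must hold 32 bytes; d is evaluated twice */` above it.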

freetype-2.4.9-CVE-2012-1141.patch:
 bdflib.c |    1 +
 1 file changed, 1 insertion(+)

--- NEW FILE freetype-2.4.9-CVE-2012-1141.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -569,6 +569,7 @@
       list->field[1] = (char*)empty;
       list->field[2] = (char*)empty;
       list->field[3] = (char*)empty;
+      list->field[4] = (char*)empty;
     }
 
     /* If the line is empty, then simply return. */
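Review bot: The added store to `list->field[4]` is in bounds only if the list has at least five slots whenever this branch runs, and the condition guarding the block is above the hunk, so that cannot be checked from here. If the guard only tests for a non-zero size, it should be tightened or the allocation minimum documented beside it. Five hand-numbered assignments also invite the same omission again; a loop over a named count keeps the initialisation and the minimum in one place, e.g. `for ( i = 0; i < 5; i++ ) list->field[i] = (char*)empty;` with the 5 replaced by a constant shared with the allocator.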

freetype-2.4.9-incremental-interface.patch:
 t1load.c |   30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

--- NEW FILE freetype-2.4.9-incremental-interface.patch ---
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -71,6 +71,13 @@
 #include "t1errors.h"
 
 
+#ifdef FT_CONFIG_OPTION_INCREMENTAL
+#define IS_INCREMENTAL  ( face->root.internal->incremental_interface != 0 )
+#else
+#define IS_INCREMENTAL  0
+#endif
+
+
   /*************************************************************************/
   /*                                                                       */
   /* The macro FT_COMPONENT is used in trace mode.  It is an implicit      */
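Review bot: `IS_INCREMENTAL` silently depends on a local named `face` being in scope wherever it is expanded, which the macro name does not reveal. A use in a function whose face pointer has another name fails to compile only when FT_CONFIG_OPTION_INCREMENTAL is defined, so the breakage is configuration-dependent. Passing the face explicitly makes the dependency visible: `#define IS_INCREMENTAL( face )  ( (face)->root.internal->incremental_interface != 0 )`, with the `#else` branch as `#define IS_INCREMENTAL( face )  0`. At minimum, a comment above the definition should state that a local `face` is expected.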
@@ -1030,7 +1037,8 @@
   static int
   read_binary_data( T1_Parser  parser,
                     FT_Long*   size,
-                    FT_Byte**  base )
+                    FT_Byte**  base,
+                    FT_Bool    incremental )
   {
     FT_Byte*  cur;
     FT_Byte*  limit = parser->root.limit;
@@ -1065,8 +1073,12 @@
       }
     }
 
-    FT_ERROR(( "read_binary_data: invalid size field\n" ));
-    parser->root.error = T1_Err_Invalid_File_Format;
+    if( !incremental )
+    {
+      FT_ERROR(( "read_binary_data: invalid size field\n" ));
+      parser->root.error = T1_Err_Invalid_File_Format;
+    }
+
     return 0;
   }
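Review bot: With `incremental` set, `read_binary_data` now returns 0 for a bad size field without logging or setting `parser->root.error`, and the callers changed in this patch disagree on what that result means. The call sites in the hunks at -1396 and -1582 do a bare `return;`, so a malformed entry ends parsing with no error recorded, while the call sites in the hunks at -1871 and -1884 still return `T1_Err_Invalid_File_Format` in incremental mode. If skipping is intended only for data that the incremental interface supplies, that contract belongs in a comment on the new parameter, e.g. `/* incremental: a missing size field is not an error; the caller skips the entry */`, and the two error-returning callers should be checked against it. The function starts in the preceding hunk and part of its body lies outside both.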
 
@@ -1396,7 +1408,7 @@
 
       idx = T1_ToInt( parser );
 
-      if ( !read_binary_data( parser, &size, &base ) )
+      if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
         return;
 
       /* The binary string is followed by one token, e.g. `NP' */
@@ -1582,7 +1594,7 @@
         cur++;                              /* skip `/' */
         len = parser->root.cursor - cur;
 
-        if ( !read_binary_data( parser, &size, &base ) )
+        if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
           return;
 
         /* for some non-standard fonts like `Optima' which provides */
@@ -1871,7 +1883,7 @@
 
 
         parser->root.cursor = start_binary;
-        if ( !read_binary_data( parser, &s, &b ) )
+        if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
           return T1_Err_Invalid_File_Format;
         have_integer = 0;
       }
@@ -1884,7 +1896,7 @@
 
 
         parser->root.cursor = start_binary;
-        if ( !read_binary_data( parser, &s, &b ) )
+        if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
           return T1_Err_Invalid_File_Format;
         have_integer = 0;
       }
@@ -2160,9 +2172,7 @@
       type1->subrs_len   = loader.subrs.lengths;
     }
 
-#ifdef FT_CONFIG_OPTION_INCREMENTAL
-    if ( !face->root.internal->incremental_interface )
-#endif
+    if ( !IS_INCREMENTAL )
       if ( !loader.charstrings.init )
       {
         FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
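Review bot: With the `#ifdef` gone, the two nested unbraced `if`s here no longer need to be separate statements, and the dangling form is easy to misread if an `else` is added later. I would fold them into one condition: `if ( !IS_INCREMENTAL && !loader.charstrings.init )`. The guarded block continues past the end of the hunk.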

freetype-2.4.9-loop-exit-condition.patch:
 t1load.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- NEW FILE freetype-2.4.9-loop-exit-condition.patch ---
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1399,9 +1399,10 @@
       FT_Byte*  base;
 
 
-      /* If the next token isn't `dup' we are done. */
-      if ( parser->root.cursor + 4 < parser->root.limit            &&
-           ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+      /* If we are out of data, or if the next token isn't `dup', */
+      /* we are done.                                             */
+      if ( parser->root.cursor + 4 >= parser->root.limit          ||
+          ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
         break;
 
       T1_Skip_PS_Token( parser );       /* `dup' */
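Review bot: The bounds test `parser->root.cursor + 4 >= parser->root.limit` can form a pointer up to four bytes beyond `limit` when the cursor is near the end of the buffer. If `limit` marks the end of the buffer, that is outside what C permits for pointer arithmetic (at most one past the end of the object). Comparing the remaining length avoids the problem and reads more directly: `if ( parser->root.limit - parser->root.cursor <= 4 ||`. This assumes `cursor` never exceeds `limit`, which the hunk does not show. The comment should also say why four bytes rather than three are required after the cursor.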


Index: .cvsignore
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/.cvsignore,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- .cvsignore	17 Nov 2011 16:56:37 -0000	1.12
+++ .cvsignore	2 Apr 2012 00:27:37 -0000	1.13
@@ -1 +1 @@
-freetype-2.4.8.tar.bz2
+freetype-2.4.9.tar.bz2


Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/freetype-freeworld.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- freetype-freeworld.spec	23 Nov 2011 15:59:05 -0000	1.23
+++ freetype-freeworld.spec	2 Apr 2012 00:27:37 -0000	1.24
@@ -1,7 +1,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype-freeworld
-Version: 2.4.8
-Release: 2%{?dist}
+Version: 2.4.9
+Release: 1%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -12,6 +12,16 @@
 # Enable otvalid and gxvalid modules
 Patch46:  freetype-2.2.1-enable-valid.patch
 
+# Security patches
+Patch89:  freetype-2.4.9-CVE-2012-1139.patch
+Patch90:  freetype-2.4.9-CVE-2012-1141.patch
+
+# https://savannah.nongnu.org/bugs/?35833
+Patch91:  freetype-2.4.9-loop-exit-condition.patch
+
+# https://savannah.nongnu.org/bugs/?35847
+Patch92:  freetype-2.4.9-incremental-interface.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
 Provides: freetype-bytecode
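Review bot: Patch89 and Patch90 are listed under `# Security patches` with no pointer to their origin, while Patch91 and Patch92 each carry an upstream bug URL. A reference per CVE patch lets a later packager check whether the fix is already in a new upstream release before rebasing or dropping it. Add a line such as `# <upstream bug or commit URL for CVE-2012-1139>` above each entry.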
@@ -39,6 +49,12 @@
 
 %patch46  -p1 -b .enable-valid
 
+%patch89 -p1 -b .CVE-2012-1139
+%patch90 -p1 -b .CVE-2012-1141
+%patch91 -p1 -b .loop-exit-condition
+%patch92 -p1 -b .incremental-interface
+
+
 %build
 
 %configure --disable-static
@@ -82,6 +98,10 @@
 %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
 
 %changelog
+* Mon Apr 02 2012 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.4.9-1
+- Update to 2.4.9 (matches Fedora freetype, fixes various CVEs (rh#806270))
+- Add additional security and bugfix patches from Fedora freetype-2.4.9-1
+
 * Wed Nov 23 2011 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.4.8-2
 - Rebuild for #2031
 


Index: sources
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/sources,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- sources	17 Nov 2011 16:56:37 -0000	1.12
+++ sources	2 Apr 2012 00:27:37 -0000	1.13
@@ -1 +1 @@
-dbf2caca1d3afd410a29217a9809d397  freetype-2.4.8.tar.bz2
+77a893dae81fd5b896632715ca041179  freetype-2.4.9.tar.bz2


