rpms/freetype-freeworld/devel freetype-2.5.3-CVE-2014-9656.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9657.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9658.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9660.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9661a.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9661b.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9662.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9663.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9664a.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9664b.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9665.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9666.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9667.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9668.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9669.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9670.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9671.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9672.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9673.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9674a.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9674b.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9675.patch, NONE, 1.1 freetype-2.5.3-unsigned-long.patch, NONE, 1.1 freetype-freeworld.spec, 1.37, 1.38

Kevin Kofler kkofler at rpmfusion.org
Wed Feb 18 02:32:07 CET 2015


Author: kkofler

Update of /cvs/free/rpms/freetype-freeworld/devel
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv32326/devel

Modified Files:
	freetype-freeworld.spec 
Added Files:
	freetype-2.5.3-CVE-2014-9656.patch 
	freetype-2.5.3-CVE-2014-9657.patch 
	freetype-2.5.3-CVE-2014-9658.patch 
	freetype-2.5.3-CVE-2014-9660.patch 
	freetype-2.5.3-CVE-2014-9661a.patch 
	freetype-2.5.3-CVE-2014-9661b.patch 
	freetype-2.5.3-CVE-2014-9662.patch 
	freetype-2.5.3-CVE-2014-9663.patch 
	freetype-2.5.3-CVE-2014-9664a.patch 
	freetype-2.5.3-CVE-2014-9664b.patch 
	freetype-2.5.3-CVE-2014-9665.patch 
	freetype-2.5.3-CVE-2014-9666.patch 
	freetype-2.5.3-CVE-2014-9667.patch 
	freetype-2.5.3-CVE-2014-9668.patch 
	freetype-2.5.3-CVE-2014-9669.patch 
	freetype-2.5.3-CVE-2014-9670.patch 
	freetype-2.5.3-CVE-2014-9671.patch 
	freetype-2.5.3-CVE-2014-9672.patch 
	freetype-2.5.3-CVE-2014-9673.patch 
	freetype-2.5.3-CVE-2014-9674a.patch 
	freetype-2.5.3-CVE-2014-9674b.patch 
	freetype-2.5.3-CVE-2014-9675.patch 
	freetype-2.5.3-unsigned-long.patch 
Log Message:
* Wed Feb 18 2015 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.5.3-4
- Add freetype-2.5.3-CVE-2014-9656.patch from Fedora freetype (rh#1191099)
    (Check `p' before `num_glyphs'.)
- Add freetype-2.5.3-CVE-2014-9657.patch from Fedora freetype (rh#1191099)
    (Check minimum size of `record_size'.)
- Add freetype-2.5.3-CVE-2014-9658.patch from Fedora freetype (rh#1191099)
    (Use correct value for minimum table length test.)
- Add freetype-2.5.3-CVE-2014-9675.patch from Fedora freetype (rh#1191193)
    (New macro that checks one character more than `strncmp'.)
- Add freetype-2.5.3-CVE-2014-9660.patch from Fedora freetype (rh#1191099)
    (Check `_BDF_GLYPH_BITS'.)
- Add freetype-2.5.3-CVE-2014-9661a.patch from Fedora freetype (rh#1191099)
    (Initialize `face->ttf_size'. Always set `face->ttf_size' directly.)
- Add freetype-2.5.3-CVE-2014-9661b.patch from Fedora freetype (rh#1191099)
    (Exclusively use the `truetype' font driver for loading the font contained
     in the `sfnts' array.)
- Add freetype-2.5.3-CVE-2014-9662.patch from Fedora freetype (rh#1191099)
    (Handle return values of point allocation routines.)
- Add freetype-2.5.3-CVE-2014-9663.patch from Fedora freetype (rh#1191099)
    (Fix order of validity tests.)
- Add freetype-2.5.3-CVE-2014-9664a.patch from Fedora freetype (rh#1191099)
    (Add another boundary testing.)
- Add freetype-2.5.3-CVE-2014-9664b.patch from Fedora freetype (rh#1191099)
    (Fix boundary testing.)
- Add freetype-2.5.3-CVE-2014-9665.patch from Fedora freetype (rh#1191099)
    (Protect against too large bitmaps.)
- Add freetype-2.5.3-CVE-2014-9666.patch from Fedora freetype (rh#1191099)
    (Protect against addition and multiplication overflow.)
- Add freetype-2.5.3-CVE-2014-9667.patch from Fedora freetype (rh#1191099)
    (Protect against addition overflow.)
- Add freetype-2.5.3-CVE-2014-9668.patch from Fedora freetype (rh#1191099)
    (Protect against addition overflow.)
- Add freetype-2.5.3-CVE-2014-9669.patch from Fedora freetype (rh#1191099)
    (Protect against overflow in additions and multiplications.)
- Add freetype-2.5.3-CVE-2014-9670.patch from Fedora freetype (rh#1191099)
    (Add sanity checks for row and column values.)
- Add freetype-2.5.3-CVE-2014-9671.patch from Fedora freetype (rh#1191099)
    (Check `size' and `offset' values.)
- Add freetype-2.5.3-CVE-2014-9672.patch from Fedora freetype (rh#1191095)
    (Prevent a buffer overrun caused by a font including too many (> 63) strings
     to store names[] table.)
- Add freetype-2.5.3-CVE-2014-9673.patch from Fedora freetype (rh#1191096)
    (Fix integer overflow by a broken POST table in resource-fork.)
- Add freetype-2.5.3-CVE-2014-9674a.patch from Fedora freetype (rh#1191191)
    (Fix integer overflow by a broken POST table in resource-fork.)
- Add freetype-2.5.3-unsigned-long.patch from Fedora freetype (rh#1191191)
    (Use unsigned long variables to read the lengths in POST fragments.)
- Add freetype-2.5.3-CVE-2014-9674b.patch from Fedora freetype (rh#1191191)
    (Additional overflow check in the summation of POST fragment lengths.)

freetype-2.5.3-CVE-2014-9656.patch:
 ttsbit.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9656.patch ---
>From f0292bb9920aa1dbfed5f53861e7c7a89b35833a Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Mon, 24 Nov 2014 09:51:21 +0000
Subject: [sfnt] Fix Savannah bug #43680.

This adds an additional constraint to make the fix from 2013-01-25
really work.

* src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>:
Check `p' before `num_glyphs'.
---
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index b37bd7d..c2db96c 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -1147,7 +1147,8 @@
         num_glyphs = FT_NEXT_ULONG( p );
 
         /* overflow check for p + ( num_glyphs + 1 ) * 4 */
-        if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
+        if ( p + 4 > p_limit                                         ||
+             num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
           goto NoBitmap;
 
         for ( mm = 0; mm < num_glyphs; mm++ )
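Review bot: the new `p + 4 > p_limit` clause deserves a comment saying why it is needed: when fewer than four bytes remain, `( p_limit - p ) >> 2` is 0, the `- 1` yields a negative value, and the `(FT_ULong)` cast turns that into a huge limit, so the existing `num_glyphs` comparison alone would accept any count. The clause is ordered correctly (it short-circuits before the subtraction is evaluated), but the surviving comment `/* overflow check for p + ( num_glyphs + 1 ) * 4 */` does not explain the second guard.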
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9657.patch:
 ttpload.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9657.patch ---
>From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Mon, 24 Nov 2014 09:22:08 +0000
Subject: [truetype] Fix Savannah bug #43679.

* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
`record_size'.
---
diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
index 9723a51..9991925 100644
--- a/src/truetype/ttpload.c
+++ b/src/truetype/ttpload.c
@@ -508,9 +508,9 @@
     record_size = FT_NEXT_ULONG( p );
 
     /* The maximum number of bytes in an hdmx device record is the */
-    /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is   */
-    /* the reason why `record_size' is a long (which we read as    */
-    /* unsigned long for convenience).  In practice, two bytes     */
+    /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus      */
+    /* explaining why `record_size' is a long (which we read as    */
+    /* unsigned long for convenience).  In practice, two bytes are */
     /* sufficient to hold the size value.                          */
     /*                                                             */
     /* There are at least two fonts, HANNOM-A and HANNOM-B version */
@@ -522,8 +522,10 @@
       record_size &= 0xFFFFU;
 
     /* The limit for `num_records' is a heuristic value. */
-
-    if ( version != 0 || num_records > 255 || record_size > 0x10001L )
+    if ( version != 0           ||
+         num_records > 255      ||
+         record_size > 0x10001L ||
+         record_size < 4        )
     {
       error = FT_THROW( Invalid_File_Format );
       goto Fail;
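Review bot: the new `record_size < 4` lower bound has no comment saying where the 4 comes from, while the neighbouring `0x10001L` upper bound is documented at length in the comment above; a one-line note on the minimum device record layout this guarantees would keep the two bounds symmetrical. The placement after the `record_size &= 0xFFFFU;` workaround at the top of the hunk is right, since masking can only make the value smaller and the lower bound must see the final value.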
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9658.patch:
 ttkern.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9658.patch ---
>From f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Mon, 24 Nov 2014 08:31:32 +0000
Subject: [sfnt] Fix Savannah bug #43672.

* src/sfnt/ttkern.c (tt_face_load_kern): Use correct value for
minimum table length test.
---
diff --git a/src/sfnt/ttkern.c b/src/sfnt/ttkern.c
index 32c4008..455e7b5 100644
--- a/src/sfnt/ttkern.c
+++ b/src/sfnt/ttkern.c
@@ -99,7 +99,7 @@
       length   = FT_NEXT_USHORT( p );
       coverage = FT_NEXT_USHORT( p );
 
-      if ( length <= 6 )
+      if ( length <= 6 + 8 )
         break;
 
       p_next += length;
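Review bot: `6 + 8` is written as two literals without saying what each covers; the surrounding lines read `version`, `length` and `coverage` (the 6 bytes), but the hunk does not show what the additional 8 bytes are, so a comment or two named constants would make the minimum-length test self-explanatory. Leaving the sum unreduced is the right call; folding it to `14` would lose the derivation.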
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9660.patch:
 bdflib.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9660.patch ---
>From af8346172a7b573715134f7a51e6c5c60fa7f2ab Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Sat, 22 Nov 2014 12:29:10 +0000
Subject: [bdf] Fix Savannah bug #43660.

* src/bdf/bdflib.c (_bdf_parse_glyphs) <"ENDFONT">: Check
`_BDF_GLYPH_BITS'.
---
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index c128526..369c111 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1555,6 +1555,14 @@
     /* Check for the ENDFONT field. */
     if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
     {
+      if ( p->flags & _BDF_GLYPH_BITS )
+      {
+        /* Missing ENDCHAR field. */
+        FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENDCHAR" ));
+        error = FT_THROW( Corrupted_Font_Glyphs );
+        goto Exit;
+      }
+
       /* Sort the glyphs by encoding. */
       ft_qsort( (char *)font->glyphs,
                 font->glyphs_used,
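Review bot: the missing-ENDCHAR check is only reached when an `ENDFONT` line is seen; a file that drops both `ENDCHAR` and `ENDFONT` is not covered by this hunk, so it is worth confirming that the end-of-input path also rejects a still-set `_BDF_GLYPH_BITS`. The error plumbing itself (`FT_ERROR` with `ERRMSG1` and `lineno`, `FT_THROW( Corrupted_Font_Glyphs )`, `goto Exit`) matches the surrounding code.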
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9661a.patch:
 t42objs.c  |    6 ++++++
 t42parse.c |   26 ++++++++++++--------------
 2 files changed, 18 insertions(+), 14 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9661a.patch ---
>From 3788187e0c396952cd7d905c6c61f3ff8e84b2b4 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Sat, 22 Nov 2014 09:46:47 +0000
Subject: [type42] Fix Savannah bug #43659.

* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.

* src/type42/t42parse.c (t42_parse_sfnts): Always set
`face->ttf_size' directly.  This ensures a correct stream size in
the call to `FT_Open_Face', which follows after parsing, even for
buggy input data.
Fix error messages.
---
diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
index 798ebdb..7a9cb57 100644
--- a/src/type42/t42objs.c
+++ b/src/type42/t42objs.c
@@ -47,6 +47,12 @@
     if ( FT_ALLOC( face->ttf_data, 12 ) )
       goto Exit;
 
+    /* while parsing the font we always update `face->ttf_size' so that */
+    /* even in case of buggy data (which might lead to premature end of */
+    /* scanning without causing an error) the call to `FT_Open_Face' in */
+    /* `T42_Face_Init' passes the correct size                          */
+    face->ttf_size = 12;
+
     error = t42_parser_init( parser,
                              face->root.stream,
                              memory,
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index a60e216..daf304d 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -524,7 +524,7 @@
     FT_Byte*    limit  = parser->root.limit;
     FT_Error    error;
     FT_Int      num_tables = 0;
-    FT_ULong    count, ttf_size = 0;
+    FT_ULong    count;
 
     FT_Long     n, string_size, old_string_size, real_size;
     FT_Byte*    string_buf = NULL;
@@ -617,7 +617,7 @@
 
         if ( limit - parser->root.cursor < string_size )
         {
-          FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+          FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
           error = FT_THROW( Invalid_File_Format );
           goto Fail;
         }
@@ -657,18 +657,18 @@
           }
           else
           {
-            num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
-            status     = BEFORE_TABLE_DIR;
-            ttf_size   = 12 + 16 * num_tables;
+            num_tables     = 16 * face->ttf_data[4] + face->ttf_data[5];
+            status         = BEFORE_TABLE_DIR;
+            face->ttf_size = 12 + 16 * num_tables;
 
-            if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )
+            if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
               goto Fail;
           }
           /* fall through */
 
         case BEFORE_TABLE_DIR:
           /* the offset table is read; read the table directory */
-          if ( count < ttf_size )
+          if ( count < face->ttf_size )
           {
             face->ttf_data[count++] = string_buf[n];
             continue;
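Review bot: `num_tables = 16 * face->ttf_data[4] + face->ttf_data[5]` weights the high byte of a two-byte big-endian field by 16 rather than 256; the line is only re-indented here, not changed, but since `face->ttf_size = 12 + 16 * num_tables` and the following `FT_REALLOC` now depend on it directly, this is the moment to either confirm the weighting is deliberate (and say so in a comment) or correct it. Otherwise, replacing the removed local `ttf_size` with `face->ttf_size` is applied consistently throughout the hunk.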
@@ -687,24 +687,23 @@
               len = FT_PEEK_ULONG( p );
 
               /* Pad to a 4-byte boundary length */
-              ttf_size += ( len + 3 ) & ~3;
+              face->ttf_size += ( len + 3 ) & ~3;
             }
 
-            status         = OTHER_TABLES;
-            face->ttf_size = ttf_size;
+            status = OTHER_TABLES;
 
             /* there are no more than 256 tables, so no size check here */
             if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
-                             ttf_size + 1 ) )
+                             face->ttf_size + 1 ) )
               goto Fail;
           }
           /* fall through */
 
         case OTHER_TABLES:
           /* all other tables are just copied */
-          if ( count >= ttf_size )
+          if ( count >= face->ttf_size )
           {
-            FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+            FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
             error = FT_THROW( Invalid_File_Format );
             goto Fail;
           }
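Review bot: `face->ttf_size += ( len + 3 ) & ~3;` accumulates `len` values read with `FT_PEEK_ULONG` from the table directory without bounding them, and the comment `/* there are no more than 256 tables, so no size check here */` argues only about the number of tables, not about the magnitude of each `len`; the running total can still wrap `FT_ULong` before the `FT_REALLOC( ..., face->ttf_size + 1 )`. Consider rejecting any `len` larger than the remaining `sfnts` data, or checking the total against a ceiling, before adding it.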
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9661b.patch:
 t42objs.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9661b.patch ---
>From 42fcd6693ec7bd6ffc65ddc63e74287a65dda669 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Sat, 22 Nov 2014 11:44:33 +0000
Subject: [type42] Allow only embedded TrueType fonts.

This is a follow-up to Savannah bug #43659.

* src/type42/t42objs.c (T42_Face_Init): Exclusively use the
`truetype' font driver for loading the font contained in the `sfnts'
array.
---
diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
index 7a9cb57..915e81f 100644
--- a/src/type42/t42objs.c
+++ b/src/type42/t42objs.c
@@ -292,7 +292,9 @@
       FT_Open_Args  args;
 
 
-      args.flags       = FT_OPEN_MEMORY;
+      args.flags       = FT_OPEN_MEMORY | FT_OPEN_DRIVER;
+      args.driver      = FT_Get_Module( FT_FACE_LIBRARY( face ),
+                                        "truetype" );
       args.memory_base = face->ttf_data;
       args.memory_size = face->ttf_size;
 
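Review bot: the return value of `FT_Get_Module( FT_FACE_LIBRARY( face ), "truetype" )` is not checked; it is NULL when the truetype module is not registered in this library, and with `FT_OPEN_DRIVER` set a NULL `args.driver` should be treated as an error here rather than handed to `FT_Open_Face`, which in my reading ignores a NULL driver and falls back to probing every driver, defeating the restriction this hunk introduces. Suggest failing with `FT_THROW( Missing_Module )` when `args.driver` is NULL before the open.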
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9662.patch:
 cf2ft.c |   49 ++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 38 insertions(+), 11 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9662.patch ---
>From 5f201ab5c24cb69bc96b724fd66e739928d6c5e2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Sat, 22 Nov 2014 08:16:39 +0000
Subject: [cff] Fix Savannah bug #43658.

* src/cff/cf2ft.c (cf2_builder_lineTo, cf2_builder_cubeTo): Handle
return values of point allocation routines.
---
diff --git a/src/cff/cf2ft.c b/src/cff/cf2ft.c
index cb8d31c..ebba469 100644
--- a/src/cff/cf2ft.c
+++ b/src/cff/cf2ft.c
@@ -142,6 +142,8 @@
   cf2_builder_lineTo( CF2_OutlineCallbacks      callbacks,
                       const CF2_CallbackParams  params )
   {
+    FT_Error  error;
+
     /* downcast the object pointer */
     CF2_Outline   outline = (CF2_Outline)callbacks;
     CFF_Builder*  builder;
@@ -156,15 +158,27 @@
     {
       /* record the move before the line; also check points and set */
       /* `path_begun'                                               */
-      cff_builder_start_point( builder,
-                               params->pt0.x,
-                               params->pt0.y );
+      error = cff_builder_start_point( builder,
+                                       params->pt0.x,
+                                       params->pt0.y );
+      if ( error )
+      {
+        if ( !*callbacks->error )
+          *callbacks->error =  error;
+        return;
+      }
     }
 
     /* `cff_builder_add_point1' includes a check_points call for one point */
-    cff_builder_add_point1( builder,
-                            params->pt1.x,
-                            params->pt1.y );
+    error = cff_builder_add_point1( builder,
+                                    params->pt1.x,
+                                    params->pt1.y );
+    if ( error )
+    {
+      if ( !*callbacks->error )
+        *callbacks->error =  error;
+      return;
+    }
   }
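Review bot: the five-line propagate-and-return block (`if ( error ) { if ( !*callbacks->error ) *callbacks->error = error; return; }`) now appears twice in this hunk and twice more in `cf2_builder_cubeTo`; a small static helper or macro would keep the four copies from drifting. Minor: `*callbacks->error =  error;` has a doubled space after `=`. The early `return` before `cff_builder_add_point1` is right, since a failed `cff_builder_start_point` leaves no room for the point.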
 
 
@@ -172,6 +186,8 @@
   cf2_builder_cubeTo( CF2_OutlineCallbacks      callbacks,
                       const CF2_CallbackParams  params )
   {
+    FT_Error  error;
+
     /* downcast the object pointer */
     CF2_Outline   outline = (CF2_Outline)callbacks;
     CFF_Builder*  builder;
@@ -186,13 +202,25 @@
     {
       /* record the move before the line; also check points and set */
       /* `path_begun'                                               */
-      cff_builder_start_point( builder,
-                               params->pt0.x,
-                               params->pt0.y );
+      error = cff_builder_start_point( builder,
+                                       params->pt0.x,
+                                       params->pt0.y );
+      if ( error )
+      {
+        if ( !*callbacks->error )
+          *callbacks->error =  error;
+        return;
+      }
     }
 
     /* prepare room for 3 points: 2 off-curve, 1 on-curve */
-    cff_check_points( builder, 3 );
+    error = cff_check_points( builder, 3 );
+    if ( error )
+    {
+      if ( !*callbacks->error )
+        *callbacks->error =  error;
+      return;
+    }
 
     cff_builder_add_point( builder,
                            params->pt1.x,
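Review bot: the comment `/* record the move before the line; ... */` at the top of this hunk is inherited verbatim from `cf2_builder_lineTo`, but this is `cf2_builder_cubeTo`, so it should say curve. The `cff_builder_add_point` calls that follow the new `cff_check_points( builder, 3 )` are correctly left unchecked: the reservation of three points is exactly what the check guarantees, and returning on its error is what keeps them in bounds.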
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9663.patch:
 ttcmap.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9663.patch ---
>From 9bd20b7304aae61de5d50ac359cf27132bafd4c1 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Sat, 22 Nov 2014 05:24:45 +0000
Subject: [sfnt] Fix Savannah bug #43656.

* src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity
tests.
---
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 712bd4f..fb863c3 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -845,9 +845,6 @@
     p      = table + 2;           /* skip format */
     length = TT_NEXT_USHORT( p );
 
-    if ( length < 16 )
-      FT_INVALID_TOO_SHORT;
-
     /* in certain fonts, the `length' field is invalid and goes */
     /* out of bound.  We try to correct this here...            */
     if ( table + length > valid->limit )
@@ -858,6 +855,9 @@
       length = (FT_UInt)( valid->limit - table );
     }
 
+    if ( length < 16 )
+      FT_INVALID_TOO_SHORT;
+
     p        = table + 6;
     num_segs = TT_NEXT_USHORT( p );   /* read segCountX2 */
 
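Review bot: moving `if ( length < 16 ) FT_INVALID_TOO_SHORT;` below the clamp `length = (FT_UInt)( valid->limit - table );` is the right order, since the clamp can shrink `length` below 16 after the original check had already passed; a one-line comment on the relocated check saying it must stay after the clamp would stop someone from hoisting it back for readability.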
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9664a.patch:
 type1/t1load.c    |    5 +++++
 type42/t42parse.c |    7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9664a.patch ---
>From 73be9f9ab67842cfbec36ee99e8d2301434c84ca Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Mon, 24 Nov 2014 06:30:05 +0000
Subject: [type1, type42] Another fix for Savannah bug #43655.

* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
(t42_parse_charstrings): Add another boundary testing.
---
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index caa75bd..24b14a8 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1596,6 +1596,11 @@
       }
 
       T1_Skip_PS_Token( parser );
+      if ( parser->root.cursor >= limit )
+      {
+        error = FT_THROW( Invalid_File_Format );
+        goto Fail;
+      }
       if ( parser->root.error )
         return;
 
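Review bot: the new `parser->root.cursor >= limit` test is placed ahead of the existing `if ( parser->root.error ) return;`, so a skip that both overran and set the parser error now reports `Invalid_File_Format` via `Fail` rather than returning silently; that is fine, but the Type 1 variant differs from the companion `t42parse.c` hunk in this patch in emitting no `FT_ERROR` diagnostic. Adding the same `FT_ERROR(( "parse_charstrings: out of bounds\n" ))` would keep the two drivers' tracing consistent.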
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index daf304d..d45c069 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -849,6 +849,12 @@
         break;
 
       T1_Skip_PS_Token( parser );
+      if ( parser->root.cursor >= limit )
+      {
+        FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Fail;
+      }
       if ( parser->root.error )
         return;
 
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9664b.patch:
 type1/t1load.c    |    2 +-
 type42/t42parse.c |    3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9664b.patch ---
>From dd89710f0f643eb0f99a3830e0712d26c7642acd Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Fri, 21 Nov 2014 21:19:28 +0000
Subject: [type1, type42] Fix Savannah bug #43655.

* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
(t42_parse_charstrings): Fix boundary testing.
---
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index fd06432..caa75bd 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1609,7 +1609,7 @@
         FT_PtrDist  len;
 
 
-        if ( cur + 1 >= limit )
+        if ( cur + 2 >= limit )
         {
           error = FT_THROW( Invalid_File_Format );
           goto Fail;
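Review bot: the change from `cur + 1 >= limit` to `cur + 2 >= limit` is not explained in the hunk; the lines that read past `cur` are outside the context shown, so a comment stating how many bytes are accessed after `cur` (and therefore why two is the right margin) would anchor the literal. The same applies to the identical change in `t42parse.c` below.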
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index 9b66888..a60e216 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -863,7 +863,7 @@
         FT_PtrDist  len;
 
 
-        if ( cur + 1 >= limit )
+        if ( cur + 2 >= limit )
         {
           FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
           error = FT_THROW( Invalid_File_Format );
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9665.patch:
 pngshim.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- NEW FILE freetype-2.5.3-CVE-2014-9665.patch ---
--- freetype-2.5.3/src/sfnt/pngshim.c
+++ freetype-2.5.3/src/sfnt/pngshim.c
@@ -269,6 +269,20 @@
       map->pitch      = map->width * 4;
       map->num_grays  = 256;
 
+      /* reject bitmaps with negative dimensions */
+      if ( map->rows < 0 || map->width < 0 )
+      {
+        error = FT_THROW( Invalid_Argument );
+        goto DestroyExit;
+      }
+
+      /* reject too large bitmaps similarly to the rasterizer */
+      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto DestroyExit;
+      }
+
       size = map->rows * map->pitch;
 
       error = ft_glyphslot_alloc_bitmap( slot, size );
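Review bot: the two new range checks run after `map->pitch = map->width * 4;` has already been computed from the unvalidated `map->width`; the product is discarded on the error path, but moving the checks above the pitch assignment would validate first and compute second, which is easier to audit. The ceiling `0x7FFF` mirrors the rasterizer per the comment, and `goto DestroyExit` matches the error handling around it.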

freetype-2.5.3-CVE-2014-9666.patch:
 ttsbit.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9666.patch ---
>From 257c270bd25e15890190a28a1456e7623bba4439 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Wed, 12 Nov 2014 20:42:13 +0000
Subject: [sfnt] Fix Savannah bug #43591.

* src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition
and multiplication overflow.
---
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index da6b01b..b37bd7d 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -380,9 +380,11 @@
       p                          += 34;
       decoder->bit_depth          = *p;
 
-      if ( decoder->strike_index_array > face->sbit_table_size             ||
-           decoder->strike_index_array + 8 * decoder->strike_index_count >
-             face->sbit_table_size                                         )
+      /* decoder->strike_index_array +                               */
+      /*   8 * decoder->strike_index_count > face->sbit_table_size ? */
+      if ( decoder->strike_index_array > face->sbit_table_size           ||
+           decoder->strike_index_count >
+             ( face->sbit_table_size - decoder->strike_index_array ) / 8 )
         error = FT_THROW( Invalid_File_Format );
     }
 
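Review bot: the rewritten test depends on clause order: `decoder->strike_index_count > ( face->sbit_table_size - decoder->strike_index_array ) / 8` is only safe because the first clause has already rejected `strike_index_array > sbit_table_size`, so the subtraction cannot wrap. The `/* ... ? */` comment restating the original expression is helpful; a few more words noting that the first clause guards the subtraction would make the dependency explicit.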
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9667.patch:
 ttload.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9667.patch ---
>From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Wed, 12 Nov 2014 20:26:44 +0000
Subject: [sfnt] Fix Savannah bug #43590.

* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
Protect against addition overflow.
---
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index 0a3cd29..8338150 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -5,7 +5,7 @@
 /*    Load the basic TrueType tables, i.e., tables that can be either in   */
 /*    TTF or OTF fonts (body).                                             */
 /*                                                                         */
-/*  Copyright 1996-2010, 2012, 2013 by                                     */
+/*  Copyright 1996-2010, 2012-2014 by                                      */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -207,7 +207,10 @@
       }
 
       /* we ignore invalid tables */
-      if ( table.Offset + table.Length > stream->size )
+
+      /* table.Offset + table.Length > stream->size ? */
+      if ( table.Length > stream->size                ||
+           table.Offset > stream->size - table.Length )
       {
         FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
         continue;
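Review bot: the added blank line separates `/* we ignore invalid tables */` from the condition it describes and wedges a second comment in between; merging the two into one comment block (intent plus the rewritten expression) reads better and keeps the hunk to the one-line change it actually makes. The same layout is repeated in the `tt_face_load_font_dir` hunk below. The decomposition itself is correct: `table.Length > stream->size` is tested first, so `stream->size - table.Length` cannot underflow.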
@@ -395,7 +398,10 @@
       entry->Length   = FT_GET_ULONG();
 
       /* ignore invalid tables */
-      if ( entry->Offset + entry->Length > stream->size )
+
+      /* entry->Offset + entry->Length > stream->size ? */
+      if ( entry->Length > stream->size                 ||
+           entry->Offset > stream->size - entry->Length )
         continue;
       else
       {
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9668.patch:
 sfobjs.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9668.patch ---
>From f46add13895337ece929b18bb8f036431b3fb538 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Wed, 12 Nov 2014 20:06:08 +0000
Subject: [sfnt] Fix Savannah bug #43589.

* src/sfnt/sfobjs.c (woff_open_font): Protect against addition
overflow.
---
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
index cfea9cd..70b988d 100644
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -574,8 +574,10 @@
 
 
       if ( table->Offset != woff_offset                         ||
-           table->Offset + table->CompLength > woff.length      ||
-           sfnt_offset + table->OrigLength > woff.totalSfntSize ||
+           table->CompLength > woff.length                      ||
+           table->Offset > woff.length - table->CompLength      ||
+           table->OrigLength > woff.totalSfntSize               ||
+           sfnt_offset > woff.totalSfntSize - table->OrigLength ||
            table->CompLength > table->OrigLength                )
       {
         error = FT_THROW( Invalid_Table );
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9669.patch:
 ttcmap.c |   40 ++++++++++++++++++++++++++++++----------
 1 file changed, 30 insertions(+), 10 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9669.patch ---
>From 602040b1112c9f94d68e200be59ea7ac3d104565 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Wed, 12 Nov 2014 19:51:20 +0000
Subject: [sfnt] Fix Savannah bug #43588.

* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect
against overflow in additions and multiplications.
---
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index f9acf5d..712bd4f 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -1669,7 +1669,8 @@
     p          = is32  + 8192;          /* skip `is32' array */
     num_groups = TT_NEXT_ULONG( p );
 
-    if ( p + num_groups * 12 > valid->limit )
+    /* p + num_groups * 12 > valid->limit ? */
+    if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 )
       FT_INVALID_TOO_SHORT;
 
     /* check groups, they must be in increasing order */
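Review bot: `num_groups > (FT_UInt32)( valid->limit - p ) / 12` assumes `p <= valid->limit` when it casts the pointer difference; `p` was just set to `is32 + 8192`, and if that skip is not bounded against `valid->limit` earlier in the function, a negative difference becomes a huge unsigned quotient and the check passes. Worth confirming that the earlier length check covers the 8192-byte `is32` array, and stating that precondition in a comment here.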
@@ -1694,7 +1695,12 @@
 
         if ( valid->level >= FT_VALIDATE_TIGHT )
         {
-          if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
+          FT_UInt32  d = end - start;
+
+
+          /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
+          if ( d > TT_VALID_GLYPH_COUNT( valid )             ||
+               start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
             FT_INVALID_GLYPH_ID;
 
           count = (FT_UInt32)( end - start + 1 );
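Review bot: `d = end - start` assumes `end >= start`; the surrounding comment says groups must be in increasing order, so presumably that is validated before this point, but if not `d` wraps and the first clause rejects the group only by accident. Minor: `count = (FT_UInt32)( end - start + 1 );` two lines later recomputes the same difference and could be `d + 1`.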
@@ -1892,7 +1898,9 @@
     count  = TT_NEXT_ULONG( p );
 
     if ( length > (FT_ULong)( valid->limit - table ) ||
-         length < 20 + count * 2                     )
+         /* length < 20 + count * 2 ? */
+         length < 20                                 ||
+         ( length - 20 ) / 2 < count                 )
       FT_INVALID_TOO_SHORT;
 
     /* check glyph indices */
@@ -2079,7 +2087,9 @@
     num_groups = TT_NEXT_ULONG( p );
 
     if ( length > (FT_ULong)( valid->limit - table ) ||
-         length < 16 + 12 * num_groups               )
+         /* length < 16 + 12 * num_groups ? */
+         length < 16                                 ||
+         ( length - 16 ) / 12 < num_groups           )
       FT_INVALID_TOO_SHORT;
 
     /* check groups, they must be in increasing order */
@@ -2101,7 +2111,12 @@
 
         if ( valid->level >= FT_VALIDATE_TIGHT )
         {
-          if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
+          FT_UInt32  d = end - start;
+
+
+          /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
+          if ( d > TT_VALID_GLYPH_COUNT( valid )             ||
+               start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
             FT_INVALID_GLYPH_ID;
         }
 
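Review bot: this hunk is a verbatim copy of the `d`/`start_id` test added in `tt_cmap8_validate` above; a small shared helper (or macro) taking `start_id`, `start`, `end` and the glyph count would keep the two in step the next time one of them changes. The two blank lines after the `FT_UInt32  d = end - start;` declaration follow the file's existing convention, so no issue there.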
@@ -2401,7 +2416,9 @@
     num_groups = TT_NEXT_ULONG( p );
 
     if ( length > (FT_ULong)( valid->limit - table ) ||
-         length < 16 + 12 * num_groups               )
+         /* length < 16 + 12 * num_groups ? */
+         length < 16                                 ||
+         ( length - 16 ) / 12 < num_groups           )
       FT_INVALID_TOO_SHORT;
 
     /* check groups, they must be in increasing order */
@@ -2787,7 +2804,9 @@
     num_selectors = TT_NEXT_ULONG( p );
 
     if ( length > (FT_ULong)( valid->limit - table ) ||
-         length < 10 + 11 * num_selectors            )
+         /* length < 10 + 11 * num_selectors ? */
+         length < 10                                 ||
+         ( length - 10 ) / 11 < num_selectors        )
       FT_INVALID_TOO_SHORT;
 
     /* check selectors, they must be in increasing order */
@@ -2823,7 +2842,8 @@
           FT_ULong  lastBase  = 0;
 
 
-          if ( defp + numRanges * 4 > valid->limit )
+          /* defp + numRanges * 4 > valid->limit ? */
+          if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
             FT_INVALID_TOO_SHORT;
 
           for ( i = 0; i < numRanges; ++i )
@@ -2850,7 +2870,8 @@
           FT_ULong  i, lastUni  = 0;
 
 
-          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+          /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
+          if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
             FT_INVALID_TOO_SHORT;
 
           for ( i = 0; i < numMappings; ++i )
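Review bot: same caveat as for `defp` above: the test relies on `ndp <= valid->limit` already holding. Minor style: the outer parentheses in `( (FT_ULong)( valid->limit - ndp ) ) / 4` are redundant and differ from the `defp` hunk's form; `(FT_ULong)( valid->limit - ndp ) / 4` binds the same way because the cast has higher precedence than the division.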
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9670.patch:
 pcfread.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9670.patch ---
>From ef1eba75187adfac750f326b563fe543dd5ff4e6 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Thu, 06 Nov 2014 22:25:05 +0000
Subject: Fix Savannah bug #43548.

* src/pcf/pcfread (pcf_get_encodings): Add sanity checks for row and
column values.
---
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index 8db31bd..668c962 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -812,6 +812,15 @@ THE SOFTWARE.
     if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) )
       return FT_THROW( Invalid_File_Format );
 
+    /* sanity checks */
+    if ( firstCol < 0       ||
+         firstCol > lastCol ||
+         lastCol  > 0xFF    ||
+         firstRow < 0       ||
+         firstRow > lastRow ||
+         lastRow  > 0xFF    )
+      return FT_THROW( Invalid_Table );
+
     FT_TRACE4(( "pdf_get_encodings:\n" ));
 
     FT_TRACE4(( "  firstCol %d, lastCol %d, firstRow %d, lastRow %d\n",
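Review bot: the `< 0` tests only do anything if `firstCol`, `lastCol`, `firstRow` and `lastRow` are signed types; if they are read into unsigned variables those clauses are dead and only the `> 0xFF` ones bite, so the declarations are worth checking. Capping both ranges at 0xFF also bounds the encoding table that is built from them to at most 256 * 256 entries, which is the useful property for the code that follows and deserves a mention in the `/* sanity checks */` comment. Separately, the unchanged trace line reads `pdf_get_encodings` while the function is `pcf_get_encodings`; worth fixing while here.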
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9671.patch:
 pcfread.c |   16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9671.patch ---
>From 0e2f5d518c60e2978f26400d110eff178fa7e3c3 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Thu, 06 Nov 2014 21:32:46 +0000
Subject: Fix Savannah bug #43547.

* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
values.
---
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index f63377b..8db31bd 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -151,6 +151,21 @@ THE SOFTWARE.
         break;
     }
 
+    /* we now check whether the `size' and `offset' values are reasonable: */
+    /* `offset' + `size' must not exceed the stream size                   */
+    tables = face->toc.tables;
+    for ( n = 0; n < toc->count; n++ )
+    {
+      /* we need two checks to avoid overflow */
+      if ( ( tables->size   > stream->size                ) ||
+           ( tables->offset > stream->size - tables->size ) )
+      {
+        error = FT_THROW( Invalid_Table );
+        goto Exit;
+      }
+      tables++;
+    }
+
 #ifdef FT_DEBUG_LEVEL_TRACE
 
     {
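Review bot: the loop mixes `face->toc.tables` with `toc->count`; if `toc` already points at `&face->toc`, use `toc->tables` for both so a reader does not have to confirm they are the same object. The two-step form, `size > stream->size` followed by `offset > stream->size - size`, is the right way to avoid wrapping `offset + size`, and the comment above it should say that the second subtraction cannot wrap precisely because the first test passed.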
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9672.patch:
 ftmac.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9672.patch ---
>From 18a8f0d9943369449bc4de92d411c78fb08d616c Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki at hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 07:11:38 +0000
Subject: Fix Savannah bug #43540.

* src/base/ftmac.c (parse_fond): Prevent a buffer overrun
caused by a font including too many (> 63) strings to store
names[] table.
---
diff --git a/src/base/ftmac.c b/src/base/ftmac.c
index 9b49da8..184a2e1 100644
--- a/src/base/ftmac.c
+++ b/src/base/ftmac.c
@@ -440,9 +440,10 @@
       style = (StyleTable*)p;
       p += sizeof ( StyleTable );
       string_count = EndianS16_BtoN( *(short*)(p) );
+      string_count = FT_MIN( 64, string_count );
       p += sizeof ( short );
 
-      for ( i = 0; i < string_count && i < 64; i++ )
+      for ( i = 0; i < string_count; i++ )
       {
         names[i] = p;
         p       += names[i][0];
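Review bot: clamping `string_count` to 64 matches the 64-entry `names[]` table, but `string_count` comes from `EndianS16_BtoN( *(short*)(p) )`; if it is a signed `short`, a negative value passes `FT_MIN( 64, string_count )` unchanged, the loop then simply does not run and the later `<= string_count` test fails, which is safe but implicit. An explicit `if ( string_count < 0 ) string_count = 0;` (or reading the count as unsigned) would make that intent visible. The loop also still advances `p` by each Pascal string's length byte without comparing against the end of the resource; if that is bounded elsewhere, a comment here would help.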
@@ -459,7 +460,7 @@
           ps_name[ps_name_len] = 0;
         }
         if ( style->indexes[face_index] > 1 &&
-             style->indexes[face_index] <= FT_MIN( string_count, 64 ) )
+             style->indexes[face_index] <= string_count )
         {
           unsigned char*  suffixes = names[style->indexes[face_index] - 1];
 
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9673.patch:
 ftobjs.c |   18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9673.patch ---
>From 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki at hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 06:52:23 +0000
Subject: Fix Savannah bug #43539.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
by a broken POST table in resource-fork.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index ffbbc32..922216e 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1627,6 +1627,11 @@
         goto Exit2;
       if ( FT_READ_LONG( rlen ) )
         goto Exit;
+      if ( rlen < 0 )
+      {
+        error = FT_THROW( Invalid_Offset );
+        goto Exit2;
+      }
       if ( FT_READ_USHORT( flags ) )
         goto Exit;
       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
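Review bot: the new `rlen < 0` check correctly jumps to `Exit2`, where `pfb_data` is released, but the `FT_READ_LONG( rlen )` failure two lines above still does `goto Exit`, skipping that cleanup; make it `goto Exit2` while touching this block.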
@@ -1644,7 +1649,14 @@
         rlen = 0;
 
       if ( ( flags >> 8 ) == type )
+      {
+        if ( 0x7FFFFFFFL - rlen < len )
+        {
+          error = FT_THROW( Array_Too_Large );
+          goto Exit2;
+        }
         len += rlen;
+      }
       else
       {
         if ( pfb_lenpos + 3 > pfb_len + 2 )
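Review bot: `0x7FFFFFFFL - rlen < len` is a valid overflow test only because the hunk above rejects negative `rlen` and `len` starts non-negative; note that precondition in a comment, since on its own the line reads as a plain range test.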
@@ -1673,6 +1685,11 @@
       }
 
       error = FT_ERR( Cannot_Open_Resource );
+      if ( rlen > 0x7FFFFFFFL - pfb_pos )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto Exit2;
+      }
       if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
         goto Exit2;
 
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9674a.patch:
 ftobjs.c |   16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9674a.patch ---
>From 240c94a185cd8dae7d03059abec8a5662c35ecd3 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki at hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 06:43:29 +0000
Subject: Fix Savannah bug #43538.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
by a broken POST table in resource-fork.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 4d60e88..ffbbc32 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1603,10 +1603,23 @@
         goto Exit;
       if ( FT_READ_LONG( temp ) )
         goto Exit;
+      if ( 0 > temp )
+        error = FT_THROW( Invalid_Offset );
+      else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
+        error = FT_THROW( Array_Too_Large );
+
+      if ( error )
+        goto Exit;
+
       pfb_len += temp + 6;
     }
 
-    if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
+    if ( 0x7FFFFFFFL - 2 < pfb_len )
+      error = FT_THROW( Array_Too_Large );
+    else
+      error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
+
+    if ( error )
       goto Exit;
 
     pfb_data[0] = 0x80;
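Review bot: `error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );` does not store the allocation's error code: `FT_ALLOC` expands through `FT_MEM_SET_ERROR`, which assigns `error` itself and evaluates to `error != 0`, i.e. 0 or 1, so on failure the assignment overwrites the out-of-memory code with 1 (`Cannot_Open_Resource`). Keep the original `if ( FT_ALLOC( ... ) ) goto Exit;` form inside the `else` branch instead.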
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9674b.patch:
 ftobjs.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9674b.patch ---
>From cd4a5a26e591d01494567df9dec7f72d59551f6e Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki at hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 15:20:48 +0000
Subject: * src/base/ftobj.c (Mac_Read_POST_Resource): Additional

overflow check in the summation of POST fragment lengths,
suggested by Mateusz Jurczyk <mjurczyk at google.com>.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 4321126..b28216a 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1604,8 +1604,10 @@
       if ( FT_READ_ULONG( temp ) )
         goto Exit;
       FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n", i, temp));
-      if ( 0x7FFFFFFFUL < temp )
+      if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len )
       {
+        FT_TRACE2(( "             too long fragment length makes"
+                    " pfb_len confused: temp=0x%08x\n", temp ));
         error = FT_THROW( Invalid_Offset );
         goto Exit;
       }
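Review bot: `pfb_len + temp + 6 < pfb_len` only detects a wrap when `FT_ULong` is 32 bits; on LP64 a sum of values each capped at 0x7FFFFFFF cannot wrap inside this loop, so there the bound comes from the `(FT_Long)pfb_len + 2` passed to `FT_ALLOC` afterwards. A comment saying which case each clause covers would help. Also, `temp` is `FT_ULong` yet the new trace prints it with `%08x`; use `%08lx` to avoid a format mismatch.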
--
cgit v0.9.0.2

freetype-2.5.3-CVE-2014-9675.patch:
 bdflib.c |   62 +++++++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 37 insertions(+), 25 deletions(-)

--- NEW FILE freetype-2.5.3-CVE-2014-9675.patch ---
commit 2c4832d30939b45c05757f0a05128ce64c4cacc7
Author: Werner Lemberg <wl at gnu.org>
Date:   Fri Nov 7 07:42:33 2014 +0100

    Fix Savannah bug #43535.
    
    * src/bdf/bdflib.c (_bdf_strncmp): New macro that checks one
    character more than `strncmp'.
    s/ft_strncmp/_bdf_strncmp/ everywhere.

diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index 2eda11c..c128526 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -169,6 +169,18 @@
                         sizeof ( _bdf_properties[0] );
 
 
+  /* An auxiliary macro to parse properties, to be used in conditionals. */
+  /* It behaves like `strncmp' but also tests the following character    */
+  /* whether it is a whitespace or NULL.                                 */
+  /* `property' is a constant string of length `n' to compare with.      */
+#define _bdf_strncmp( name, property, n )      \
+          ( ft_strncmp( name, property, n ) || \
+            !( name[n] == ' '  ||              \
+               name[n] == '\0' ||              \
+               name[n] == '\n' ||              \
+               name[n] == '\r' ||              \
+               name[n] == '\t' )            )
+
   /* Auto correction messages. */
 #define ACMSG1   "FONT_ASCENT property missing.  " \
                  "Added `FONT_ASCENT %hd'.\n"
@@ -1408,7 +1420,7 @@
 
     /* If the property happens to be a comment, then it doesn't need */
     /* to be added to the internal hash table.                       */
-    if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
+    if ( _bdf_strncmp( name, "COMMENT", 7 ) != 0 )
     {
       /* Add the property to the font property table. */
       error = hash_insert( fp->name,
@@ -1426,13 +1438,13 @@
     /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are        */
     /* present, and the SPACING property should override the default       */
     /* spacing.                                                            */
-    if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+    if ( _bdf_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
       font->default_char = fp->value.l;
-    else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
+    else if ( _bdf_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
       font->font_ascent = fp->value.l;
-    else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
+    else if ( _bdf_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
       font->font_descent = fp->value.l;
-    else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
+    else if ( _bdf_strncmp( name, "SPACING", 7 ) == 0 )
     {
       if ( !fp->value.atom )
       {
@@ -1490,7 +1502,7 @@
     memory = font->memory;
 
     /* Check for a comment. */
-    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+    if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
     {
       linelen -= 7;
 
@@ -1507,7 +1519,7 @@
     /* The very first thing expected is the number of glyphs. */
     if ( !( p->flags & _BDF_GLYPHS ) )
     {
-      if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
+      if ( _bdf_strncmp( line, "CHARS", 5 ) != 0 )
       {
         FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" ));
         error = FT_THROW( Missing_Chars_Field );
@@ -1541,7 +1553,7 @@
     }
 
     /* Check for the ENDFONT field. */
-    if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
+    if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
     {
       /* Sort the glyphs by encoding. */
       ft_qsort( (char *)font->glyphs,
@@ -1555,7 +1567,7 @@
     }
 
     /* Check for the ENDCHAR field. */
-    if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
+    if ( _bdf_strncmp( line, "ENDCHAR", 7 ) == 0 )
     {
       p->glyph_enc = 0;
       p->flags    &= ~_BDF_GLYPH_BITS;
@@ -1571,7 +1583,7 @@
       goto Exit;
 
     /* Check for the STARTCHAR field. */
-    if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
+    if ( _bdf_strncmp( line, "STARTCHAR", 9 ) == 0 )
     {
       /* Set the character name in the parse info first until the */
       /* encoding can be checked for an unencoded character.      */
@@ -1605,7 +1617,7 @@
     }
 
     /* Check for the ENCODING field. */
-    if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
+    if ( _bdf_strncmp( line, "ENCODING", 8 ) == 0 )
     {
       if ( !( p->flags & _BDF_GLYPH ) )
       {
@@ -1791,7 +1803,7 @@
     }
 
     /* Expect the SWIDTH (scalable width) field next. */
-    if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
+    if ( _bdf_strncmp( line, "SWIDTH", 6 ) == 0 )
     {
       if ( !( p->flags & _BDF_ENCODING ) )
         goto Missing_Encoding;
@@ -1807,7 +1819,7 @@
     }
 
     /* Expect the DWIDTH (scalable width) field next. */
-    if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
+    if ( _bdf_strncmp( line, "DWIDTH", 6 ) == 0 )
     {
       if ( !( p->flags & _BDF_ENCODING ) )
         goto Missing_Encoding;
@@ -1835,7 +1847,7 @@
     }
 
     /* Expect the BBX field next. */
-    if ( ft_strncmp( line, "BBX", 3 ) == 0 )
+    if ( _bdf_strncmp( line, "BBX", 3 ) == 0 )
     {
       if ( !( p->flags & _BDF_ENCODING ) )
         goto Missing_Encoding;
@@ -1903,7 +1915,7 @@
     }
 
     /* And finally, gather up the bitmap. */
-    if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
+    if ( _bdf_strncmp( line, "BITMAP", 6 ) == 0 )
     {
       unsigned long  bitmap_size;
 
@@ -1978,7 +1990,7 @@
     p    = (_bdf_parse_t *)    client_data;
 
     /* Check for the end of the properties. */
-    if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
+    if ( _bdf_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
     {
       /* If the FONT_ASCENT or FONT_DESCENT properties have not been      */
       /* encountered yet, then make sure they are added as properties and */
@@ -2019,12 +2031,12 @@
     }
 
     /* Ignore the _XFREE86_GLYPH_RANGES properties. */
-    if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+    if ( _bdf_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
       goto Exit;
 
     /* Handle COMMENT fields and properties in a special way to preserve */
     /* the spacing.                                                      */
-    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+    if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
     {
       name = value = line;
       value += 7;
@@ -2088,7 +2100,7 @@
 
     /* Check for a comment.  This is done to handle those fonts that have */
     /* comments before the STARTFONT line for some reason.                */
-    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+    if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
     {
       if ( p->opts->keep_comments != 0 && p->font != 0 )
       {
@@ -2114,7 +2126,7 @@
     {
       memory = p->memory;
 
-      if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
+      if ( _bdf_strncmp( line, "STARTFONT", 9 ) != 0 )
       {
         /* we don't emit an error message since this code gets */
         /* explicitly caught one level higher                  */
@@ -2162,7 +2174,7 @@
     }
 
     /* Check for the start of the properties. */
-    if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
+    if ( _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
     {
       if ( !( p->flags & _BDF_FONT_BBX ) )
       {
@@ -2191,7 +2203,7 @@
     }
 
     /* Check for the FONTBOUNDINGBOX field. */
-    if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+    if ( _bdf_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
     {
       if ( !( p->flags & _BDF_SIZE ) )
       {
@@ -2222,7 +2234,7 @@
     }
 
     /* The next thing to check for is the FONT field. */
-    if ( ft_strncmp( line, "FONT", 4 ) == 0 )
+    if ( _bdf_strncmp( line, "FONT", 4 ) == 0 )
     {
       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
       if ( error )
@@ -2257,7 +2269,7 @@
     }
 
     /* Check for the SIZE field. */
-    if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
+    if ( _bdf_strncmp( line, "SIZE", 4 ) == 0 )
     {
       if ( !( p->flags & _BDF_FONT_NAME ) )
       {
@@ -2311,7 +2323,7 @@
     }
 
     /* Check for the CHARS field -- font properties are optional */
-    if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
+    if ( _bdf_strncmp( line, "CHARS", 5 ) == 0 )
     {
       char  nbuf[128];
 

freetype-2.5.3-unsigned-long.patch:
 ftobjs.c |   59 ++++++++++++++++++++++++++++++-----------------------------
 1 file changed, 30 insertions(+), 29 deletions(-)

--- NEW FILE freetype-2.5.3-unsigned-long.patch ---
commit 453316792fee912cfced48e9e270e9eb19892e64
Author: suzuki toshiya <mpsuzuki at hiroshima-u.ac.jp>
Date:   Wed Nov 26 16:02:17 2014 +0900

    * src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long
    variables to read the lengths in POST fragments.  Suggested by
    Mateusz Jurczyk <mjurczyk at google.com>.

diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 922216e..dfad24a 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1583,9 +1583,9 @@
     FT_Memory  memory = library->memory;
     FT_Byte*   pfb_data = NULL;
     int        i, type, flags;
-    FT_Long    len;
-    FT_Long    pfb_len, pfb_pos, pfb_lenpos;
-    FT_Long    rlen, temp;
+    FT_ULong   len;
+    FT_ULong   pfb_len, pfb_pos, pfb_lenpos;
+    FT_ULong   rlen, temp;
 
 
     if ( face_index == -1 )
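Review bot: switching `len`, `pfb_len`, `pfb_pos`, `pfb_lenpos`, `rlen` and `temp` to `FT_ULong` changes how every comparison involving them is evaluated (a signed operand mixed with one of them is converted to unsigned), so each remaining `<`/`>` in the function should be rechecked, not only the ones this patch rewrites. The later hunks also pass these `FT_ULong` values to `%d`/`%08x` in `FT_TRACE` calls, which need `%ld`/`%08lx`.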
@@ -1601,25 +1601,25 @@
       error = FT_Stream_Seek( stream, offsets[i] );
       if ( error )
         goto Exit;
-      if ( FT_READ_LONG( temp ) )
+      if ( FT_READ_ULONG( temp ) )
         goto Exit;
-      if ( 0 > temp )
+      FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n", i, temp));
+      if ( 0x7FFFFFFFUL < temp )
+      {
         error = FT_THROW( Invalid_Offset );
-      else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
-        error = FT_THROW( Array_Too_Large );
-
-      if ( error )
         goto Exit;
+      }
 
       pfb_len += temp + 6;
     }
 
-    if ( 0x7FFFFFFFL - 2 < pfb_len )
+    FT_TRACE2(( "             total buffer size to concatenate %d POST fragments: 0x%08x\n",
+                 resource_cnt, pfb_len + 2));
+    if ( pfb_len + 2 < 6 ) {
       error = FT_THROW( Array_Too_Large );
-    else
-      error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
-
-    if ( error )
+      goto Exit;
+    }
+    if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
       goto Exit;
 
     pfb_data[0] = 0x80;
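Review bot: dropping the `0x7FFFFFFFL - 6 - pfb_len < temp` test leaves `pfb_len += temp + 6` free to wrap when `FT_ULong` is 32 bits, and `pfb_len + 2 < 6` only catches `pfb_len == 0` (no fragments), for which `Array_Too_Large` is also a misleading error name; restore a per-iteration wrap check (the CVE-2014-9674b patch in this series adds one) rather than relying on the allocation to fail. Style: `if ( pfb_len + 2 < 6 ) {` puts the brace on the `if` line, unlike the rest of the file.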
@@ -1638,21 +1640,25 @@
       error = FT_Stream_Seek( stream, offsets[i] );
       if ( error )
         goto Exit2;
-      if ( FT_READ_LONG( rlen ) )
+      if ( FT_READ_ULONG( rlen ) )
         goto Exit;
-      if ( rlen < 0 )
+      if ( 0x7FFFFFFFUL < rlen )
       {
         error = FT_THROW( Invalid_Offset );
         goto Exit2;
       }
       if ( FT_READ_USHORT( flags ) )
         goto Exit;
       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
                    i, offsets[i], rlen, flags ));
 
+      error = FT_ERR( Array_Too_Large );
       /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
       if ( ( flags >> 8 ) == 0 )        /* Comment, should not be loaded */
+      {
+        FT_TRACE3(( "    Skip POST fragment #%d because it is a comment\n", i ));
         continue;
+      }
 
       /* the flags are part of the resource, so rlen >= 2.  */
       /* but some fonts declare rlen = 0 for empty fragment */
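Review bot: `error = FT_ERR( Array_Too_Large );` is set before the comment check so that every bare `goto Exit2` later in the iteration reports that code; after the `continue` for a comment fragment `error` stays non-zero until the next `FT_Stream_Seek` overwrites it, which is harmless only because nothing reads it in between. A comment spelling out this pre-set convention would make the later unconditional `goto Exit2` lines reviewable. Also, `FT_READ_ULONG( rlen )` failure still jumps to `Exit`, skipping the `pfb_data` cleanup at `Exit2`.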
@@ -1662,16 +1670,10 @@
         rlen = 0;
 
       if ( ( flags >> 8 ) == type )
-      {
-        if ( 0x7FFFFFFFL - rlen < len )
-        {
-          error = FT_THROW( Array_Too_Large );
-          goto Exit2;
-        }
         len += rlen;
-      }
       else
       {
+        FT_TRACE3(( "    Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos ));
         if ( pfb_lenpos + 3 > pfb_len + 2 )
           goto Exit2;
         pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
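Review bot: the removed `0x7FFFFFFFL - rlen < len` check is now relied on implicitly: `len` only accumulates `rlen` values that the `pfb_pos + rlen > pfb_len` test later in the same iteration bounds by the buffer size, so as an `FT_ULong` it cannot wrap, but that argument deserves a comment next to `len += rlen`. In the new trace, `0x%p` prints a doubled `0x` on glibc (`%p` already adds the prefix) and `%08x` is given an `FT_ULong`.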
@@ -1682,6 +1684,7 @@
         if ( ( flags >> 8 ) == 5 )      /* End of font mark */
           break;
 
+        FT_TRACE3(( "    Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos ));
         if ( pfb_pos + 6 > pfb_len + 2 )
           goto Exit2;
         pfb_data[pfb_pos++] = 0x80;
@@ -1697,21 +1700,17 @@
         pfb_data[pfb_pos++] = 0;
       }
 
-      error = FT_ERR( Cannot_Open_Resource );
-      if ( rlen > 0x7FFFFFFFL - pfb_pos )
-      {
-        error = FT_THROW( Array_Too_Large );
-        goto Exit2;
-      }
       if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
         goto Exit2;
 
+      FT_TRACE3(( "    Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos ));
       error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
       if ( error )
         goto Exit2;
       pfb_pos += rlen;
     }
 
+    error = FT_ERR( Array_Too_Large );
     if ( pfb_pos + 2 > pfb_len + 2 )
       goto Exit2;
     pfb_data[pfb_pos++] = 0x80;
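Review bot: with the `rlen > 0x7FFFFFFFL - pfb_pos` guard removed, `pfb_pos + rlen > pfb_len` is sound only because `rlen <= 0x7FFFFFFF` (checked above) and `pfb_pos <= pfb_len`, where `pfb_len + 2` bytes were successfully allocated, so with a 32-bit `FT_ULong` the sum could wrap only for a buffer above 2 GiB; write that reasoning down next to the test rather than leaving it implicit. The new `FT_TRACE3` passes `rlen` (an `FT_ULong`) to `%d`.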
@@ -1732,6 +1731,12 @@
                                   aface );
 
   Exit2:
+    if ( error == FT_ERR( Array_Too_Large ) )
+      FT_TRACE2(( "  Abort due to too-short buffer to store all POST fragments\n" ));
+    else if ( error == FT_ERR( Invalid_Offset ) )
+      FT_TRACE2(( "  Abort due to invalid offset in a POST fragment\n" ));
+    if ( error )
+      error = FT_ERR( Cannot_Open_Resource );
     FT_FREE( pfb_data );
 
   Exit:
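Review bot: the new `if ( error ) error = FT_ERR( Cannot_Open_Resource );` at `Exit2` rewrites every error that reaches the label, including whatever the face-opening call just above it returned, not only the two cases that get a trace message. If collapsing driver errors into `Cannot_Open_Resource` is intended, say so in a comment; otherwise restrict the mapping to the `Array_Too_Large` and `Invalid_Offset` cases.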


Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/freetype-freeworld.spec,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- freetype-freeworld.spec	12 Dec 2014 03:58:15 -0000	1.37
+++ freetype-freeworld.spec	18 Feb 2015 01:32:07 -0000	1.38
@@ -1,7 +1,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype-freeworld
 Version: 2.5.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 URL: http://www.freetype.org
 Source:  http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.bz2
@@ -12,10 +12,37 @@
 Patch46:  freetype-2.2.1-enable-valid.patch
 
 ## Security fixes:
-# https://bugzilla.gnome.org/show_bug.cgi?id=1172634
+# https://bugzilla.redhat.com/show_bug.cgi?id=1172634
 Patch93:  freetype-2.5.3-hintmask.patch
 Patch94:  freetype-2.5.3-hintmap.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1191099
+# https://bugzilla.redhat.com/show_bug.cgi?id=1191191
+# https://bugzilla.redhat.com/show_bug.cgi?id=1191193
+Patch95:  freetype-2.5.3-CVE-2014-9656.patch
+Patch96:  freetype-2.5.3-CVE-2014-9657.patch
+Patch97:  freetype-2.5.3-CVE-2014-9658.patch
+Patch98:  freetype-2.5.3-CVE-2014-9675.patch
+Patch99:  freetype-2.5.3-CVE-2014-9660.patch
+Patch100:  freetype-2.5.3-CVE-2014-9661a.patch
+Patch101:  freetype-2.5.3-CVE-2014-9661b.patch
+Patch102:  freetype-2.5.3-CVE-2014-9662.patch
+Patch103:  freetype-2.5.3-CVE-2014-9663.patch
+Patch104:  freetype-2.5.3-CVE-2014-9664a.patch
+Patch105:  freetype-2.5.3-CVE-2014-9664b.patch
+Patch106:  freetype-2.5.3-CVE-2014-9665.patch
+Patch107:  freetype-2.5.3-CVE-2014-9666.patch
+Patch108:  freetype-2.5.3-CVE-2014-9667.patch
+Patch109:  freetype-2.5.3-CVE-2014-9668.patch
+Patch110:  freetype-2.5.3-CVE-2014-9669.patch
+Patch111:  freetype-2.5.3-CVE-2014-9670.patch
+Patch112:  freetype-2.5.3-CVE-2014-9671.patch
+Patch113:  freetype-2.5.3-CVE-2014-9672.patch
+Patch114:  freetype-2.5.3-CVE-2014-9673.patch
+Patch115:  freetype-2.5.3-CVE-2014-9674a.patch
+Patch116:  freetype-2.5.3-unsigned-long.patch
+Patch117:  freetype-2.5.3-CVE-2014-9674b.patch
+
 Provides: freetype-bytecode
 Provides: freetype-subpixel
 
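Review bot: the numbering is not in CVE order (`Patch98` is CVE-2014-9675, placed between 9658 and 9660) and `Patch116` (`unsigned-long`) sits between the two CVE-2014-9674 patches; the second ordering is required, because `freetype-2.5.3-CVE-2014-9674b.patch` expects the `FT_READ_ULONG`/`FT_ULong` code that the `unsigned-long` patch introduces, so a comment recording that dependency will save the next rebase. The `%changelog` below also cites rh#1191095 and rh#1191096 for the 9672 and 9673 patches, which are missing from the bug URL list in this comment block.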
@@ -47,6 +74,30 @@
 %patch93 -p1 -b .hintmask
 %patch94 -p1 -b .hintmap
 
+%patch95 -p1 -b .CVE-2014-9656
+%patch96 -p1 -b .CVE-2014-9657
+%patch97 -p1 -b .CVE-2014-9658
+%patch98 -p1 -b .CVE-2014-9675
+%patch99 -p1 -b .CVE-2014-9660
+%patch100 -p1 -b .CVE-2014-9661a
+%patch101 -p1 -b .CVE-2014-9661b
+%patch102 -p1 -b .CVE-2014-9662
+%patch103 -p1 -b .CVE-2014-9663
+%patch104 -p1 -b .CVE-2014-9664a
+%patch105 -p1 -b .CVE-2014-9664b
+%patch106 -p1 -b .CVE-2014-9665
+%patch107 -p1 -b .CVE-2014-9666
+%patch108 -p1 -b .CVE-2014-9667
+%patch109 -p1 -b .CVE-2014-9668
+%patch110 -p1 -b .CVE-2014-9669
+%patch111 -p1 -b .CVE-2014-9670
+%patch112 -p1 -b .CVE-2014-9671
+%patch113 -p1 -b .CVE-2014-9672
+%patch114 -p1 -b .CVE-2014-9673
+%patch115 -p1 -b .CVE-2014-9674a
+%patch116 -p1 -b .unsigned-long
+%patch117 -p1 -b .CVE-2014-9674b
+
 
 %build
 %configure --disable-static
@@ -85,6 +136,56 @@
 %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
 
 %changelog
+* Wed Feb 18 2015 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.5.3-4
+- Add freetype-2.5.3-CVE-2014-9656.patch from Fedora freetype (rh#1191099)
+    (Check `p' before `num_glyphs'.)
+- Add freetype-2.5.3-CVE-2014-9657.patch from Fedora freetype (rh#1191099)
+    (Check minimum size of `record_size'.)
+- Add freetype-2.5.3-CVE-2014-9658.patch from Fedora freetype (rh#1191099)
+    (Use correct value for minimum table length test.)
+- Add freetype-2.5.3-CVE-2014-9675.patch from Fedora freetype (rh#1191193)
+    (New macro that checks one character more than `strncmp'.)
+- Add freetype-2.5.3-CVE-2014-9660.patch from Fedora freetype (rh#1191099)
+    (Check `_BDF_GLYPH_BITS'.)
+- Add freetype-2.5.3-CVE-2014-9661a.patch from Fedora freetype (rh#1191099)
+    (Initialize `face->ttf_size'. Always set `face->ttf_size' directly.)
+- Add freetype-2.5.3-CVE-2014-9661b.patch from Fedora freetype (rh#1191099)
+    (Exclusively use the `truetype' font driver for loading the font contained
+     in the `sfnts' array.)
+- Add freetype-2.5.3-CVE-2014-9662.patch from Fedora freetype (rh#1191099)
+    (Handle return values of point allocation routines.)
+- Add freetype-2.5.3-CVE-2014-9663.patch from Fedora freetype (rh#1191099)
+    (Fix order of validity tests.)
+- Add freetype-2.5.3-CVE-2014-9664a.patch from Fedora freetype (rh#1191099)
+    (Add another boundary testing.)
+- Add freetype-2.5.3-CVE-2014-9664b.patch from Fedora freetype (rh#1191099)
+    (Fix boundary testing.)
+- Add freetype-2.5.3-CVE-2014-9665.patch from Fedora freetype (rh#1191099)
+    (Protect against too large bitmaps.)
+- Add freetype-2.5.3-CVE-2014-9666.patch from Fedora freetype (rh#1191099)
+    (Protect against addition and multiplication overflow.)
+- Add freetype-2.5.3-CVE-2014-9667.patch from Fedora freetype (rh#1191099)
+    (Protect against addition overflow.)
+- Add freetype-2.5.3-CVE-2014-9668.patch from Fedora freetype (rh#1191099)
+    (Protect against addition overflow.)
+- Add freetype-2.5.3-CVE-2014-9669.patch from Fedora freetype (rh#1191099)
+    (Protect against overflow in additions and multiplications.)
+- Add freetype-2.5.3-CVE-2014-9670.patch from Fedora freetype (rh#1191099)
+    (Add sanity checks for row and column values.)
+- Add freetype-2.5.3-CVE-2014-9671.patch from Fedora freetype (rh#1191099)
+    (Check `size' and `offset' values.)
+- Add freetype-2.5.3-CVE-2014-9672.patch from Fedora freetype (rh#1191095)
+    (Prevent a buffer overrun caused by a font including too many (> 63) strings
+     to store names[] table.)
+- Add freetype-2.5.3-CVE-2014-9673.patch from Fedora freetype (rh#1191096)
+    (Fix integer overflow by a broken POST table in resource-fork.)
+- Add freetype-2.5.3-CVE-2014-9674a.patch from Fedora freetype (rh#1191191)
+    (Fix integer overflow by a broken POST table in resource-fork.)
+- Add freetype-2.5.3-unsigned-long.patch from Fedora freetype (rh#1191191)
+    (Use unsigned long variables to read the lengths in POST fragments.)
+- Add freetype-2.5.3-CVE-2014-9674b.patch from Fedora freetype (rh#1191191)
+    (Additional overflow check in the summation of POST fragment lengths.)
+
 * Fri Dec 12 2014 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.5.3-3
 - Add freetype-2.5.3-hintmask.patch from Fedora freetype (rh#1172634)
     (Don't append to stem arrays after hintmask is constructed.)


More information about the rpmfusion-commits mailing list