[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/01: gnu: freetype: Fix CVE-2017-{8105,8287}.
From: |
Leo Famulari |
Subject: |
01/01: gnu: freetype: Fix CVE-2017-{8105,8287}. |
Date: |
Sat, 29 Apr 2017 12:19:50 -0400 (EDT) |
lfam pushed a commit to branch master
in repository guix.
commit 86f48a8dbff4528d1351676f429fa6a3d0afefd5
Author: Leo Famulari <address@hidden>
Date: Sat Apr 29 11:55:33 2017 -0400
gnu: freetype: Fix CVE-2017-{8105,8287}.
* gnu/packages/patches/freetype-CVE-2017-8105.patch,
gnu/packages/patches/freetype-CVE-2017-8287.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/fontutils.scm (freetype)[replacement]: New field.
(freetype/fixed): New variable.
---
gnu/local.mk | 2 +
gnu/packages/fontutils.scm | 10 ++++
gnu/packages/patches/freetype-CVE-2017-8105.patch | 56 +++++++++++++++++++++++
gnu/packages/patches/freetype-CVE-2017-8287.patch | 44 ++++++++++++++++++
4 files changed, 112 insertions(+)
diff --git a/gnu/local.mk b/gnu/local.mk
index 117da28..da2e82f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -575,6 +575,8 @@ dist_patch_DATA =
\
%D%/packages/patches/freeimage-CVE-2015-0852.patch \
%D%/packages/patches/freeimage-CVE-2016-5684.patch \
%D%/packages/patches/freeimage-fix-build-with-gcc-5.patch \
+ %D%/packages/patches/freetype-CVE-2017-8105.patch \
+ %D%/packages/patches/freetype-CVE-2017-8287.patch \
%D%/packages/patches/fuse-overlapping-headers.patch
\
%D%/packages/patches/gawk-shell.patch \
%D%/packages/patches/gcc-arm-bug-71399.patch \
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index cc6d1df..1c4d7d0 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -48,6 +48,7 @@
(define-public freetype
(package
(name "freetype")
+ (replacement freetype/fixed)
(version "2.7.1")
(source (origin
(method url-fetch)
@@ -73,6 +74,15 @@ anti-aliased glyph bitmap generation with 256 gray levels.")
(license license:freetype) ; some files have other licenses
(home-page "https://www.freetype.org/")))
+(define freetype/fixed
+ (package
+ (inherit freetype)
+ (source
+ (origin
+ (inherit (package-source freetype))
+ (patches (search-patches "freetype-CVE-2017-8105.patch"
+ "freetype-CVE-2017-8287.patch"))))))
+
(define-public ttfautohint
(package
(name "ttfautohint")
diff --git a/gnu/packages/patches/freetype-CVE-2017-8105.patch
b/gnu/packages/patches/freetype-CVE-2017-8105.patch
new file mode 100644
index 0000000..1891c4a
--- /dev/null
+++ b/gnu/packages/patches/freetype-CVE-2017-8105.patch
@@ -0,0 +1,56 @@
+Fix CVE-2017-8105:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+Patch copied from upstream source repository:
+
+https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791
+
+From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <address@hidden>
+Date: Fri, 24 Mar 2017 09:15:10 +0100
+Subject: [PATCH] [psaux] Better protect `flex' handling.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+<callothersubr>: Since there is not a single flex operator but a
+series of subroutine calls, malformed fonts can call arbitrary other
+operators after the start of a flex, possibly adding points. For
+this reason we have to check the available number of points before
+inserting a point.
+---
+ ChangeLog | 15 +++++++++++++++
+ src/psaux/t1decode.c | 9 +++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
+index af7b465e..7dd45135 100644
+--- a/src/psaux/t1decode.c
++++ b/src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+ /* point without adding any point to the outline */
+ idx = decoder->num_flex_vectors++;
+ if ( idx > 0 && idx < 7 )
++ {
++ /* in malformed fonts it is possible to have other */
++ /* opcodes in the middle of a flex (which don't */
++ /* increase `num_flex_vectors'); we thus have to */
++ /* check whether we can add a point */
++ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
++ goto Syntax_Error;
++
+ t1_builder_add_point( builder,
+ x,
+ y,
+ (FT_Byte)( idx == 3 || idx == 6 ) );
++ }
+ }
+ break;
+
+--
+2.12.2
+
diff --git a/gnu/packages/patches/freetype-CVE-2017-8287.patch
b/gnu/packages/patches/freetype-CVE-2017-8287.patch
new file mode 100644
index 0000000..d1145a8
--- /dev/null
+++ b/gnu/packages/patches/freetype-CVE-2017-8287.patch
@@ -0,0 +1,44 @@
+Fix CVE-2017-8287:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
+
+Patch copied from upstream source repository:
+https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=3774fc08b502c3e685afca098b6e8a195aded6a0
+
+From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <address@hidden>
+Date: Sun, 26 Mar 2017 08:32:09 +0200
+Subject: [PATCH] * src/psaux/psobjs.c (t1_builder_close_contour): Add safety
+ guard.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
+---
+ ChangeLog | 8 ++++++++
+ src/psaux/psobjs.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
+index d18e821a..0baf8368 100644
+--- a/src/psaux/psobjs.c
++++ b/src/psaux/psobjs.c
+@@ -1718,6 +1718,14 @@
+ first = outline->n_contours <= 1
+ ? 0 : outline->contours[outline->n_contours - 2] + 1;
+
++ /* in malformed fonts it can happen that a contour was started */
++ /* but no points were added */
++ if ( outline->n_contours && first == outline->n_points )
++ {
++ outline->n_contours--;
++ return;
++ }
++
+ /* We must not include the last point in the path if it */
+ /* is located on the first point. */
+ if ( outline->n_points > 1 )
+--
+2.12.2
+