From 86f48a8dbff4528d1351676f429fa6a3d0afefd5 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sat, 29 Apr 2017 11:55:33 -0400 Subject: [PATCH] gnu: freetype: Fix CVE-2017-{8105,8287}. * gnu/packages/patches/freetype-CVE-2017-8105.patch, gnu/packages/patches/freetype-CVE-2017-8287.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/fontutils.scm (freetype)[replacement]: New field. (freetype/fixed): New variable. --- gnu/local.mk | 2 + gnu/packages/fontutils.scm | 10 ++++ .../patches/freetype-CVE-2017-8105.patch | 56 +++++++++++++++++++ .../patches/freetype-CVE-2017-8287.patch | 44 +++++++++++++++ 4 files changed, 112 insertions(+) create mode 100644 gnu/packages/patches/freetype-CVE-2017-8105.patch create mode 100644 gnu/packages/patches/freetype-CVE-2017-8287.patch diff --git a/gnu/local.mk b/gnu/local.mk index 117da28fb3..da2e82f475 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -575,6 +575,8 @@ dist_patch_DATA = \ %D%/packages/patches/freeimage-CVE-2015-0852.patch \ %D%/packages/patches/freeimage-CVE-2016-5684.patch \ %D%/packages/patches/freeimage-fix-build-with-gcc-5.patch \ + %D%/packages/patches/freetype-CVE-2017-8105.patch \ + %D%/packages/patches/freetype-CVE-2017-8287.patch \ %D%/packages/patches/fuse-overlapping-headers.patch \ %D%/packages/patches/gawk-shell.patch \ %D%/packages/patches/gcc-arm-bug-71399.patch \ diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm index cc6d1df597..1c4d7d07ff 100644 --- a/gnu/packages/fontutils.scm +++ b/gnu/packages/fontutils.scm @@ -48,6 +48,7 @@ (define-public freetype (package (name "freetype") + (replacement freetype/fixed) (version "2.7.1") (source (origin (method url-fetch) @@ -73,6 +74,15 @@ anti-aliased glyph bitmap generation with 256 gray levels.") (license license:freetype) ; some files have other licenses (home-page "https://www.freetype.org/"))) +(define freetype/fixed + (package + (inherit freetype) + (source + (origin + (inherit (package-source freetype)) + (patches (search-patches "freetype-CVE-2017-8105.patch" + "freetype-CVE-2017-8287.patch")))))) + (define-public ttfautohint (package (name "ttfautohint") diff --git a/gnu/packages/patches/freetype-CVE-2017-8105.patch b/gnu/packages/patches/freetype-CVE-2017-8105.patch new file mode 100644 index 0000000000..1891c4ab5f --- /dev/null +++ b/gnu/packages/patches/freetype-CVE-2017-8105.patch @@ -0,0 +1,56 @@ +Fix CVE-2017-8105: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105 +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 + +Patch copied from upstream source repository: + +https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 + +From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Fri, 24 Mar 2017 09:15:10 +0100 +Subject: [PATCH] [psaux] Better protect `flex' handling. + +Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 + +* src/psaux/t1decode.c (t1_decoder_parse_charstrings) +: Since there is not a single flex operator but a +series of subroutine calls, malformed fonts can call arbitrary other +operators after the start of a flex, possibly adding points. For +this reason we have to check the available number of points before +inserting a point. +--- + ChangeLog | 15 +++++++++++++++ + src/psaux/t1decode.c | 9 +++++++++ + 2 files changed, 24 insertions(+) + +diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c +index af7b465e..7dd45135 100644 +--- a/src/psaux/t1decode.c ++++ b/src/psaux/t1decode.c +@@ -780,10 +780,19 @@ + /* point without adding any point to the outline */ + idx = decoder->num_flex_vectors++; + if ( idx > 0 && idx < 7 ) ++ { ++ /* in malformed fonts it is possible to have other */ ++ /* opcodes in the middle of a flex (which don't */ ++ /* increase `num_flex_vectors'); we thus have to */ ++ /* check whether we can add a point */ ++ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) ) ++ goto Syntax_Error; ++ + t1_builder_add_point( builder, + x, + y, + (FT_Byte)( idx == 3 || idx == 6 ) ); ++ } + } + break; + +-- +2.12.2 + diff --git a/gnu/packages/patches/freetype-CVE-2017-8287.patch b/gnu/packages/patches/freetype-CVE-2017-8287.patch new file mode 100644 index 0000000000..d1145a87ee --- /dev/null +++ b/gnu/packages/patches/freetype-CVE-2017-8287.patch @@ -0,0 +1,44 @@ +Fix CVE-2017-8287: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287 +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941 + +Patch copied from upstream source repository: +https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=3774fc08b502c3e685afca098b6e8a195aded6a0 + +From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sun, 26 Mar 2017 08:32:09 +0200 +Subject: [PATCH] * src/psaux/psobjs.c (t1_builder_close_contour): Add safety + guard. + +Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941 +--- + ChangeLog | 8 ++++++++ + src/psaux/psobjs.c | 8 ++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c +index d18e821a..0baf8368 100644 +--- a/src/psaux/psobjs.c ++++ b/src/psaux/psobjs.c +@@ -1718,6 +1718,14 @@ + first = outline->n_contours <= 1 + ? 0 : outline->contours[outline->n_contours - 2] + 1; + ++ /* in malformed fonts it can happen that a contour was started */ ++ /* but no points were added */ ++ if ( outline->n_contours && first == outline->n_points ) ++ { ++ outline->n_contours--; ++ return; ++ } ++ + /* We must not include the last point in the path if it */ + /* is located on the first point. */ + if ( outline->n_points > 1 ) +-- +2.12.2 +