gnu: freetype: Fix CVE-2017-{8105,8287}.
* gnu/packages/patches/freetype-CVE-2017-8105.patch, gnu/packages/patches/freetype-CVE-2017-8287.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/fontutils.scm (freetype)[replacement]: New field. (freetype/fixed): New variable.
This commit is contained in:
Leo Famulari
parent
e24d527131
commit
86f48a8dbf
4 changed files with 112 additions and 0 deletions
|
|
@ -575,6 +575,8 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/freeimage-CVE-2015-0852.patch \
|
||||
%D%/packages/patches/freeimage-CVE-2016-5684.patch \
|
||||
%D%/packages/patches/freeimage-fix-build-with-gcc-5.patch \
|
||||
%D%/packages/patches/freetype-CVE-2017-8105.patch \
|
||||
%D%/packages/patches/freetype-CVE-2017-8287.patch \
|
||||
%D%/packages/patches/fuse-overlapping-headers.patch \
|
||||
%D%/packages/patches/gawk-shell.patch \
|
||||
%D%/packages/patches/gcc-arm-bug-71399.patch \
|
||||
|
|
|
|||
|
|
@ -48,6 +48,7 @@
|
|||
(define-public freetype
|
||||
(package
|
||||
(name "freetype")
|
||||
(replacement freetype/fixed)
|
||||
(version "2.7.1")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
|
|
@ -73,6 +74,15 @@ anti-aliased glyph bitmap generation with 256 gray levels.")
|
|||
(license license:freetype) ; some files have other licenses
|
||||
(home-page "https://www.freetype.org/")))
|
||||
|
||||
(define freetype/fixed
|
||||
(package
|
||||
(inherit freetype)
|
||||
(source
|
||||
(origin
|
||||
(inherit (package-source freetype))
|
||||
(patches (search-patches "freetype-CVE-2017-8105.patch"
|
||||
"freetype-CVE-2017-8287.patch"))))))
|
||||
|
||||
(define-public ttfautohint
|
||||
(package
|
||||
(name "ttfautohint")
|
||||
|
|
|
|||
56
gnu/packages/patches/freetype-CVE-2017-8105.patch
Normal file
56
gnu/packages/patches/freetype-CVE-2017-8105.patch
Normal file
|
|
@ -0,0 +1,56 @@
|
|||
Fix CVE-2017-8105:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791
|
||||
|
||||
From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
|
||||
From: Werner Lemberg <wl@gnu.org>
|
||||
Date: Fri, 24 Mar 2017 09:15:10 +0100
|
||||
Subject: [PATCH] [psaux] Better protect `flex' handling.
|
||||
|
||||
Reported as
|
||||
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
|
||||
|
||||
* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
|
||||
<callothersubr>: Since there is not a single flex operator but a
|
||||
series of subroutine calls, malformed fonts can call arbitrary other
|
||||
operators after the start of a flex, possibly adding points. For
|
||||
this reason we have to check the available number of points before
|
||||
inserting a point.
|
||||
---
|
||||
ChangeLog | 15 +++++++++++++++
|
||||
src/psaux/t1decode.c | 9 +++++++++
|
||||
2 files changed, 24 insertions(+)
|
||||
|
||||
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
|
||||
index af7b465e..7dd45135 100644
|
||||
--- a/src/psaux/t1decode.c
|
||||
+++ b/src/psaux/t1decode.c
|
||||
@@ -780,10 +780,19 @@
|
||||
/* point without adding any point to the outline */
|
||||
idx = decoder->num_flex_vectors++;
|
||||
if ( idx > 0 && idx < 7 )
|
||||
+ {
|
||||
+ /* in malformed fonts it is possible to have other */
|
||||
+ /* opcodes in the middle of a flex (which don't */
|
||||
+ /* increase `num_flex_vectors'); we thus have to */
|
||||
+ /* check whether we can add a point */
|
||||
+ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
|
||||
+ goto Syntax_Error;
|
||||
+
|
||||
t1_builder_add_point( builder,
|
||||
x,
|
||||
y,
|
||||
(FT_Byte)( idx == 3 || idx == 6 ) );
|
||||
+ }
|
||||
}
|
||||
break;
|
||||
|
||||
--
|
||||
2.12.2
|
||||
|
||||
44
gnu/packages/patches/freetype-CVE-2017-8287.patch
Normal file
44
gnu/packages/patches/freetype-CVE-2017-8287.patch
Normal file
|
|
@ -0,0 +1,44 @@
|
|||
Fix CVE-2017-8287:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=3774fc08b502c3e685afca098b6e8a195aded6a0
|
||||
|
||||
From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001
|
||||
From: Werner Lemberg <wl@gnu.org>
|
||||
Date: Sun, 26 Mar 2017 08:32:09 +0200
|
||||
Subject: [PATCH] * src/psaux/psobjs.c (t1_builder_close_contour): Add safety
|
||||
guard.
|
||||
|
||||
Reported as
|
||||
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
|
||||
---
|
||||
ChangeLog | 8 ++++++++
|
||||
src/psaux/psobjs.c | 8 ++++++++
|
||||
2 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
|
||||
index d18e821a..0baf8368 100644
|
||||
--- a/src/psaux/psobjs.c
|
||||
+++ b/src/psaux/psobjs.c
|
||||
@@ -1718,6 +1718,14 @@
|
||||
first = outline->n_contours <= 1
|
||||
? 0 : outline->contours[outline->n_contours - 2] + 1;
|
||||
|
||||
+ /* in malformed fonts it can happen that a contour was started */
|
||||
+ /* but no points were added */
|
||||
+ if ( outline->n_contours && first == outline->n_points )
|
||||
+ {
|
||||
+ outline->n_contours--;
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
/* We must not include the last point in the path if it */
|
||||
/* is located on the first point. */
|
||||
if ( outline->n_points > 1 )
|
||||
--
|
||||
2.12.2
|
||||
|
||||
Reference in a new issue