[arch-commits] Commit in lib32-freetype2/trunk (3 files)

Jan de Groot jgc at archlinux.org
Fri May 5 21:32:28 UTC 2017 

    Date: Friday, May 5, 2017 @ 21:32:27
  Author: jgc
Revision: 227181

upgpkg: lib32-freetype2 2.7.1-2

Fix CVE-2017-8105, CVE-2017-8287. https://security.archlinux.org/AVG-258

Added:
  lib32-freetype2/trunk/CVE-2017-8105.patch
  lib32-freetype2/trunk/CVE-2017-8287.patch
Modified:
  lib32-freetype2/trunk/PKGBUILD

---------------------+
 CVE-2017-8105.patch |   47 +++++++++++++++++++++++++++++++++++++++++++++++
 CVE-2017-8287.patch |   35 +++++++++++++++++++++++++++++++++++
 PKGBUILD            |   13 ++++++++++---
 3 files changed, 92 insertions(+), 3 deletions(-)

Added: CVE-2017-8105.patch
===================================================================
--- CVE-2017-8105.patch	                        (rev 0)
+++ CVE-2017-8105.patch	2017-05-05 21:32:27 UTC (rev 227181)
@@ -0,0 +1,47 @@
+From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl at gnu.org>
+Date: Fri, 24 Mar 2017 09:15:10 +0100
+Subject: [psaux] Better protect `flex' handling.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+<callothersubr>: Since there is not a single flex operator but a
+series of subroutine calls, malformed fonts can call arbitrary other
+operators after the start of a flex, possibly adding points.  For
+this reason we have to check the available number of points before
+inserting a point.
+---
+ ChangeLog            | 15 +++++++++++++++
+ src/psaux/t1decode.c |  9 +++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
+index af7b465..7dd4513 100644
+--- a/src/psaux/t1decode.c
++++ b/src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+             /* point without adding any point to the outline    */
+             idx = decoder->num_flex_vectors++;
+             if ( idx > 0 && idx < 7 )
++            {
++              /* in malformed fonts it is possible to have other */
++              /* opcodes in the middle of a flex (which don't    */
++              /* increase `num_flex_vectors'); we thus have to   */
++              /* check whether we can add a point                */
++              if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
++                goto Syntax_Error;
++
+               t1_builder_add_point( builder,
+                                     x,
+                                     y,
+                                     (FT_Byte)( idx == 3 || idx == 6 ) );
++            }
+           }
+           break;
+ 
+-- 
+cgit v1.0-41-gc330
+

Added: CVE-2017-8287.patch
===================================================================
--- CVE-2017-8287.patch	                        (rev 0)
+++ CVE-2017-8287.patch	2017-05-05 21:32:27 UTC (rev 227181)
@@ -0,0 +1,35 @@
+From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl at gnu.org>
+Date: Sun, 26 Mar 2017 08:32:09 +0200
+Subject: * src/psaux/psobjs.c (t1_builder_close_contour): Add safety guard.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
+---
+ ChangeLog          | 8 ++++++++
+ src/psaux/psobjs.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
+index d18e821..0baf836 100644
+--- a/src/psaux/psobjs.c
++++ b/src/psaux/psobjs.c
+@@ -1718,6 +1718,14 @@
+     first = outline->n_contours <= 1
+             ? 0 : outline->contours[outline->n_contours - 2] + 1;
+ 
++    /* in malformed fonts it can happen that a contour was started */
++    /* but no points were added                                    */
++    if ( outline->n_contours && first == outline->n_points )
++    {
++      outline->n_contours--;
++      return;
++    }
++
+     /* We must not include the last point in the path if it */
+     /* is located on the first point.                       */
+     if ( outline->n_points > 1 )
+-- 
+cgit v1.0-41-gc330
+

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-05-05 21:21:25 UTC (rev 227180)
+++ PKGBUILD	2017-05-05 21:32:27 UTC (rev 227181)
@@ -5,7 +5,7 @@
 _pkgbasename=freetype2
 pkgname=lib32-$_pkgbasename
 pkgver=2.7.1
-pkgrel=1
+pkgrel=2
 pkgdesc="TrueType font rendering library (32-bit)"
 arch=(x86_64)
 license=('GPL')
@@ -18,12 +18,16 @@
 source=(https://download.savannah.gnu.org/releases/freetype/freetype-${pkgver}.tar.bz2{,.sig}
         0001-Enable-table-validation-modules.patch
         0002-Enable-subpixel-rendering.patch
-        0003-Enable-infinality-subpixel-hinting.patch)
+        0003-Enable-infinality-subpixel-hinting.patch
+	CVE-2017-8105.patch
+	CVE-2017-8287.patch)
 sha1sums=('4d08a9a6567c6332d58e9a5f9a7e9e3fbce66789'
           'SKIP'
           'b31882ef5e8447e761acee1c4a44c0630cd4d465'
           'b1494810ed3aca25cdd8e8cedf634e5adfe6c09e'
-          '41d27140fd590945e22e012c9dce62de3d6f11e6')
+          '41d27140fd590945e22e012c9dce62de3d6f11e6'
+          '9ff76b0d0a079872279a62300af7806b15b6a51a'
+          '049ed3cb4471596396660896a8ccd95288001d8f')
 validpgpkeys=('58E0C111E39F5408C5D3EC76C1A60EACE707FDA5')
 
 prepare() {
@@ -34,6 +38,9 @@
   patch -Np1 -i ../0001-Enable-table-validation-modules.patch
   patch -Np1 -i ../0002-Enable-subpixel-rendering.patch
   patch -Np1 -i ../0003-Enable-infinality-subpixel-hinting.patch
+
+  patch -Np1 -i ../CVE-2017-8105.patch
+  patch -Np1 -i ../CVE-2017-8287.patch
 }
 
 build() {

More information about the arch-commits mailing list