Date: Friday, May 5, 2017 @ 21:29:09 Author: jgc Revision: 295344 upgpkg: freetype2 2.7.1-2
Fix CVE-2017-8105, CVE-2017-8287. https://security.archlinux.org/AVG-257 Added: freetype2/trunk/CVE-2017-8105.patch freetype2/trunk/CVE-2017-8287.patch Modified: freetype2/trunk/PKGBUILD ---------------------+ CVE-2017-8105.patch | 47 +++++++++++++++++++++++++++++++++++++++++++++++ CVE-2017-8287.patch | 35 +++++++++++++++++++++++++++++++++++ PKGBUILD | 9 ++++++++- 3 files changed, 90 insertions(+), 1 deletion(-) Added: CVE-2017-8105.patch =================================================================== --- CVE-2017-8105.patch (rev 0) +++ CVE-2017-8105.patch 2017-05-05 21:29:09 UTC (rev 295344) @@ -0,0 +1,47 @@ +From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <w...@gnu.org> +Date: Fri, 24 Mar 2017 09:15:10 +0100 +Subject: [psaux] Better protect `flex' handling. + +Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 + +* src/psaux/t1decode.c (t1_decoder_parse_charstrings) +<callothersubr>: Since there is not a single flex operator but a +series of subroutine calls, malformed fonts can call arbitrary other +operators after the start of a flex, possibly adding points. For +this reason we have to check the available number of points before +inserting a point. +--- + ChangeLog | 15 +++++++++++++++ + src/psaux/t1decode.c | 9 +++++++++ + 2 files changed, 24 insertions(+) + +diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c +index af7b465..7dd4513 100644 +--- a/src/psaux/t1decode.c ++++ b/src/psaux/t1decode.c +@@ -780,10 +780,19 @@ + /* point without adding any point to the outline */ + idx = decoder->num_flex_vectors++; + if ( idx > 0 && idx < 7 ) ++ { ++ /* in malformed fonts it is possible to have other */ ++ /* opcodes in the middle of a flex (which don't */ ++ /* increase `num_flex_vectors'); we thus have to */ ++ /* check whether we can add a point */ ++ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) ) ++ goto Syntax_Error; ++ + t1_builder_add_point( builder, + x, + y, + (FT_Byte)( idx == 3 || idx == 6 ) ); ++ } + } + break; + +-- +cgit v1.0-41-gc330 + Added: CVE-2017-8287.patch =================================================================== --- CVE-2017-8287.patch (rev 0) +++ CVE-2017-8287.patch 2017-05-05 21:29:09 UTC (rev 295344) @@ -0,0 +1,35 @@ +From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <w...@gnu.org> +Date: Sun, 26 Mar 2017 08:32:09 +0200 +Subject: * src/psaux/psobjs.c (t1_builder_close_contour): Add safety guard. + +Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941 +--- + ChangeLog | 8 ++++++++ + src/psaux/psobjs.c | 8 ++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c +index d18e821..0baf836 100644 +--- a/src/psaux/psobjs.c ++++ b/src/psaux/psobjs.c +@@ -1718,6 +1718,14 @@ + first = outline->n_contours <= 1 + ? 0 : outline->contours[outline->n_contours - 2] + 1; + ++ /* in malformed fonts it can happen that a contour was started */ ++ /* but no points were added */ ++ if ( outline->n_contours && first == outline->n_points ) ++ { ++ outline->n_contours--; ++ return; ++ } ++ + /* We must not include the last point in the path if it */ + /* is located on the first point. */ + if ( outline->n_points > 1 ) +-- +cgit v1.0-41-gc330 + Modified: PKGBUILD =================================================================== --- PKGBUILD 2017-05-05 21:03:52 UTC (rev 295343) +++ PKGBUILD 2017-05-05 21:29:09 UTC (rev 295344) @@ -4,7 +4,7 @@ pkgbase=freetype2 pkgname=('freetype2' 'freetype2-demos') pkgver=2.7.1 -pkgrel=1 +pkgrel=2 arch=(i686 x86_64) license=('GPL') url="http://www.freetype.org/" @@ -18,6 +18,8 @@ 0002-Enable-subpixel-rendering.patch 0003-Enable-infinality-subpixel-hinting.patch 0005-freetype-2.5.2-more-demos.patch + CVE-2017-8105.patch + CVE-2017-8287.patch freetype2.sh) sha1sums=('4d08a9a6567c6332d58e9a5f9a7e9e3fbce66789' 'SKIP' @@ -29,6 +31,8 @@ 'b1494810ed3aca25cdd8e8cedf634e5adfe6c09e' '41d27140fd590945e22e012c9dce62de3d6f11e6' '72cfecbe738085eec475e012617661ad0cc9b76f' + '9ff76b0d0a079872279a62300af7806b15b6a51a' + '049ed3cb4471596396660896a8ccd95288001d8f' 'bc6df1661c4c33e20f5ce30c2da8ad3c2083665f') validpgpkeys=('58E0C111E39F5408C5D3EC76C1A60EACE707FDA5') @@ -41,6 +45,9 @@ patch -Np1 -i ../0002-Enable-subpixel-rendering.patch patch -Np1 -i ../0003-Enable-infinality-subpixel-hinting.patch + patch -Np1 -i ../CVE-2017-8105.patch + patch -Np1 -i ../CVE-2017-8287.patch + cd ../ft2demos-${pkgver} # enable more demos patch -Np1 -i ../0005-freetype-2.5.2-more-demos.patch