Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: freet...@packages.debian.org
Control: affects -1 + src:freetype

[ Reason ]
FreeType 2.12.1 shipped with experimental COLRv1 support enabled. This was
unintentional, as the implementation shipped in this release was incomplete and
incompatible with the final COLRv1 API.

Upstream's intention was to enable COLRv1 support in FreeType 2.13.0.

Applications attempting to use the partial COLRv1 API in FreeType 2.12.1 will
get unexpected (and incorrect) results.

FreeType 2.12.1 is the only version affected.

The patch included in this stable-p-u upload effectively disables COLRv1
support by making the public COLRv1 functions consistently return failure
instead of attempting to parse a format that differs from the final
specification.

[ Impact ]
Applications attempting to use the partial COLRv1 API implementation in
FreeType 2.12.1 will get unexpected (and incorrect) results.

[ Risks ]
The patch is trivial. Calls to the public COLRv1-related methods consistently
fail, which is expected behaviour with the patch applied.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Other info ]
I realise this isn't a 'standard' special case, as described in Section 5.5.1
of the Developer's Reference [0]. For instance, the bug doesn't impact
unstable, as it's not an issue in that more recent version. However, due to the
significant differences in API behaviour between this partial version and the
final specification, it is important to disable the partial COLRv1 support,
which was never supposed to be enabled.

I'm seeking your approval to make the upload to stable-p-u.

[0] https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions
diff -Nru freetype-2.12.1+dfsg/debian/changelog 
freetype-2.12.1+dfsg/debian/changelog
--- freetype-2.12.1+dfsg/debian/changelog       2023-04-20 21:08:03.000000000 
+1000
+++ freetype-2.12.1+dfsg/debian/changelog       2023-09-22 21:48:19.000000000 
+1000
@@ -1,3 +1,10 @@
+freetype (2.12.1+dfsg-5+deb12u1) bookworm; urgency=medium
+
+  * debian/patches: Disable COLRv1 support, which was unintentionally enabled
+    by upstream in this version of FreeType (Closes: #1051816). 
+
+ -- Hugh McMaster <hugh.mcmas...@outlook.com>  Fri, 22 Sep 2023 21:48:19 +1000
+
 freetype (2.12.1+dfsg-5) unstable; urgency=medium
 
   * debian/patches: Add a patch to fix CVE-2023-2004 (Closes: #1034612).
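Review bot: the added changelog line `(Closes: #1051816). ` carries trailing whitespace after the full stop; trim it before upload. The entry could also say what the patch does in practice, matching the cover letter, namely that the public COLRv1 calls now consistently fail instead of parsing the pre-final format.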
diff -Nru freetype-2.12.1+dfsg/debian/patches/disable_COLRv1.patch 
freetype-2.12.1+dfsg/debian/patches/disable_COLRv1.patch
--- freetype-2.12.1+dfsg/debian/patches/disable_COLRv1.patch    1970-01-01 
10:00:00.000000000 +1000
+++ freetype-2.12.1+dfsg/debian/patches/disable_COLRv1.patch    2023-09-22 
21:42:32.000000000 +1000
@@ -0,0 +1,22 @@
+Description: Disable COLRv1 support in FreeType 2.12.1.
+ FreeType 2.12.1 shipped with COLRv1 support enabled. This was unintentional,
+ as the partial implementation shipped is incomplete and incompatible with
+ the final COLRv1 API.
+ .
+ Applications attempting to use this version of the COLRv1 API will get
+ unexpected (and incorrect) results.
+Author: Hugh McMaster <hugh.mcmas...@outlook.com>
+Bug-Debian: https://bugs.debian.org/1051816
+Last-Update: 2023-09-22
+
+--- a/src/sfnt/sfdriver.c
++++ b/src/sfnt/sfdriver.c
+@@ -1220,7 +1220,7 @@
+ #define PUT_SVG_SUPPORT( a )  NULL
+ #endif
+ 
+-#define PUT_COLOR_LAYERS_V1( a )  PUT_COLOR_LAYERS( a )
++#define PUT_COLOR_LAYERS_V1( a )  NULL
+ 
+ #ifdef TT_CONFIG_OPTION_POSTSCRIPT_NAMES
+ #define PUT_PS_NAMES( a )  a
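Review bot: the DEP-3 header has no `Forwarded:` field; since the change is specific to the 2.12.1 release and upstream intends to enable COLRv1 properly in 2.13.0, `Forwarded: not-needed` with that reason would record why it should not be sent upstream. The Description also only restates the pre-patch problem; add a sentence giving the post-patch behaviour from the cover letter, i.e. that with `PUT_COLOR_LAYERS_V1( a )` expanded to `NULL` the V1 entries are absent from the sfnt driver interface, so the public COLRv1 functions consistently return failure. It is also worth checking and stating whether any COLR table parsing still runs at face-load time, because the cover letter says the patch stops FreeType "attempting to parse" the format while this hunk only removes the interface entries.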
diff -Nru freetype-2.12.1+dfsg/debian/patches/series 
freetype-2.12.1+dfsg/debian/patches/series
--- freetype-2.12.1+dfsg/debian/patches/series  2023-04-20 21:08:03.000000000 
+1000
+++ freetype-2.12.1+dfsg/debian/patches/series  2023-09-22 21:34:52.000000000 
+1000
@@ -6,3 +6,4 @@
 fix-wild-free-svg.patch
 hardening.patch
 CVE-2023-2004.patch
+disable_COLRv1.patch
