On Wed, May 30, 2007 at 01:10:44PM -0700, Kees Cook wrote:
> Package: freetype
> Version: 2.2.1-6
> Severity: important
> Tags: patch, security
>
> As I understand it, freetype was impacted by CVE-2007-1351 as well as
> libxfont (which was updated). Attached is the patch for fixing bdf
> overflows in freetype.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
> http://packages.debian.org/changelogs/pool/main/libx/libxfont/current/changelog

I've prepared a freetype 2.2.1-5+etch2 package which addresses this security bug, and uploaded it to <http://people.debian.org/~vorlon/freetype/>.

Security Team, please advise whether I should upload this to security.d.o. AIUI, uploading this package should not interfere with the pending oldstable security update for the previous security hole.

The diff for the etch upload, taken from upstream, is attached to this mail.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
diff -u freetype-2.2.1/debian/patches-freetype/series freetype-2.2.1/debian/patches-freetype/series --- freetype-2.2.1/debian/patches-freetype/series +++ freetype-2.2.1/debian/patches-freetype/series @@ -8,0 +9 @@ +CVE-2007-1351_bdf-overflow -p0 diff -u freetype-2.2.1/debian/changelog freetype-2.2.1/debian/changelog --- freetype-2.2.1/debian/changelog +++ freetype-2.2.1/debian/changelog @@ -1,3 +1,11 @@ +freetype (2.2.1-5+etch2) stable-security; urgency=high + + * debian/patches-freetype/CVE-2007-1351_pdf-overflow: address + CVE-2007-1351, an integer overflow bug in the handling of BDF fonts. + Closes: #426771. + + -- Steve Langasek <[EMAIL PROTECTED]> Mon, 09 Jul 2007 17:21:11 -0700 + freetype (2.2.1-5+etch1) stable-security; urgency=high * debian/patches-freetype/CVE-2007-2754_ttgfload: address CVE-2007-2754, only in patch2: unchanged: --- freetype-2.2.1.orig/debian/patches-freetype/CVE-2007-1351_bdf-overflow +++ freetype-2.2.1/debian/patches-freetype/CVE-2007-1351_bdf-overflow 
@@ -0,0 +1,59 @@ +Index: src/bdf/bdflib.c +=================================================================== +RCS file: /sources/freetype/freetype2/src/bdf/bdflib.c,v +retrieving revision 1.33 +retrieving revision 1.34 +diff -u -w -r1.33 -r1.34 +--- src/bdf/bdflib.c 12 Feb 2007 21:44:09 -0000 1.33 ++++ src/bdf/bdflib.c 28 Mar 2007 07:17:17 -0000 1.34 +@@ -385,8 +385,10 @@ + } _bdf_parse_t; + + +-#define setsbit( m, cc ) ( m[(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) ) +-#define sbitset( m, cc ) ( m[(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) ) ++#define setsbit( m, cc ) \ ++ ( m[(FT_Byte)(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) ) ++#define sbitset( m, cc ) \ ++ ( m[(FT_Byte)(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) ) + + + static void +@@ -1130,7 +1132,7 @@ + bdf_options_t* opts ) + { + unsigned long len; +- char name[128]; ++ char name[256]; + _bdf_list_t list; + FT_Memory memory; + FT_Error error = BDF_Err_Ok; +@@ -1149,6 +1151,13 @@ + font->spacing = opts->font_spacing; + + len = (unsigned long)( ft_strlen( font->name ) + 1 ); ++ /* Limit ourselves to 256 characters in the font name. */ ++ if ( len >= 256 ) ++ { ++ error = BDF_Err_Invalid_Argument; ++ goto Exit; ++ } ++ + FT_MEM_COPY( name, font->name, len ); + + error = _bdf_list_split( &list, (char *)"-", name, len ); +@@ -1467,6 +1476,14 @@ + if ( p->cnt == 0 ) + font->glyphs_size = 64; + ++ /* Limit ourselves to 1,114,112 glyphs in the font (this is the */ ++ /* number of code points available in Unicode). */ ++ if ( p->cnt >= 1114112UL ) ++ { ++ error = BDF_Err_Invalid_Argument; ++ goto Exit; ++ } ++ + if ( FT_NEW_ARRAY( font->glyphs, font->glyphs_size ) ) + goto Exit; +
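Review bot: the debian/changelog hunk names the patch `debian/patches-freetype/CVE-2007-1351_pdf-overflow`, but the series hunk and the new patch file are both `CVE-2007-1351_bdf-overflow`; change the changelog entry to `bdf-overflow` so it matches the file that actually ships, since the changelog is what the security advisory and anyone auditing the upload will read.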
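Review bot: in the `setsbit`/`sbitset` hunk at `@@ -385`, the added `(FT_Byte)(cc)` cast keeps the byte index inside the 32-byte mask for any value of `cc`, but it does so by truncating an out-of-range code rather than rejecting it, so a code above 255 silently aliases to a lower bit; that is acceptable for a seen-bit mask, but a one-line comment saying the truncation is intentional would save the next reader from wondering whether a range check was forgotten. The bit position `( (cc) & 7 )` is still taken from the uncast `cc`, which is consistent because the low three bits are unchanged by the cast.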
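Review bot: the enlarged `char name[256];` at `@@ -1130` and the new guard `if ( len >= 256 )` at `@@ -1149` encode one limit as two separate literals; write the guard as `if ( len >= sizeof ( name ) )` (or a shared constant) so the buffer size and the check cannot drift apart in a later edit. The comment also says "Limit ourselves to 256 characters in the font name", but since `len` is `ft_strlen( font->name ) + 1` the check admits at most 255 characters plus the terminator; adjust the comment to say what the comparison actually enforces.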
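Review bot: at `@@ -1467` the `p->cnt >= 1114112UL` guard sits after the `p->cnt == 0` / `font->glyphs_size = 64` branch and before `FT_NEW_ARRAY( font->glyphs, font->glyphs_size )`, so it bounds the allocation that follows, but the hunk does not show where `font->glyphs_size` is otherwise derived from `p->cnt`; confirm in the surrounding lines that `glyphs_size` cannot exceed the bound by another path, and give the literal a name (it is currently explained only in the comment) so the same glyph-count limit can be reused consistently elsewhere in the BDF parser.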