Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
This update fixes three security vulnerabilities in FreeType 2.10.4+dfsg-1.

- CVE-2022-27404: heap buffer overflow via invalid integer decrement in sfnt_init_face() and woff2_open_font().
- CVE-2022-27405: segmentation violation via ft_open_face_internal() when attempting to read the value of FT_LONG face_index.
- CVE-2022-27406: segmentation violation via FT_Request_Size() when attempting to read the value of an unguarded face size handle.

It would be ideal to get these fixes into Bullseye.
diff -Nru freetype-2.10.4+dfsg/debian/changelog freetype-2.10.4+dfsg/debian/changelog --- freetype-2.10.4+dfsg/debian/changelog 2020-12-05 19:20:58.000000000 +1100 +++ freetype-2.10.4+dfsg/debian/changelog 2022-04-28 19:54:23.000000000 +1000 @@ -1,3 +1,15 @@ +freetype (2.10.4+dfsg-1+deb11u1) bullseye; urgency=medium + + * Add upstream patches to fix multiple vulnerabilities. Closes: #1010183. + - CVE-2022-27404: heap buffer overflow via invalid integer decrement in + sfnt_init_face() and woff2_open_font(). + - CVE-2022-27405: segmentation violation via ft_open_face_internal() when + attempting to read the value of FT_LONG face_index. + - CVE-2022-27406: segmentation violation via FT_Request_Size() when + attempting to read the value of an unguarded face size handle. + + -- Hugh McMaster <hugh.mcmas...@outlook.com> Thu, 28 Apr 2022 19:54:23 +1000 + freetype (2.10.4+dfsg-1) unstable; urgency=medium * New upstream version: diff -Nru freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch --- freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch 1970-01-01 10:00:00.000000000 +1000 +++ freetype-2.10.4+dfsg/debian/patches/CVE-2022-27404.patch 2022-04-28 19:54:23.000000000 +1000 
@@ -0,0 +1,30 @@ +Description: Check `face_index` before decrementing to prevent heap buffer + overflow (CVE-2022-27404). +Author: Werner Lemberg +Origin: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db +Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138 +Bug-Debian: https://bugs.debian.org/1010183 +Last-Update: 2022-04-28 + +--- a/src/sfnt/sfobjs.c ++++ b/src/sfnt/sfobjs.c +@@ -553,7 +553,7 @@ + face_index = FT_ABS( face_instance_index ) & 0xFFFF; + + /* value -(N+1) requests information on index N */ +- if ( face_instance_index < 0 ) ++ if ( face_instance_index < 0 && face_index > 0 ) + face_index--; + + if ( face_index >= face->ttc_header.count ) +--- a/src/sfnt/sfwoff2.c ++++ b/src/sfnt/sfwoff2.c +@@ -2098,7 +2098,7 @@ + /* Validate requested face index. */ + *num_faces = woff2.num_fonts; + /* value -(N+1) requests information on index N */ +- if ( *face_instance_index < 0 ) ++ if ( *face_instance_index < 0 && face_index > 0 ) + face_index--; + + if ( face_index >= woff2.num_fonts ) diff -Nru freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch --- freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch 1970-01-01 10:00:00.000000000 +1000 +++ freetype-2.10.4+dfsg/debian/patches/CVE-2022-27405.patch 2022-04-28 19:54:23.000000000 +1000 
@@ -0,0 +1,26 @@ +Description: Properly guard `face_index` before attempting to read its value + (CVE-2022-27405). +Author: Werner Lemberg +Origin: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 +Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139 +Bug-Debian: https://bugs.debian.org/1010183 +Last-Update: 2022-04-28 + +--- a/src/base/ftobjs.c ++++ b/src/base/ftobjs.c +@@ -2407,6 +2407,15 @@ + #endif + + ++ /* only use lower 31 bits together with sign bit */ ++ if ( face_index > 0 ) ++ face_index &= 0x7FFFFFFFL; ++ else ++ { ++ face_index &= 0x7FFFFFFFL; ++ face_index = -face_index; ++ } ++ + #ifdef FT_DEBUG_LEVEL_TRACE + FT_TRACE3(( "FT_Open_Face: " )); + if ( face_index < 0 ) diff -Nru freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch --- freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch 1970-01-01 10:00:00.000000000 +1000 +++ freetype-2.10.4+dfsg/debian/patches/CVE-2022-27406.patch 2022-04-28 19:54:23.000000000 +1000 
@@ -0,0 +1,20 @@ +Description: Guard the `face->size` handle before attempting to read its value + (CVE-2022-27406). +Author: Werner Lemberg +Origin: https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2 +Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140 +Bug-Debian: https://bugs.debian.org/1010183 +Last-Update: 2022-04-28 + +--- a/src/base/ftobjs.c ++++ b/src/base/ftobjs.c +@@ -3273,6 +3273,9 @@ + if ( !face ) + return FT_THROW( Invalid_Face_Handle ); + ++ if ( !face->size ) ++ return FT_THROW( Invalid_Size_Handle ); ++ + if ( !req || req->width < 0 || req->height < 0 || + req->type >= FT_SIZE_REQUEST_TYPE_MAX ) + return FT_THROW( Invalid_Argument ); diff -Nru freetype-2.10.4+dfsg/debian/patches/series freetype-2.10.4+dfsg/debian/patches/series --- freetype-2.10.4+dfsg/debian/patches/series 2020-12-05 19:20:58.000000000 +1100 +++ freetype-2.10.4+dfsg/debian/patches/series 2022-04-28 19:54:23.000000000 +1000 @@ -5,3 +5,6 @@ remove-gstatic-code.patch no-web-fonts.patch hide-donations-information.patch +CVE-2022-27404.patch +CVE-2022-27405.patch +CVE-2022-27406.patch
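Review bot: the added `face_index > 0` condition in the src/sfnt/sfobjs.c hunk of CVE-2022-27404.patch is the right fix: `face_index` comes from `FT_ABS( face_instance_index ) & 0xFFFF`, so it can be 0, and decrementing it to a signed -1 would slip past the `face_index >= face->ttc_header.count` bounds check that follows. Note the behavioural side effect worth a line in the patch description: a negative `face_instance_index` whose low 16 bits are zero is now treated as a request for index 0 rather than being rejected outright; the bounds check right after still applies, so this is safe, just not strict. The same reasoning covers the matching src/sfnt/sfwoff2.c hunk, whose guard is identical and is followed by `face_index >= woff2.num_fonts`.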
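Review bot: in the src/base/ftobjs.c hunk of CVE-2022-27405.patch, the `else` branch applies `face_index &= 0x7FFFFFFFL` to the two's-complement bit pattern of a negative value and only then negates, so a request such as -1 (which under the -(N+1) convention documented in the sfnt hunks means "information on index 0") becomes -0x7FFFFFFF instead of keeping its magnitude. To match the comment "only use lower 31 bits together with sign bit", negate first, mask, then negate again:
`face_index = -face_index; face_index &= 0x7FFFFFFFL; face_index = -face_index;`
Since this is a cherry-pick of an upstream commit, check whether upstream carries a follow-up correction for this and include it in the same upload. The `else` branch also catches `face_index == 0`, which is harmless because negating 0 yields 0.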
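Review bot: the new `if ( !face->size )` check in the src/base/ftobjs.c hunk of CVE-2022-27406.patch is correctly placed after the `!face` test, since it dereferences `face`, and before the `req` validation, so a NULL size handle is now rejected with `Invalid_Size_Handle` in the same style as the `Invalid_Face_Handle` return just above it. Nothing further needed on this hunk.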