Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: freet...@packages.debian.org
Control: affects -1 + src:freetype
Please unblock package freetype.

[ Reason ]
An integer overflow vulnerability was discovered in FreeType (specifically, the tt_hvadvance_adjust() function). This is CVE-2023-2004.

[ Impact ]
FreeType 2 can crash when getting TrueType font metrics due to the overflow.

[ Tests ]
Chromium's OSS-Fuzz project regularly fuzzes the FreeType source. After the upstream fix was applied, the vulnerability was fixed.

[ Risks ]
The patch is non-invasive and very small.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock freetype/2.12.1+dfsg-5
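The following is an added illustration, not FreeType's code and not the patch below: it shows why the unguarded signed addition at the heart of CVE-2023-2004 is an undefined-behaviour hazard, and two defensive ways to write the same adjustment. The first mirrors the unsigned-arithmetic style of the ADD_INT macro the upstream fix switches to (my reading of ftcalc.h; treat that as an assumption); the second checks the range up front and clamps, which is a design choice for this example rather than what FreeType does. Function names (add_int_wrapping, add_int_checked, adjust_advance) and the sample values are constructed for the example.

```c
/* Added example (not FreeType's code): the hazard behind CVE-2023-2004
 * is a plain signed addition, "*avalue += delta", where both operands
 * come from font data.  Signed overflow is undefined behaviour in C, so
 * the result is whatever the compiler decides, and it is what a
 * sanitizer-instrumented fuzz target reports.  Two defensive patterns
 * follow.  All function names here are assumptions for this example. */
#include <limits.h>
#include <stdio.h>

/* Pattern 1: do the arithmetic in unsigned, where wraparound is defined,
 * then convert back.  This mirrors the ADD_INT style the patch adopts
 * (assumption: ADD_INT in ftcalc.h is written this way).  Converting an
 * out-of-range unsigned value to int is implementation-defined, not
 * undefined, and gives two's-complement wrap on mainstream targets. */
static int add_int_wrapping(int a, int b)
{
    return (int)((unsigned int)a + (unsigned int)b);
}

/* Pattern 2: detect overflow before it happens and let the caller decide.
 * Returns 1 and stores the sum in *out (if out is non-NULL) when a + b
 * fits in an int; otherwise returns 0 and leaves *out untouched. */
static int add_int_checked(int a, int b, int *out)
{
    if (b > 0 && a > INT_MAX - b)
        return 0;                       /* would exceed INT_MAX */
    if (b < 0 && a < INT_MIN - b)
        return 0;                       /* would go below INT_MIN */
    if (out)
        *out = a + b;
    return 1;
}

/* A metric-adjust routine in the shape of the fixed function: a zero
 * delta is skipped entirely (as the patch does), and on overflow the
 * advance is clamped to the int range instead of wrapping.  Clamping is
 * this example's choice; the upstream fix uses the wrapping form. */
static int adjust_advance(int avalue, int delta)
{
    int adjusted;

    if (delta == 0)
        return avalue;                  /* nothing to adjust, nothing to trace */

    if (!add_int_checked(avalue, delta, &adjusted))
        adjusted = (delta > 0) ? INT_MAX : INT_MIN;

    return adjusted;
}

int main(void)
{
    /* Constructed values: an advance near INT_MAX plus a positive HVAR
     * delta is exactly the shape of input a fuzzer turns up. */
    int near_max = INT_MAX - 2;
    int sum = 0;

    printf("wrapping: %d\n", add_int_wrapping(near_max, 5));
    printf("checked : %s\n",
           add_int_checked(near_max, 5, &sum) ? "ok" : "overflow");
    printf("clamped : %d\n", adjust_advance(near_max, 5));
    printf("normal  : %d\n", adjust_advance(1000, -37));
    return 0;
}
```

Compile with `-fsanitize=undefined` and replace add_int_wrapping with a plain `a + b` to see the report the original code triggers; the two patterns above stay silent under the same inputs.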
diff -Nru freetype-2.12.1+dfsg/debian/changelog freetype-2.12.1+dfsg/debian/changelog --- freetype-2.12.1+dfsg/debian/changelog 2023-01-12 23:05:22.000000000 +1100 +++ freetype-2.12.1+dfsg/debian/changelog 2023-04-20 21:08:03.000000000 +1000 @@ -1,3 +1,10 @@ +freetype (2.12.1+dfsg-5) unstable; urgency=medium + + * debian/patches: Add a patch to fix CVE-2023-2004 (Closes: #1034612). + - Integer overflow in tt_hvadvance_adjust(). + + -- Hugh McMaster <hugh.mcmas...@outlook.com> Thu, 20 Apr 2023 21:08:03 +1000 + freetype (2.12.1+dfsg-4) unstable; urgency=medium [ Debian Janitor ] diff -Nru freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch --- freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch 1970-01-01 10:00:00.000000000 +1000 +++ freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch 2023-04-20 21:03:11.000000000 +1000 
@@ -0,0 +1,42 @@ +Description: Prevent integer overflow in tt_hvadvance_adjust(). + Fixes CVE-2023-2004. +Author: Werner Lemberg <w...@gnu.org> +Origin: https://gitlab.freedesktop.org/freetype/freetype/-/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611 +Bug-Debian: https://bugs.debian.org/1034612 +Last-Update: 2023-04-30 + +--- a/src/truetype/ttgxvar.c ++++ b/src/truetype/ttgxvar.c +@@ -42,6 +42,7 @@ + #include <ft2build.h> + #include <freetype/internal/ftdebug.h> + #include FT_CONFIG_CONFIG_H ++#include <freetype/internal/ftcalc.h> + #include <freetype/internal/ftstream.h> + #include <freetype/internal/sfnt.h> + #include <freetype/tttags.h> +@@ -1133,14 +1134,17 @@ + outerIndex, + innerIndex ); + +- FT_TRACE5(( "%s value %d adjusted by %d unit%s (%s)\n", +- vertical ? "vertical height" : "horizontal width", +- *avalue, +- delta, +- delta == 1 ? "" : "s", +- vertical ? "VVAR" : "HVAR" )); ++ if ( delta ) ++ { ++ FT_TRACE5(( "%s value %d adjusted by %d unit%s (%s)\n", ++ vertical ? "vertical height" : "horizontal width", ++ *avalue, ++ delta, ++ delta == 1 ? "" : "s", ++ vertical ? "VVAR" : "HVAR" )); + +- *avalue += delta; ++ *avalue = ADD_INT( *avalue, delta ); ++ } + + Exit: + return error; diff -Nru freetype-2.12.1+dfsg/debian/patches/series freetype-2.12.1+dfsg/debian/patches/series --- freetype-2.12.1+dfsg/debian/patches/series 2023-01-12 23:05:22.000000000 +1100 +++ freetype-2.12.1+dfsg/debian/patches/series 2023-04-20 21:02:52.000000000 +1000 @@ -5,3 +5,4 @@ CVE-2022-31782.patch fix-wild-free-svg.patch hardening.patch +CVE-2023-2004.patch
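Review bot: the DEP-3 header in debian/patches/CVE-2023-2004.patch says `Last-Update: 2023-04-30`, which is ten days after the changelog entry (Thu, 20 Apr 2023) and the file timestamps in this debdiff (2023-04-20); that looks like a typo for 2023-04-20 and should be corrected so the patch metadata agrees with the upload. The code hunk itself reads as a faithful copy of the cited upstream commit: the new `#include <freetype/internal/ftcalc.h>` supplies `ADD_INT`, and moving both the `FT_TRACE5` call and the addition under `if ( delta )` means a zero delta now neither logs nor touches `*avalue`, which leaves the computed metric unchanged for that case. The series and changelog hunks are consistent with each other and with the patch file name.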