Your message dated Thu, 27 Apr 2023 21:38:50 +0200
with message-id <8dd0a695-32f3-4162-4ea9-c9ee0b8a9...@debian.org>
and subject line Re: Bug#1034634: unblock: freetype/2.12.1+dfsg-5
has caused the Debian Bug report #1034634,
regarding unblock: freetype/2.12.1+dfsg-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1034634: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034634
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: freet...@packages.debian.org
Control: affects -1 + src:freetype

Please unblock package freetype.

[ Reason ]
An integer overflow vulnerability was discovered in FreeType (specifically, the
tt_hvadvance_adjust() function). This is CVE-2023-2004.

[ Impact ]
FreeType 2 can crash when getting TrueType font metrics due to the overflow.

[ Tests ]
Chromium's OSS-Fuzz project regularly fuzzes the FreeType source. After the
upstream fix was applied, the vulnerability was fixed.

[ Risks ]
The patch is non-invasive and very small.

[ Checklist ]
  [ x ] all changes are documented in the d/changelog
  [ x ] I reviewed all changes and I approve them
  [ x ] attach debdiff against the package in testing

unblock freetype/2.12.1+dfsg-5
diff -Nru freetype-2.12.1+dfsg/debian/changelog 
freetype-2.12.1+dfsg/debian/changelog
--- freetype-2.12.1+dfsg/debian/changelog       2023-01-12 23:05:22.000000000 
+1100
+++ freetype-2.12.1+dfsg/debian/changelog       2023-04-20 21:08:03.000000000 
+1000
@@ -1,3 +1,10 @@
+freetype (2.12.1+dfsg-5) unstable; urgency=medium
+
+  * debian/patches: Add a patch to fix CVE-2023-2004 (Closes: #1034612).
+    - Integer overflow in tt_hvadvance_adjust().
+
+ -- Hugh McMaster <hugh.mcmas...@outlook.com>  Thu, 20 Apr 2023 21:08:03 +1000
+
 freetype (2.12.1+dfsg-4) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch 
freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch
--- freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch     1970-01-01 
10:00:00.000000000 +1000
+++ freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch     2023-04-20 
21:03:11.000000000 +1000
@@ -0,0 +1,42 @@
+Description: Prevent integer overflow in tt_hvadvance_adjust().
+ Fixes CVE-2023-2004.
+Author: Werner Lemberg <w...@gnu.org>
+Origin: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611
+Bug-Debian: https://bugs.debian.org/1034612
+Last-Update: 2023-04-30
+
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -42,6 +42,7 @@
+ #include <ft2build.h>
+ #include <freetype/internal/ftdebug.h>
+ #include FT_CONFIG_CONFIG_H
++#include <freetype/internal/ftcalc.h>
+ #include <freetype/internal/ftstream.h>
+ #include <freetype/internal/sfnt.h>
+ #include <freetype/tttags.h>
+@@ -1133,14 +1134,17 @@
+                                    outerIndex,
+                                    innerIndex );
+ 
+-    FT_TRACE5(( "%s value %d adjusted by %d unit%s (%s)\n",
+-                vertical ? "vertical height" : "horizontal width",
+-                *avalue,
+-                delta,
+-                delta == 1 ? "" : "s",
+-                vertical ? "VVAR" : "HVAR" ));
++    if ( delta )
++    {
++      FT_TRACE5(( "%s value %d adjusted by %d unit%s (%s)\n",
++                  vertical ? "vertical height" : "horizontal width",
++                  *avalue,
++                  delta,
++                  delta == 1 ? "" : "s",
++                  vertical ? "VVAR" : "HVAR" ));
+ 
+-    *avalue += delta;
++      *avalue = ADD_INT( *avalue, delta );
++    }
+ 
+   Exit:
+     return error;
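
Review bot: The Last-Update field in the DEP-3 header reads 2023-04-30, which is ten days later than both the changelog entry for this upload (Thu, 20 Apr 2023) and the timestamp of the patch file in this debdiff (2023-04-20 21:03:11). It looks like a typo for 2023-04-20 and should be corrected before the next upload. The Origin field could also take the "upstream," prefix in front of the commit URL, since the header credits the upstream author and links the upstream commit. In the ttgxvar.c change, the added include of freetype/internal/ftcalc.h and the switch from "*avalue += delta;" to "*avalue = ADD_INT( *avalue, delta );" appear to depend on each other, so keep the two inner hunks together if the patch is ever refreshed.
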
diff -Nru freetype-2.12.1+dfsg/debian/patches/series 
freetype-2.12.1+dfsg/debian/patches/series
--- freetype-2.12.1+dfsg/debian/patches/series  2023-01-12 23:05:22.000000000 
+1100
+++ freetype-2.12.1+dfsg/debian/patches/series  2023-04-20 21:02:52.000000000 
+1000
@@ -5,3 +5,4 @@
 CVE-2022-31782.patch
 fix-wild-free-svg.patch
 hardening.patch
+CVE-2023-2004.patch

--- End Message ---
--- Begin Message ---
Hi,

On 20-04-2023 13:47, Hugh McMaster wrote:
> unblock freetype/2.12.1+dfsg-5

done. Except it's currently udeb-blocked. Once RC 2 of the debian-installer is out, that block will be lifted.

Paul



--- End Message ---
