Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: freet...@packages.debian.org
Control: affects -1 + src:freetype
[ Reason ]
FreeType 2.12.1 shipped with experimental COLRv1 support enabled. This was unintentional, as the implementation shipped in this release was incomplete and incompatible with the final COLRv1 API. Upstream's intention was to enable COLRv1 support in FreeType 2.13.0. Applications attempting to use the partial COLRv1 API in FreeType 2.12.1 will get unexpected (and incorrect) results. FreeType 2.12.1 is the only version affected.

The patch included in this stable-p-u upload effectively disables COLRv1 support by making the public methods consistently return failure instead of attempting to parse a format somewhat different from the final specification.

[ Impact ]
Applications attempting to use the partial COLRv1 API implementation in FreeType 2.12.1 will get unexpected (and incorrect) results.

[ Risks ]
The patch is trivial. Calls to the public COLRv1-related methods consistently fail, which is expected behaviour with the patch applied.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable

[ Other info ]
I realise this isn't a 'standard' special case, as described in Section 5.5.1 of the Developer's Reference [0]. For instance, the bug doesn't impact unstable, as it's not an issue in that more recent version. However, due to the significant differences in API behaviour between this partial version and the final specification, it is important to disable the partial COLRv1 support, which was never supposed to be enabled.

I'm seeking your approval to make the upload to stable-p-u.

[0] https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions
diff -Nru freetype-2.12.1+dfsg/debian/changelog freetype-2.12.1+dfsg/debian/changelog --- freetype-2.12.1+dfsg/debian/changelog 2023-04-20 21:08:03.000000000 +1000 +++ freetype-2.12.1+dfsg/debian/changelog 2023-09-22 21:48:19.000000000 +1000 @@ -1,3 +1,10 @@ +freetype (2.12.1+dfsg-5+deb12u1) bookworm; urgency=medium + + * debian/patches: Disable COLRv1 support, which was unintentionally enabled + by upstream in this version of FreeType (Closes: #1051816). + + -- Hugh McMaster <hugh.mcmas...@outlook.com> Fri, 22 Sep 2023 21:48:19 +1000 + freetype (2.12.1+dfsg-5) unstable; urgency=medium * debian/patches: Add a patch to fix CVE-2023-2004 (Closes: #1034612). diff -Nru freetype-2.12.1+dfsg/debian/patches/disable_COLRv1.patch freetype-2.12.1+dfsg/debian/patches/disable_COLRv1.patch --- freetype-2.12.1+dfsg/debian/patches/disable_COLRv1.patch 1970-01-01 10:00:00.000000000 +1000 +++ freetype-2.12.1+dfsg/debian/patches/disable_COLRv1.patch 2023-09-22 21:42:32.000000000 +1000 
@@ -0,0 +1,22 @@ +Description: Disable COLRv1 support in FreeType 2.12.1. + FreeType 2.12.1 shipped with COLRv1 support enabled. This was unintentional, + as the partial implementation shipped is incomplete and incompatible with + the final COLRv1 API. + . + Applications attempting to use this version of the COLRv1 API will get + unexpected (and incorrect) results. +Author: Hugh McMaster <hugh.mcmas...@outlook.com> +Bug-Debian: https://bugs.debian.org/1051816 +Last-Update: 2023-09-22 + +--- a/src/sfnt/sfdriver.c ++++ b/src/sfnt/sfdriver.c +@@ -1220,7 +1220,7 @@ + #define PUT_SVG_SUPPORT( a ) NULL + #endif + +-#define PUT_COLOR_LAYERS_V1( a ) PUT_COLOR_LAYERS( a ) ++#define PUT_COLOR_LAYERS_V1( a ) NULL + + #ifdef TT_CONFIG_OPTION_POSTSCRIPT_NAMES + #define PUT_PS_NAMES( a ) a diff -Nru freetype-2.12.1+dfsg/debian/patches/series freetype-2.12.1+dfsg/debian/patches/series --- freetype-2.12.1+dfsg/debian/patches/series 2023-04-20 21:08:03.000000000 +1000 +++ freetype-2.12.1+dfsg/debian/patches/series 2023-09-22 21:34:52.000000000 +1000 @@ -6,3 +6,4 @@ fix-wild-free-svg.patch hardening.patch CVE-2023-2004.patch +disable_COLRv1.patch
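Review bot: The DEP-3 header of the new disable_COLRv1.patch has no `Forwarded:` field; since upstream's resolution is to ship the completed implementation in 2.13.0 rather than to disable the partial one, `Forwarded: not-needed` would record why this Debian-only change is not sent upstream. The single changed line, `+#define PUT_COLOR_LAYERS_V1( a ) NULL`, only nulls the sfnt interface entries, so the Description's claim that applications will see consistent failure rests on every public COLRv1 entry point checking that pointer before calling through it; a sentence in the patch header stating that this was verified in the bookworm build (for example by calling the public COLRv1 functions against a COLRv1 font and confirming they fail cleanly rather than crash) would make the [ Risks ] statement traceable to the patch itself.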
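Review bot: The changelog entry for 2.12.1+dfsg-5+deb12u1 says COLRv1 support is disabled but not what that means for users of the library; adding the effect already stated in the patch Description, that the public COLRv1 functions now consistently return failure, would tell bookworm users and application maintainers what behaviour change to expect from the update.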