commit 646398f62640bf38aaa6016178eddc3690f64a0f Author: Marek Kasik <mka...@redhat.com> Date: Mon Oct 4 15:34:50 2010 +0200
Security bugfixes Add freetype-2.3.11-CVE-2010-2805.patch (Fix comparison.) Add freetype-2.3.11-CVE-2010-2806.patch (Protect against negative string_size. Fix comparison.) Add freetype-2.3.11-CVE-2010-2808.patch (Check the total length of collected POST segments.) Add freetype-2.3.11-CVE-2010-3311.patch (Don't seek behind end of stream.) Resolves: #638522 freetype-2.3.11-CVE-2010-2805.patch | 11 +++++++++ freetype-2.3.11-CVE-2010-2806.patch | 41 +++++++++++++++++++++++++++++++++++ freetype-2.3.11-CVE-2010-2808.patch | 21 ++++++++++++++++++ freetype-2.3.11-CVE-2010-3311.patch | 37 +++++++++++++++++++++++++++++++ freetype.spec | 21 +++++++++++++++++- 5 files changed, 130 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.3.11-CVE-2010-2805.patch b/freetype-2.3.11-CVE-2010-2805.patch
new file mode 100644
index 0000000..74ff6be
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2805.patch
@@ -0,0 +1,11 @@
+--- freetype-2.3.11/src/base/ftstream.c 2009-08-03 19:51:40.000000000 +0200
++++ freetype-2.3.11/src/base/ftstream.c 2010-09-30 13:46:08.000000000 +0200
+@@ -275,7 +275,7 @@
+ {
+ /* check current and new position */
+ if ( stream->pos >= stream->size ||
+- stream->pos + count > stream->size )
++ stream->size - stream->pos < count )
+ {
+ FT_ERROR(( "FT_Stream_EnterFrame:"
+ " invalid i/o; pos = 0x%lx, count = %lu, size = 0x%lx\n",
diff --git a/freetype-2.3.11-CVE-2010-2806.patch b/freetype-2.3.11-CVE-2010-2806.patch
new file mode 100644
index 0000000..564d6d3
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2806.patch
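Review bot: The rewritten operand `stream->size - stream->pos < count` is only safe because the preceding `stream->pos >= stream->size` test in the same `||` short-circuits first; if a later edit reorders or merges the two tests, the subtraction wraps for a `pos` beyond `size` (the fields are presumably unsigned, given the `%lx`/`%lu` formats in the FT_ERROR call) and the frame check silently passes. That ordering dependency is worth a comment on the new line, e.g. `/* pos < size is established above, so the subtraction cannot wrap; written this way to avoid overflow in pos + count */`. The body of FT_Stream_EnterFrame starts and ends outside the hunk.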
@@ -0,0 +1,41 @@
+--- freetype-2.3.11/src/type42/t42parse.c 2009-07-03 15:28:24.000000000 +0200
++++ freetype-2.3.11/src/type42/t42parse.c 2010-09-23 12:15:56.000000000 +0200
+@@ -4,7 +4,7 @@
+ /* */
+ /* Type 42 font parser (body). */
+ /* */
+-/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
++/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
+ /* Roberto Alameda. */
+ /* */
+ /* This file is part of the FreeType project, and may only be used, */
+@@ -575,6 +575,12 @@
+ }
+ 
+ string_size = T1_ToInt( parser );
++ if ( string_size < 0 )
++ {
++ FT_ERROR(( "t42_parse_sfnts: invalid string size\n" ));
++ error = T42_Err_Invalid_File_Format;
++ goto Fail;
++ }
+ 
+ T1_Skip_PS_Token( parser ); /* `RD' */
+ if ( parser->root.error )
+@@ -582,13 +588,14 @@
+ 
+ string_buf = parser->root.cursor + 1; /* one space after `RD' */
+ 
+- parser->root.cursor += string_size + 1;
+- if ( parser->root.cursor >= limit )
++ if ( limit - parser->root.cursor < string_size )
+ {
+ FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ error = T42_Err_Invalid_File_Format;
+ goto Fail;
+ }
++ else
++ parser->root.cursor += string_size + 1;
+ }
+ 
+ if ( !string_buf )
diff --git a/freetype-2.3.11-CVE-2010-2808.patch b/freetype-2.3.11-CVE-2010-2808.patch
new file mode 100644
index 0000000..a68a06f
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2808.patch
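Review bot: The new bound `if ( limit - parser->root.cursor < string_size )` is off by one relative to the data that is consumed: `string_buf` is set to `parser->root.cursor + 1` two lines above, so `string_size` bytes from there end at `cursor + 1 + string_size`, which equals `limit + 1` when `limit - cursor == string_size`, and the `else` branch then advances the cursor to `limit + 1` as well. Assuming `limit` is the one-past-the-end pointer of the parser buffer (its definition is outside the hunk), the check should reject equality too: `if ( limit - parser->root.cursor <= string_size )`. The `string_size < 0` guard added in the previous hunk is what makes this signed comparison against a pointer difference meaningful, so the two checks belong together. t42_parse_sfnts begins and ends outside the hunk.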
@@ -0,0 +1,21 @@
+--- freetype-2.3.11/src/base/ftobjs.c 2010-09-30 13:58:50.000000000 +0200
++++ freetype-2.3.11/src/base/ftobjs.c 2010-09-30 13:59:31.000000000 +0200
+@@ -1529,6 +1529,7 @@
+ FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+ i, offsets[i], rlen, flags ));
+ 
++ /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
+ if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */
+ continue;
+ 
+@@ -1568,6 +1569,10 @@
+ pfb_data[pfb_pos++] = 0;
+ }
+ 
++ error = FT_Err_Cannot_Open_Resource;
++ if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
++ goto Exit2;
++
+ error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
+ if ( error )
+ goto Exit2;
diff --git a/freetype-2.3.11-CVE-2010-3311.patch b/freetype-2.3.11-CVE-2010-3311.patch
new file mode 100644
index 0000000..3645591
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-3311.patch
@@ -0,0 +1,37 @@
+--- freetype-2.3.11/src/base/ftstream.c 2010-09-30 14:12:38.000000000 +0200
++++ freetype-2.3.11/src/base/ftstream.c 2010-09-30 14:12:59.000000000 +0200
+@@ -59,8 +59,17 @@
+ {
+ FT_Error error = FT_Err_Ok;
+ 
++ /* note that seeking to the first position after the file is valid */
++ if ( pos > stream->size )
++ {
++ FT_ERROR(( "FT_Stream_Seek:"
++ " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
++ pos, stream->size ));
+ 
+- if ( stream->read )
++ error = FT_Err_Invalid_Stream_Operation;
++ }
++
++ if ( !error && stream->read )
+ {
+ if ( stream->read( stream, pos, 0, 0 ) )
+ {
+@@ -71,15 +80,6 @@
+ error = FT_Err_Invalid_Stream_Operation;
+ }
+ }
+- /* note that seeking to the first position after the file is valid */
+- else if ( pos > stream->size )
+- {
+- FT_ERROR(( "FT_Stream_Seek:"
+- " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
+- pos, stream->size ));
+-
+- error = FT_Err_Invalid_Stream_Operation;
+- }
+ 
+ if ( !error )
+ stream->pos = pos;
diff --git a/freetype.spec b/freetype.spec
index 6c2603f..e128f67 100644
--- a/freetype.spec
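Review bot: The added guard `if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )` still forms the sum `pfb_pos + rlen` with `rlen` taken from the resource data (it is the value traced as `rlen=0x%08x` in the first hunk), so a sufficiently large `rlen` can wrap the addition and get past the check before being handed to FT_Stream_Read. The first operand already guarantees `pfb_pos <= pfb_len`, so the subtraction form that the CVE-2010-2805 patch uses for streams applies here as well: `if ( pfb_pos > pfb_len || rlen > pfb_len - pfb_pos )`. Whether the declared types are wide enough for the sum to be safe cannot be confirmed from the hunk, so this is worth checking against the declarations of `rlen` and `pfb_len`. The enclosing function starts and ends outside the hunk.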
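Review bot: The reason the `pos > stream->size` test in freetype-2.3.11-CVE-2010-3311.patch now runs before `stream->read` is consulted is not recorded in the code; the removed `else if` in the second hunk only covered streams without a read callback, while the new `if ( !error && stream->read )` makes custom read callbacks subject to the same bound. A short comment above the new check would preserve that intent, e.g. `/* validate pos before delegating to stream->read so callback-backed streams get the same bound as memory streams */`. The existing "first position after the file is valid" comment stays accurate because the test is `>` rather than `>=`. FT_Stream_Seek's signature and its return lie outside the hunk.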
+++ b/freetype.spec @@ -9,7 +9,7 @@ Summary: A free and portable font rendering engine Name: freetype Version: 2.3.11 -Release: 5%{?dist} +Release: 6%{?dist} License: FTL or GPLv2+ Group: System Environment/Libraries URL: http://www.freetype.org @@ -38,6 +38,10 @@ Patch93: freetype-2.3.11-CVE-2010-2520.patch Patch94: freetype-2.3.11-CVE-2010-2527.patch Patch95: freetype-2.3.11-CVE-2010-2541.patch Patch96: freetype-2.3.11-CVE-2010-1797.patch +Patch97: freetype-2.3.11-CVE-2010-2805.patch +Patch98: freetype-2.3.11-CVE-2010-2806.patch +Patch99: freetype-2.3.11-CVE-2010-2808.patch +Patch100: freetype-2.3.11-CVE-2010-3311.patch Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n) @@ -114,6 +118,10 @@ popd %patch94 -p1 -b .CVE-2010-2527 %patch95 -p1 -b .CVE-2010-2541 %patch96 -p1 -b .CVE-2010-1797 +%patch97 -p1 -b .CVE-2010-2805 +%patch98 -p1 -b .CVE-2010-2806 +%patch99 -p1 -b .CVE-2010-2808 +%patch100 -p1 -b .CVE-2010-3311 %build @@ -246,6 +254,17 @@ rm -rf $RPM_BUILD_ROOT %doc docs/tutorial %changelog +* Mon Oct 4 2010 Marek Kasik <mka...@redhat.com> 2.3.11-6 +- Add freetype-2.3.11-CVE-2010-2805.patch + (Fix comparison.) +- Add freetype-2.3.11-CVE-2010-2806.patch + (Protect against negative string_size. Fix comparison.) +- Add freetype-2.3.11-CVE-2010-2808.patch + (Check the total length of collected POST segments.) +- Add freetype-2.3.11-CVE-2010-3311.patch + (Don't seek behind end of stream.) +- Resolves: #638522 + * Mon Oct 4 2010 Marek Kasik <mka...@redhat.com> 2.3.11-5 - Add freetype-2.3.11-CVE-2010-1797.patch (Check stack after execution of operations too. _______________________________________________ fonts-bugs mailing list fonts-bugs@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/fonts-bugs http://fonts.fedoraproject.org/