Sun Dec 19 03:47:00 2010 UTC ()
Pullup ticket #3308 - requested by drochner
security updates for freetype2
Revisions pulled up:
- pkgsrc/graphics/freetype2/Makefile 1.75-1.77
- pkgsrc/graphics/freetype2/distinfo 1.37-1.39
Files added:
- pkgsrc/graphics/freetype2/patches/patch-ab 1.14, 1.15
- pkgsrc/graphics/freetype2/patches/patch-ac 1.6
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: drochner
Date: Fri Oct 22 16:14:13 UTC 2010
Modified Files:
pkgsrc/graphics/freetype2: Makefile distinfo
Log Message:
update to 2.4.3
changes:
A rendering regression of S-shaped cubic arcs (introduced in
version 2.4.0) has been fixed. Besides that, a bunch
of fixes have been applied to improve handling of broken fonts.
To generate a diff of this commit:
cvs rdiff -u -r1.74 -r1.75 pkgsrc/graphics/freetype2/Makefile
cvs rdiff -u -r1.36 -r1.37 pkgsrc/graphics/freetype2/distinfo
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: drochner
Date: Wed Nov 3 11:56:37 UTC 2010
Modified Files:
pkgsrc/graphics/freetype2: Makefile distinfo
Added Files:
pkgsrc/graphics/freetype2/patches: patch-ab
Log Message:
add patch from upstream CVS to fix a possible buffer overflow
when processing TrueType GX fonts (SA41738), bump PKGREVISION
To generate a diff of this commit:
cvs rdiff -u -r1.75 -r1.76 pkgsrc/graphics/freetype2/Makefile
cvs rdiff -u -r1.37 -r1.38 pkgsrc/graphics/freetype2/distinfo
cvs rdiff -u -r0 -r1.14 pkgsrc/graphics/freetype2/patches/patch-ab
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: drochner
Date: Wed Nov 24 18:44:55 UTC 2010
Modified Files:
pkgsrc/graphics/freetype2: Makefile distinfo
pkgsrc/graphics/freetype2/patches: patch-ab
Added Files:
pkgsrc/graphics/freetype2/patches: patch-ac
Log Message:
add patch from upstream CVS to fix handling the "SHZ" bytecode instruction
which could be exploited to cause a crash and potentially execute
arbitrary code via a specially crafted font (CVE-2010-3814)
bump PKGREV
being here, add CVE reference to an older patch
To generate a diff of this commit:
cvs rdiff -u -r1.76 -r1.77 pkgsrc/graphics/freetype2/Makefile
cvs rdiff -u -r1.38 -r1.39 pkgsrc/graphics/freetype2/distinfo
cvs rdiff -u -r1.14 -r1.15 pkgsrc/graphics/freetype2/patches/patch-ab
cvs rdiff -u -r0 -r1.6 pkgsrc/graphics/freetype2/patches/patch-ac
(sbd)
diff -r1.74 -r1.74.2.1 pkgsrc/graphics/freetype2/Makefile
diff -r1.36 -r1.36.2.1 pkgsrc/graphics/freetype2/distinfo
diff -r0 -r1.15.2.2 pkgsrc/graphics/freetype2/patches/patch-ab
diff -r0 -r1.6.2.2 pkgsrc/graphics/freetype2/patches/patch-ac
--- pkgsrc/graphics/freetype2/Makefile 2010/08/08 16:06:02 1.74
+++ pkgsrc/graphics/freetype2/Makefile 2010/12/19 03:47:00 1.74.2.1
| @@ -1,17 +1,18 @@ | | | @@ -1,17 +1,18 @@ |
1 | # $NetBSD: Makefile,v 1.74 2010/08/08 16:06:02 tnn Exp $ | | 1 | # $NetBSD: Makefile,v 1.74.2.1 2010/12/19 03:47:00 sbd Exp $ |
2 | | | 2 | |
3 | DISTNAME= freetype-2.4.2 | | 3 | DISTNAME= freetype-2.4.3 |
4 | PKGNAME= ${DISTNAME:S/-/2-/} | | 4 | PKGNAME= ${DISTNAME:S/-/2-/} |
| | | 5 | PKGREVISION= 2 |
5 | CATEGORIES= graphics | | 6 | CATEGORIES= graphics |
6 | MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=freetype/} \ | | 7 | MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=freetype/} \ |
7 | ftp://ring.aist.go.jp/pub/graphics/freetype/freetype2/ | | 8 | ftp://ring.aist.go.jp/pub/graphics/freetype/freetype2/ |
8 | EXTRACT_SUFX= .tar.bz2 | | 9 | EXTRACT_SUFX= .tar.bz2 |
9 | | | 10 | |
10 | MAINTAINER= rh@NetBSD.org | | 11 | MAINTAINER= rh@NetBSD.org |
11 | HOMEPAGE= http://www.freetype.org/ | | 12 | HOMEPAGE= http://www.freetype.org/ |
12 | COMMENT= Font rendering engine and library API | | 13 | COMMENT= Font rendering engine and library API |
13 | | | 14 | |
14 | PKG_INSTALLATION_TYPES= overwrite pkgviews | | 15 | PKG_INSTALLATION_TYPES= overwrite pkgviews |
15 | PKG_DESTDIR_SUPPORT= user-destdir | | 16 | PKG_DESTDIR_SUPPORT= user-destdir |
16 | | | 17 | |
17 | USE_LIBTOOL= yes | | 18 | USE_LIBTOOL= yes |
--- pkgsrc/graphics/freetype2/distinfo 2010/08/08 16:06:02 1.36
+++ pkgsrc/graphics/freetype2/distinfo 2010/12/19 03:47:00 1.36.2.1
| @@ -1,6 +1,8 @@ | | | @@ -1,6 +1,8 @@ |
1 | $NetBSD: distinfo,v 1.36 2010/08/08 16:06:02 tnn Exp $ | | 1 | $NetBSD: distinfo,v 1.36.2.1 2010/12/19 03:47:00 sbd Exp $ |
2 | | | 2 | |
3 | SHA1 (freetype-2.4.2.tar.bz2) = cc257ceda2950b8c80950d780ccf3ce665a815d1 | | 3 | SHA1 (freetype-2.4.3.tar.bz2) = 16e5ba0ff23b2de372149a790b7245a762022912 |
4 | RMD160 (freetype-2.4.2.tar.bz2) = 5e3970f3a9e242255489111f77fe880d5d524860 | | 4 | RMD160 (freetype-2.4.3.tar.bz2) = befa7c66a9574c682b45d69a1088d072d8f119d9 |
5 | Size (freetype-2.4.2.tar.bz2) = 1433843 bytes | | 5 | Size (freetype-2.4.3.tar.bz2) = 1437406 bytes |
6 | SHA1 (patch-aa) = 85bf9979802e04345a9f5ac3ada2cac9520dabcb | | 6 | SHA1 (patch-aa) = 85bf9979802e04345a9f5ac3ada2cac9520dabcb |
| | | 7 | SHA1 (patch-ab) = fd2823043c3bf1488529167a56af69ecd036a920 |
| | | 8 | SHA1 (patch-ac) = bbd59b48a7827eb5e9c4905572f13b789a2d9c88 |
$NetBSD: patch-ab,v 1.15.2.2 2010/12/19 03:47:00 sbd Exp $
CVE-2010-3855
--- src/truetype/ttgxvar.c.orig 2010-07-12 19:03:49.000000000 +0000
+++ src/truetype/ttgxvar.c
@@ -154,7 +154,7 @@
runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
first = points[i++] = FT_GET_USHORT();
- if ( runcnt < 1 )
+ if ( runcnt < 1 || i + runcnt >= n )
goto Exit;
/* first point not included in runcount */
@@ -165,7 +165,7 @@
{
first = points[i++] = FT_GET_BYTE();
- if ( runcnt < 1 )
+ if ( runcnt < 1 || i + runcnt >= n )
goto Exit;
for ( j = 0; j < runcnt; ++j )
$NetBSD: patch-ac,v 1.6.2.2 2010/12/19 03:47:00 sbd Exp $
CVE-2010-3814
--- src/truetype/ttinterp.c.orig 2010-10-01 06:08:19.000000000 +0000
+++ src/truetype/ttinterp.c
@@ -5795,7 +5795,16 @@
if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
+ {
last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
+
+ if ( BOUNDS( last_point, CUR.zp2.n_points ) )
+ {
+ if ( CUR.pedantic_hinting )
+ CUR.error = TT_Err_Invalid_Reference;
+ return;
+ }
+ }
else
last_point = 0;