Bug#1010305: marked as done (buster-pu: package freetype/2.9.1-3+deb10u3)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#1010305: marked as done (buster-pu: package freetype/2.9.1-3+deb10u3)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 10 Sep 2022 12:45:32 +0000
Message-id: <[🔎] handler.1010305.D1010305.166281376320810.ackdone@bugs.debian.org>
Reply-to: 1010305@bugs.debian.org
References: <2cfc9645343bdb910fe19c07bddfec2c428346a3.camel@adam-barratt.org.uk> <165114866965.80900.10961775171545237790.reportbug@debian>

Your message dated Sat, 10 Sep 2022 13:40:55 +0100
with message-id <2cfc9645343bdb910fe19c07bddfec2c428346a3.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 10.13
has caused the Debian Bug report #1010305,
regarding buster-pu: package freetype/2.9.1-3+deb10u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1010305: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010305
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: buster-pu: package freetype/2.9.1-3+deb10u3
From: Hugh McMaster <hugh.mcmaster@outlook.com>
Date: Thu, 28 Apr 2022 22:24:29 +1000
Message-id: <165114866965.80900.10961775171545237790.reportbug@debian>

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

This update fixes three security vulnerabilities in FreeType 2.9.1-3+deb10u2.

- CVE-2022-27404: heap buffer overflow via invalid integer decrement in
sfnt_init_face().
- CVE-2022-27405: segmentation violation via ft_open_face_internal() when
attempting to read the value of FT_LONG face_index.
- CVE-2022-27406: segmentation violation via FT_Request_Size() when attempting
to read the value of an unguarded face size handle.

It would be ideal to get these fixes into Buster.

diff -Nru freetype-2.9.1/debian/changelog freetype-2.9.1/debian/changelog
--- freetype-2.9.1/debian/changelog	2020-10-21 06:15:41.000000000 +1100
+++ freetype-2.9.1/debian/changelog	2022-04-28 21:11:36.000000000 +1000
@@ -1,3 +1,15 @@
+freetype (2.9.1-3+deb10u3) buster; urgency=medium
+
+  * Add upstream patches to fix multiple vulnerabilities. Closes: #1010183.
+    - CVE-2022-27404: heap buffer overflow via invalid integer decrement in
+      sfnt_init_face().
+    - CVE-2022-27405: segmentation violation via ft_open_face_internal() when
+      attempting to read the value of FT_LONG face_index.
+    - CVE-2022-27406: segmentation violation via FT_Request_Size() when
+      attempting to read the value of an unguarded face size handle.
+
+ -- Hugh McMaster <hugh.mcmaster@outlook.com>  Thu, 28 Apr 2022 21:11:36 +1000
+
 freetype (2.9.1-3+deb10u2) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru freetype-2.9.1/debian/patches/CVE-2022-27404.patch freetype-2.9.1/debian/patches/CVE-2022-27404.patch
--- freetype-2.9.1/debian/patches/CVE-2022-27404.patch	1970-01-01 10:00:00.000000000 +1000
+++ freetype-2.9.1/debian/patches/CVE-2022-27404.patch	2022-04-28 21:06:58.000000000 +1000
@@ -0,0 +1,19 @@
+Description: Check `face_index` before decrementing to prevent heap buffer
+ overflow (CVE-2022-27404).
+Author: Werner Lemberg
+Origin: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/sfnt/sfobjs.c
++++ b/src/sfnt/sfobjs.c
+@@ -923,7 +923,7 @@
+     face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+ 
+     /* value -(N+1) requests information on index N */
+-    if ( face_instance_index < 0 )
++    if ( face_instance_index < 0 && face_index > 0 )
+       face_index--;
+ 
+     if ( face_index >= face->ttc_header.count )
diff -Nru freetype-2.9.1/debian/patches/CVE-2022-27405.patch freetype-2.9.1/debian/patches/CVE-2022-27405.patch
--- freetype-2.9.1/debian/patches/CVE-2022-27405.patch	1970-01-01 10:00:00.000000000 +1000
+++ freetype-2.9.1/debian/patches/CVE-2022-27405.patch	2022-04-28 21:08:12.000000000 +1000
@@ -0,0 +1,26 @@
+Description: Properly guard `face_index` before attempting to read its value
+ (CVE-2022-27405).
+Author: Werner Lemberg
+Origin: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2345,6 +2345,15 @@
+ #endif
+ 
+ 
++    /* only use lower 31 bits together with sign bit */
++    if ( face_index > 0 )
++      face_index &= 0x7FFFFFFFL;
++    else
++    {
++      face_index &= 0x7FFFFFFFL;
++      face_index  = -face_index;
++    }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+     FT_TRACE3(( "FT_Open_Face: " ));
+     if ( face_index < 0 )
diff -Nru freetype-2.9.1/debian/patches/CVE-2022-27406.patch freetype-2.9.1/debian/patches/CVE-2022-27406.patch
--- freetype-2.9.1/debian/patches/CVE-2022-27406.patch	1970-01-01 10:00:00.000000000 +1000
+++ freetype-2.9.1/debian/patches/CVE-2022-27406.patch	2022-04-28 21:09:23.000000000 +1000
@@ -0,0 +1,20 @@
+Description: Guard the `face->size` handle before attempting to read its value
+ (CVE-2022-27406).
+Author: Werner Lemberg
+Origin: https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3209,6 +3209,9 @@
+     if ( !face )
+       return FT_THROW( Invalid_Face_Handle );
+ 
++    if ( !face->size )
++      return FT_THROW( Invalid_Size_Handle );
++
+     if ( !req || req->width < 0 || req->height < 0 ||
+          req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+       return FT_THROW( Invalid_Argument );
diff -Nru freetype-2.9.1/debian/patches/series freetype-2.9.1/debian/patches/series
--- freetype-2.9.1/debian/patches/series	2020-10-21 06:15:41.000000000 +1100
+++ freetype-2.9.1/debian/patches/series	2022-04-28 21:09:11.000000000 +1000
@@ -9,3 +9,6 @@
 no-web-fonts.patch
 hide-donations-information.patch
 sfnt-Fix-heap-buffer-overflow-59308.patch
+CVE-2022-27404.patch
+CVE-2022-27405.patch
+CVE-2022-27406.patch

--- End Message ---

--- Begin Message ---

To: 941901-done@bugs.debian.org, 945578-done@bugs.debian.org, 960396-done@bugs.debian.org, 966028-done@bugs.debian.org, 983841-done@bugs.debian.org, 987538-done@bugs.debian.org, 987941-done@bugs.debian.org, 990372-done@bugs.debian.org, 990739-done@bugs.debian.org, 991120-done@bugs.debian.org, 998390-done@bugs.debian.org, 1003293-done@bugs.debian.org, 1006182-done@bugs.debian.org, 1008056-done@bugs.debian.org, 1008062-done@bugs.debian.org, 1008154-done@bugs.debian.org, 1008163-done@bugs.debian.org, 1008578-done@bugs.debian.org, 1009065-done@bugs.debian.org, 1009076-done@bugs.debian.org, 1009251-done@bugs.debian.org, 1009652-done@bugs.debian.org, 1010060-done@bugs.debian.org, 1010193-done@bugs.debian.org, 1010305-done@bugs.debian.org, 1010380-done@bugs.debian.org, 1010388-done@bugs.debian.org, 1010615-done@bugs.debian.org, 1010858-done@bugs.debian.org, 1011030-done@bugs.debian.org, 1011272-done@bugs.debian.org, 1011286-done@bugs.debian.org, 1011360-done@bugs.debian.org, 1011745-done@bugs.debian.org, 1011943-done@bugs.debian.org, 1012048-done@bugs.debian.org, 1012066-done@bugs.debian.org, 1013347-done@bugs.debian.org, 1014145-done@bugs.debian.org, 1014200-done@bugs.debian.org, 1014346-done@bugs.debian.org, 1014860-done@bugs.debian.org, 1014907-done@bugs.debian.org, 1014909-done@bugs.debian.org, 1014912-done@bugs.debian.org, 1015243-done@bugs.debian.org, 1016169-done@bugs.debian.org, 1016176-done@bugs.debian.org, 1016198-done@bugs.debian.org, 1016439-done@bugs.debian.org, 1016671-done@bugs.debian.org, 1016733-done@bugs.debian.org, 1017112-done@bugs.debian.org, 1017393-done@bugs.debian.org, 1017998-done@bugs.debian.org, 1018048-done@bugs.debian.org, 1018080-done@bugs.debian.org, 1018086-done@bugs.debian.org, 1018092-done@bugs.debian.org, 1018095-done@bugs.debian.org, 1018096-done@bugs.debian.org, 1018097-done@bugs.debian.org, 1018101-done@bugs.debian.org, 1018107-done@bugs.debian.org, 1018108-done@bugs.debian.org, 1018151-done@bugs.debian.org, 1018152-done@bugs.debian.org, 1018178-done@bugs.debian.org, 1018179-done@bugs.debian.org, 1018182-done@bugs.debian.org, 1018184-done@bugs.debian.org, 1018185-done@bugs.debian.org, 1018199-done@bugs.debian.org, 1018241-done@bugs.debian.org, 1018244-done@bugs.debian.org, 1018246-done@bugs.debian.org, 1018250-done@bugs.debian.org

Subject: Closing requests for updates included in 10.13

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 10 Sep 2022 13:40:55 +0100

Message-id: <2cfc9645343bdb910fe19c07bddfec2c428346a3.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.13

Hi,

Each of the updates referenced in these bugs was included in today's
10.13 point release.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Bug#1010193: marked as done (buster-pu: package distro-info-data/0.41+deb10u5)
Next by Date: Bug#1010380: marked as done (buster-pu: flac/1.3.2-3+deb10u2)
Previous by thread: Bug#1010193: marked as done (buster-pu: package distro-info-data/0.41+deb10u5)
Next by thread: Bug#1010380: marked as done (buster-pu: flac/1.3.2-3+deb10u2)
Index(es):
- Date
- Thread