
Bug#696918: unblock: freetype/2.4.9-1.1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team

Please unblock package freetype (but we can first wait the two-day
period to have the changes in unstable without an already granted
unblock).

The upload fixes three CVEs for freetype, see #696691:

 CVE-2012-5668: NULL Pointer Dereference in bdf_free_font.
 CVE-2012-5669: Out-of-bounds read in _bdf_parse_glyphs.
 CVE-2012-5670: Out-of-bounds write in _bdf_parse_glyphs.

The package also provides a udeb, so this needs an explicit ACK by
Cyril?

I have attached the full debdiff against the current version in
testing.

unblock freetype/2.4.9-1.1

Many thanks for your work, and

Regards,
Salvatore
Base version: freetype_2.4.9-1 from testing
Target version: freetype_2.4.9-1.1 from unstable

Hints in place:
==> freeze
  # These udebs can be handled directly by britney
  # but are currently blocked at the d-i RM's request
  block-udeb freetype

 debian/patches-freetype/savannah-bug-37905.patch |   26 +++++++++++++++++++++++
 debian/patches-freetype/savannah-bug-37906.patch |   26 +++++++++++++++++++++++
 debian/patches-freetype/savannah-bug-37907.patch |   24 +++++++++++++++++++++
 freetype-2.4.9/debian/changelog                  |   16 ++++++++++++++
 freetype-2.4.9/debian/patches-freetype/series    |    3 ++
 5 files changed, 95 insertions(+)

diff -u freetype-2.4.9/debian/changelog freetype-2.4.9/debian/changelog
--- freetype-2.4.9/debian/changelog
+++ freetype-2.4.9/debian/changelog
@@ -1,3 +1,19 @@
+freetype (2.4.9-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+    Upload ACKed by Steve Langasek <vorlon@debian.org> on #debian-devel.
+  * Add savannah-bug-37905.patch patch
+    [SECURITY] CVE-2012-5668: NULL Pointer Dereference in bdf_free_font.
+    (Closes: #696691)
+  * Add savannah-bug-37906.patch patch
+    [SECURITY] CVE-2012-5669: Out-of-bounds read in _bdf_parse_glyphs.
+    (Closes: #696691)
+  * Add savannah-bug-37907.patch patch
+    [SECURITY] CVE-2012-5670: Out-of-bounds write in _bdf_parse_glyphs.
+    (Closes: #696691)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 28 Dec 2012 21:32:28 +0100
+
 freetype (2.4.9-1) unstable; urgency=low
 
   * New upstream release
diff -u freetype-2.4.9/debian/patches-freetype/series freetype-2.4.9/debian/patches-freetype/series
--- freetype-2.4.9/debian/patches-freetype/series
+++ freetype-2.4.9/debian/patches-freetype/series
@@ -5,0 +6,3 @@
+savannah-bug-37905.patch
+savannah-bug-37906.patch
+savannah-bug-37907.patch
only in patch2:
unchanged:
--- freetype-2.4.9.orig/debian/patches-freetype/savannah-bug-37905.patch
+++ freetype-2.4.9/debian/patches-freetype/savannah-bug-37905.patch
@@ -0,0 +1,26 @@
+From 9b6b5754b57c12b820e01305eb69b8863a161e5a Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 15 Dec 2012 00:34:41 +0000
+Subject: [bdf] Fix Savannah bug #37905.
+
+* src/bdf/bdflib.c (_bdf_parse_start): Reset `props_size' to zero in
+case of allocation error; this value gets used in a loop in
+`bdf_free_font'.
+---
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index ed08a6e..8d7f9a0 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -2169,7 +2169,10 @@
+       p->cnt = p->font->props_size = _bdf_atoul( p->list.field[1], 0, 10 );
+ 
+       if ( FT_NEW_ARRAY( p->font->props, p->cnt ) )
++      {
++        p->font->props_size = 0;
+         goto Exit;
++      }
+ 
+       p->flags |= _BDF_PROPS;
+       *next     = _bdf_parse_properties;
+--
+cgit v0.9.0.2
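Review bot: in the `_bdf_parse_start` hunk at line 2169, `props_size` is still assigned from the file contents before `FT_NEW_ARRAY` is known to succeed, and the fix undoes that only on the failure path; `p->cnt` receives the same value in the chained assignment and is not reset. Assigning `props_size` only after the allocation succeeds would remove the inconsistent state instead of repairing it, and would be worth raising upstream. For the Debian patch file itself, the header names only Savannah bug #37905; adding CVE-2012-5668 and the Debian bug number (#696691) there would let someone reading the patch on its own tie it to the advisory.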
only in patch2:
unchanged:
--- freetype-2.4.9.orig/debian/patches-freetype/savannah-bug-37907.patch
+++ freetype-2.4.9/debian/patches-freetype/savannah-bug-37907.patch
@@ -0,0 +1,24 @@
+From 7f2e4f4f553f6836be7683f66226afac3fa979b8 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 15 Dec 2012 08:39:41 +0000
+Subject: [bdf] Fix Savannah bug #37907.
+
+* src/bdf/bdflib.c (_bdf_parse_glyphs) <ENCODING>: Normalize
+negative second parameter of `ENCODING' field also.
+---
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index f9c06ca..365e671 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1624,6 +1624,9 @@
+       if ( p->glyph_enc == -1 && p->list.used > 2 )
+         p->glyph_enc = _bdf_atol( p->list.field[2], 0, 10 );
+ 
++      if ( p->glyph_enc < -1 )
++        p->glyph_enc = -1;
++
+       FT_TRACE4(( DBGMSG2, p->glyph_enc ));
+ 
+       /* Check that the encoding is in the Unicode range because  */
+--
+cgit v0.9.0.2
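Review bot: the clamp added after the second `_bdf_atol` call at line 1624 carries no comment saying why values below -1 are folded to -1. The range check that follows only tests `p->glyph_enc > 0` (visible in savannah-bug-37906.patch), so a negative encoding other than -1 would pass it untouched; a one-line comment stating that every negative encoding is normalized to -1 before that check would keep the clamp from being dropped in a later cleanup. Also note that `FT_TRACE4` now logs the normalized value rather than what the file contained, which is worth knowing when debugging a malformed font.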
only in patch2:
unchanged:
--- freetype-2.4.9.orig/debian/patches-freetype/savannah-bug-37906.patch
+++ freetype-2.4.9/debian/patches-freetype/savannah-bug-37906.patch
@@ -0,0 +1,26 @@
+From 07bdb6e289c7954e2a533039dc93c1c136099d2d Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 15 Dec 2012 01:02:23 +0000
+Subject: [bdf] Fix Savannah bug #37906.
+
+* src/bdf/bdflib.c (_bdf_parse_glyphs): Use correct array size for
+checking `glyph_enc'.
+---
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index 8d7f9a0..f9c06ca 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1628,8 +1628,9 @@
+ 
+       /* Check that the encoding is in the Unicode range because  */
+       /* otherwise p->have (a bitmap with static size) overflows. */
+-      if ( p->glyph_enc > 0                               &&
+-           (size_t)p->glyph_enc >= sizeof ( p->have ) * 8 )
++      if ( p->glyph_enc > 0                                      &&
++           (size_t)p->glyph_enc >= sizeof ( p->have ) /
++                                   sizeof ( unsigned long ) * 32 )
+       {
+         FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG5, lineno, "ENCODING" ));
+         error = BDF_Err_Invalid_File_Format;
+--
+cgit v0.9.0.2
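Review bot: the new bound in `_bdf_parse_glyphs` at line 1628 hard-codes 32 bits per `unsigned long` element of `p->have` and relies on `/` and `*` associating left to right. Parenthesizing it as `( sizeof ( p->have ) / sizeof ( unsigned long ) ) * 32` and replacing the literal with a named constant shared with whatever code indexes `p->have` would keep the check and the bitmap access from drifting apart. The old `sizeof ( p->have ) * 8` bound differs from the new one wherever `unsigned long` is wider than 4 bytes, so the fix should be exercised on a 64-bit build in particular.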
