Bug#859625: unblock: freetype/2.6.3-3.1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#859625: unblock: freetype/2.6.3-3.1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 05 Apr 2017 12:41:31 +0200
Message-id: <[🔎] 149138889184.19431.11681145532876561147.reportbug@lorien.valinor.li>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 859625@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package freetype

The update fixes CVE-2016-10244, tracked as #856971.

The parse_charstrings function in does not ensure that a font contains
a glyph name, which allows remote attackers to cause a denial of
service via a crafted file.

Does not warrant a DSA for stable, but would be nice to have it
already fixed for stretch.

Needs a d-i 'ack' if accepted.

unblock freetype/2.6.3-3.1

Attached debdiff against the version in stretch.

Regards,
Salvatore

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

diff -u freetype-2.6.3/debian/changelog freetype-2.6.3/debian/changelog
--- freetype-2.6.3/debian/changelog
+++ freetype-2.6.3/debian/changelog
@@ -1,3 +1,12 @@
+freetype (2.6.3-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-10244: Heap-buffer-overflow
+    src/type1/t1load.c (parse_charstrings): Reject fonts that don't contain
+    glyph names. (Closes: #856971)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 30 Mar 2017 19:16:33 +0200
+
 freetype (2.6.3-3) unstable; urgency=medium
 
   * Install the now-available-upstream manpages for freetype-demos.
diff -u freetype-2.6.3/debian/patches-freetype/series freetype-2.6.3/debian/patches-freetype/series
--- freetype-2.6.3/debian/patches-freetype/series
+++ freetype-2.6.3/debian/patches-freetype/series
@@ -5,0 +6 @@
+CVE-2016-10244-type1-Fix-heap-buffer-overflow.patch
only in patch2:
unchanged:
--- freetype-2.6.3.orig/debian/patches-freetype/CVE-2016-10244-type1-Fix-heap-buffer-overflow.patch
+++ freetype-2.6.3/debian/patches-freetype/CVE-2016-10244-type1-Fix-heap-buffer-overflow.patch
@@ -0,0 +1,33 @@
+From a660e3de422731b94d4a134d27555430cbb6fb39 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Fri, 26 Aug 2016 00:23:27 +0200
+Subject: [PATCH] [type1] Fix heap buffer overflow.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36
+
+* src/type1/t1load.c (parse_charstrings): Reject fonts that don't
+contain glyph names.
+---
+
+diff --git a/src/type1/t1load.c b/src/type1/t1load.c
+index c981adcf..f8bf3132 100644
+--- a/src/type1/t1load.c
++++ b/src/type1/t1load.c
+@@ -1776,6 +1776,12 @@
+       }
+     }
+ 
++    if ( !n )
++    {
++      error = FT_THROW( Invalid_File_Format );
++      goto Fail;
++    }
++
+     loader->num_glyphs = n;
+ 
+     /* if /.notdef is found but does not occupy index 0, do our magic. */
+-- 
+2.11.0
+

Reply to:

Follow-Ups:
- Bug#859625: unblock: freetype/2.6.3-3.1
  - From: Niels Thykier <niels@thykier.net>
- Bug#859625: marked as done (unblock: freetype/2.6.3-3.1)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#852395: unblock: gssproxy/0.5.1-2
Next by Date: Bug#859625: unblock: freetype/2.6.3-3.1
Previous by thread: Bug#852395: unblock: gssproxy/0.5.1-2
Next by thread: Bug#859625: unblock: freetype/2.6.3-3.1
Index(es):
- Date
- Thread