Bug#859625: marked as done (unblock: freetype/2.6.3-3.1)

To: Niels Thykier <niels@thykier.net>
Subject: Bug#859625: marked as done (unblock: freetype/2.6.3-3.1)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 05 Apr 2017 14:30:03 +0000
Message-id: <[🔎] handler.859625.D859625.14914023632415.ackdone@bugs.debian.org>
References: <ee33b1cc-089b-9579-1b88-b9c61e4bac8d@thykier.net> <[🔎] 149138889184.19431.11681145532876561147.reportbug@lorien.valinor.li>

Your message dated Wed, 05 Apr 2017 14:24:00 +0000
with message-id <ee33b1cc-089b-9579-1b88-b9c61e4bac8d@thykier.net>
and subject line Re: Bug#859625: unblock: freetype/2.6.3-3.1
has caused the Debian Bug report #859625,
regarding unblock: freetype/2.6.3-3.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
859625: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859625
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: freetype/2.6.3-3.1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 05 Apr 2017 12:41:31 +0200
Message-id: <[🔎] 149138889184.19431.11681145532876561147.reportbug@lorien.valinor.li>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package freetype

The update fixes CVE-2016-10244, tracked as #856971.

The parse_charstrings function in does not ensure that a font contains
a glyph name, which allows remote attackers to cause a denial of
service via a crafted file.

Does not warrant a DSA for stable, but would be nice to have it
already fixed for stretch.

Needs a d-i 'ack' if accepted.

unblock freetype/2.6.3-3.1

Attached debdiff against the version in stretch.

Regards,
Salvatore

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

diff -u freetype-2.6.3/debian/changelog freetype-2.6.3/debian/changelog
--- freetype-2.6.3/debian/changelog
+++ freetype-2.6.3/debian/changelog
@@ -1,3 +1,12 @@
+freetype (2.6.3-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-10244: Heap-buffer-overflow
+    src/type1/t1load.c (parse_charstrings): Reject fonts that don't contain
+    glyph names. (Closes: #856971)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 30 Mar 2017 19:16:33 +0200
+
 freetype (2.6.3-3) unstable; urgency=medium
 
   * Install the now-available-upstream manpages for freetype-demos.
diff -u freetype-2.6.3/debian/patches-freetype/series freetype-2.6.3/debian/patches-freetype/series
--- freetype-2.6.3/debian/patches-freetype/series
+++ freetype-2.6.3/debian/patches-freetype/series
@@ -5,0 +6 @@
+CVE-2016-10244-type1-Fix-heap-buffer-overflow.patch
only in patch2:
unchanged:
--- freetype-2.6.3.orig/debian/patches-freetype/CVE-2016-10244-type1-Fix-heap-buffer-overflow.patch
+++ freetype-2.6.3/debian/patches-freetype/CVE-2016-10244-type1-Fix-heap-buffer-overflow.patch
@@ -0,0 +1,33 @@
+From a660e3de422731b94d4a134d27555430cbb6fb39 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Fri, 26 Aug 2016 00:23:27 +0200
+Subject: [PATCH] [type1] Fix heap buffer overflow.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36
+
+* src/type1/t1load.c (parse_charstrings): Reject fonts that don't
+contain glyph names.
+---
+
+diff --git a/src/type1/t1load.c b/src/type1/t1load.c
+index c981adcf..f8bf3132 100644
+--- a/src/type1/t1load.c
++++ b/src/type1/t1load.c
+@@ -1776,6 +1776,12 @@
+       }
+     }
+ 
++    if ( !n )
++    {
++      error = FT_THROW( Invalid_File_Format );
++      goto Fail;
++    }
++
+     loader->num_glyphs = n;
+ 
+     /* if /.notdef is found but does not occupy index 0, do our magic. */
+-- 
+2.11.0
+

--- End Message ---

--- Begin Message ---

To: Cyril Brulebois <kibi@debian.org>

Cc: Salvatore Bonaccorso <carnil@debian.org>, 859625-done@bugs.debian.org

Subject: Re: Bug#859625: unblock: freetype/2.6.3-3.1

From: Niels Thykier <niels@thykier.net>

Date: Wed, 05 Apr 2017 14:24:00 +0000

Message-id: <ee33b1cc-089b-9579-1b88-b9c61e4bac8d@thykier.net>

In-reply-to: <[🔎] 20170405140010.GC8151@mraw.org>

References: <[🔎] 149138889184.19431.11681145532876561147.reportbug@lorien.valinor.li> <[🔎] d869f33f-2897-7e81-a900-5186765200e1@thykier.net> <[🔎] 20170405140010.GC8151@mraw.org>
Cyril Brulebois:
> Niels Thykier <niels@thykier.net> (2017-04-05):
>> Salvatore Bonaccorso:
>>> Please unblock package freetype
>>>
>>> The update fixes CVE-2016-10244, tracked as #856971.
>>>
>>> The parse_charstrings function in does not ensure that a font contains
>>> a glyph name, which allows remote attackers to cause a denial of
>>> service via a crafted file.
>>>
>>> Does not warrant a DSA for stable, but would be nice to have it
>>> already fixed for stretch.
>>>
>>> Needs a d-i 'ack' if accepted.
> 
> No objections.
> 
> 
> KiBi.
> 

Unblocked, thanks.

~Niels
--- End Message ---

Reply to:

References:
- Bug#859625: unblock: freetype/2.6.3-3.1
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#859625: unblock: freetype/2.6.3-3.1
Next by Date: Re: RFC: shorewall* 5.0.15.6 for stretch?
Previous by thread: Bug#859625: unblock: freetype/2.6.3-3.1
Next by thread: Bug#858841: marked as done (unblock: spyder/3.1.3+dfsg1-3 (pre-approval))
Index(es):
- Date
- Thread