
Bug#1010305: buster-pu: package freetype/2.9.1-3+deb10u3
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

This update fixes three security vulnerabilities in FreeType 2.9.1-3+deb10u2.

- CVE-2022-27404: heap buffer overflow via invalid integer decrement in
sfnt_init_face().
- CVE-2022-27405: segmentation violation via ft_open_face_internal() when
attempting to read the value of FT_LONG face_index.
- CVE-2022-27406: segmentation violation via FT_Request_Size() when attempting
to read the value of an unguarded face size handle.

It would be ideal to get these fixes into Buster.

diff -Nru freetype-2.9.1/debian/changelog freetype-2.9.1/debian/changelog
--- freetype-2.9.1/debian/changelog	2020-10-21 06:15:41.000000000 +1100
+++ freetype-2.9.1/debian/changelog	2022-04-28 21:11:36.000000000 +1000
@@ -1,3 +1,15 @@
+freetype (2.9.1-3+deb10u3) buster; urgency=medium
+
+  * Add upstream patches to fix multiple vulnerabilities. Closes: #1010183.
+    - CVE-2022-27404: heap buffer overflow via invalid integer decrement in
+      sfnt_init_face().
+    - CVE-2022-27405: segmentation violation via ft_open_face_internal() when
+      attempting to read the value of FT_LONG face_index.
+    - CVE-2022-27406: segmentation violation via FT_Request_Size() when
+      attempting to read the value of an unguarded face size handle.
+
+ -- Hugh McMaster <hugh.mcmaster@outlook.com>  Thu, 28 Apr 2022 21:11:36 +1000
+
 freetype (2.9.1-3+deb10u2) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru freetype-2.9.1/debian/patches/CVE-2022-27404.patch freetype-2.9.1/debian/patches/CVE-2022-27404.patch
--- freetype-2.9.1/debian/patches/CVE-2022-27404.patch	1970-01-01 10:00:00.000000000 +1000
+++ freetype-2.9.1/debian/patches/CVE-2022-27404.patch	2022-04-28 21:06:58.000000000 +1000
@@ -0,0 +1,19 @@
+Description: Check `face_index` before decrementing to prevent heap buffer
+ overflow (CVE-2022-27404).
+Author: Werner Lemberg
+Origin: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/sfnt/sfobjs.c
++++ b/src/sfnt/sfobjs.c
+@@ -923,7 +923,7 @@
+     face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+ 
+     /* value -(N+1) requests information on index N */
+-    if ( face_instance_index < 0 )
++    if ( face_instance_index < 0 && face_index > 0 )
+       face_index--;
+ 
+     if ( face_index >= face->ttc_header.count )
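Review bot: the added `face_index > 0` condition is the right guard, but the comment directly above it still says only `/* value -(N+1) requests information on index N */`, which no longer describes the new case: a negative `face_instance_index` whose masked low 16 bits are already 0 now selects index 0 instead of being decremented to -1, and the existing `face_index >= face->ttc_header.count` check below only rejects values that are too large, not negative ones. Suggest extending the comment, for example `/* a masked index of 0 cannot be decremented further */`, so the reason for the extra condition survives in the source rather than only in the DEP-3 header.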
diff -Nru freetype-2.9.1/debian/patches/CVE-2022-27405.patch freetype-2.9.1/debian/patches/CVE-2022-27405.patch
--- freetype-2.9.1/debian/patches/CVE-2022-27405.patch	1970-01-01 10:00:00.000000000 +1000
+++ freetype-2.9.1/debian/patches/CVE-2022-27405.patch	2022-04-28 21:08:12.000000000 +1000
@@ -0,0 +1,26 @@
+Description: Properly guard `face_index` before attempting to read its value
+ (CVE-2022-27405).
+Author: Werner Lemberg
+Origin: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2345,6 +2345,15 @@
+ #endif
+ 
+ 
++    /* only use lower 31 bits together with sign bit */
++    if ( face_index > 0 )
++      face_index &= 0x7FFFFFFFL;
++    else
++    {
++      face_index &= 0x7FFFFFFFL;
++      face_index  = -face_index;
++    }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+     FT_TRACE3(( "FT_Open_Face: " ));
+     if ( face_index < 0 )
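Review bot: in the `else` branch the mask is applied before the negation, so for a negative `face_index` the AND runs over the two's-complement bit pattern rather than over the magnitude: `-1 & 0x7FFFFFFFL` yields `0x7FFFFFFF`, and the following `face_index = -face_index` turns the conventional `-1` request into `-0x7FFFFFFF`, which the `if ( face_index < 0 )` path right below will then treat as a very different face index. Negating first, masking, then negating again limits the magnitude to 31 bits while keeping small negative values intact:
    face_index  = -face_index;
    face_index &= 0x7FFFFFFFL;
    face_index  = -face_index;
Worth comparing against the current upstream `ftobjs.c` before the upload, since the `-1` convention is part of the public `FT_Open_Face()` contract.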
diff -Nru freetype-2.9.1/debian/patches/CVE-2022-27406.patch freetype-2.9.1/debian/patches/CVE-2022-27406.patch
--- freetype-2.9.1/debian/patches/CVE-2022-27406.patch	1970-01-01 10:00:00.000000000 +1000
+++ freetype-2.9.1/debian/patches/CVE-2022-27406.patch	2022-04-28 21:09:23.000000000 +1000
@@ -0,0 +1,20 @@
+Description: Guard the `face->size` handle before attempting to read its value
+ (CVE-2022-27406).
+Author: Werner Lemberg
+Origin: https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140
+Bug-Debian: https://bugs.debian.org/1010183
+Last-Update: 2022-04-28
+
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3209,6 +3209,9 @@
+     if ( !face )
+       return FT_THROW( Invalid_Face_Handle );
+ 
++    if ( !face->size )
++      return FT_THROW( Invalid_Size_Handle );
++
+     if ( !req || req->width < 0 || req->height < 0 ||
+          req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+       return FT_THROW( Invalid_Argument );
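Review bot: the DEP-3 `Description` says only that `face->size` is guarded, while the changelog names the affected function (`FT_Request_Size()`); naming the function in the Description too makes the patch self-describing when it is read on its own. The guard itself sits before the `req` validation, so a NULL size handle combined with a bad request now reports `Invalid_Size_Handle` rather than `Invalid_Argument`; that ordering mirrors the `!face` check directly above and looks correct.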
diff -Nru freetype-2.9.1/debian/patches/series freetype-2.9.1/debian/patches/series
--- freetype-2.9.1/debian/patches/series	2020-10-21 06:15:41.000000000 +1100
+++ freetype-2.9.1/debian/patches/series	2022-04-28 21:09:11.000000000 +1000
@@ -9,3 +9,6 @@
 no-web-fonts.patch
 hide-donations-information.patch
 sfnt-Fix-heap-buffer-overflow-59308.patch
+CVE-2022-27404.patch
+CVE-2022-27405.patch
+CVE-2022-27406.patch
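As an added example, not FreeType's code and not part of this report, the following C program models in miniature the two index-handling paths that the report's first two CVEs concern: the `FT_ABS(...) & 0xFFFF` derivation of a TTC sub-face index with and without the new `face_index > 0` guard (CVE-2022-27404), and the 31-bit clamp from the `ftobjs.c` hunk (CVE-2022-27405), next to a variant that masks the magnitude instead of the bit pattern. The type and function names (`ft_long`, `FT_ABS_`, `ttc_face_index`, `mask_face_index_as_patched`, `mask_face_index_negate_first`, `in_bounds`) are illustrative assumptions, not FreeType identifiers, and the face count of the collection is constructed; the point is to let a reviewer check on representative inputs which requests the unguarded code would have turned into a negative subscript and what each clamp does to a `-1` request.

```c
/* Added example modelling the face_index arithmetic behind CVE-2022-27404
 * and CVE-2022-27405.  Not FreeType code; names are illustrative. */
#include <stdio.h>

typedef long ft_long;                    /* stands in for FT_Long; assumed >= 32 bits */
#define FT_ABS_( a )  ( (a) < 0 ? -(a) : (a) )   /* undefined for LONG_MIN, like FT_ABS */

/* 31-bit clamp exactly as written in the quoted ftobjs.c hunk:
 * mask first, then negate for non-positive values. */
ft_long mask_face_index_as_patched( ft_long face_index )
{
  if ( face_index > 0 )
    face_index &= 0x7FFFFFFFL;
  else
  {
    /* AND on a negative value works on its two's-complement bits, so -1
     * becomes 0x7FFFFFFF here and -0x7FFFFFFF after the negation below */
    face_index &= 0x7FFFFFFFL;
    face_index  = -face_index;
  }
  return face_index;
}

/* Variant that clamps the magnitude instead of the bit pattern, so a
 * small negative request such as -1 keeps its meaning. */
ft_long mask_face_index_negate_first( ft_long face_index )
{
  if ( face_index > 0 )
    face_index &= 0x7FFFFFFFL;
  else
  {
    face_index  = -face_index;
    face_index &= 0x7FFFFFFFL;
    face_index  = -face_index;
  }
  return face_index;
}

/* TTC sub-face index derivation as in the sfobjs.c hunk.  guarded == 0
 * reproduces the pre-patch decrement, guarded != 0 the CVE-2022-27404 fix. */
ft_long ttc_face_index( ft_long face_instance_index, int guarded )
{
  ft_long face_index = FT_ABS_( face_instance_index ) & 0xFFFF;

  /* value -(N+1) requests information on index N */
  if ( face_instance_index < 0 && ( !guarded || face_index > 0 ) )
    face_index--;

  return face_index;
}

/* 1 if face_index is a valid subscript into an offsets table of `count`
 * entries.  The upper test is the one visible in the patch context; the
 * lower test is what the unguarded decrement could violate. */
int in_bounds( ft_long face_index, ft_long count )
{
  return face_index >= 0 && face_index < count;
}

int main( void )
{
  const ft_long ttc_count = 4;                    /* constructed: a 4-face collection */
  const ft_long inputs[]  = { -1, -65536, 0x10003 };  /* constructed requests */
  size_t i;

  for ( i = 0; i < sizeof inputs / sizeof inputs[0]; i++ )
  {
    ft_long old_idx = ttc_face_index( inputs[i], 0 );
    ft_long new_idx = ttc_face_index( inputs[i], 1 );

    printf( "request %8ld: pre-patch index %2ld (%s), patched index %2ld (%s)\n",
            inputs[i],
            old_idx, in_bounds( old_idx, ttc_count ) ? "in bounds" : "OUT OF BOUNDS",
            new_idx, in_bounds( new_idx, ttc_count ) ? "in bounds" : "OUT OF BOUNDS" );
  }

  printf( "clamp as patched(-1)    = %ld\n", mask_face_index_as_patched( -1 ) );
  printf( "clamp negate-first(-1)  = %ld\n", mask_face_index_negate_first( -1 ) );
  return 0;
}
```

Build and run with `cc -Wall -o face_index face_index.c && ./face_index`; the `-65536` row is the one where the pre-patch arithmetic lands on index -1 while the guarded version stays at 0, and the two clamp lines show why masking before negating changes what a `-1` request means.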