Bug#1034634: unblock: freetype/2.12.1+dfsg-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: freetype@packages.debian.org
Control: affects -1 + src:freetype
Please unblock package freetype.
[ Reason ]
An integer overflow vulnerability was discovered in FreeType (specifically, the
tt_hvadvance_adjust() function). This is CVE-2023-2004.
[ Impact ]
FreeType 2 can crash when getting TrueType font metrics due to the overflow.
[ Tests ]
Chromium's OSS-Fuzz project regularly fuzzes the FreeType source. After the
upstream fix was applied, OSS-Fuzz verified the fix.
[ Risks ]
The patch is non-invasive and very small.
[ Checklist ]
[ x ] all changes are documented in the d/changelog
[ x ] I reviewed all changes and I approve them
[ x ] attach debdiff against the package in testing
unblock freetype/2.12.1+dfsg-5
diff -Nru freetype-2.12.1+dfsg/debian/changelog freetype-2.12.1+dfsg/debian/changelog
--- freetype-2.12.1+dfsg/debian/changelog 2023-01-12 23:05:22.000000000 +1100
+++ freetype-2.12.1+dfsg/debian/changelog 2023-04-20 21:08:03.000000000 +1000
@@ -1,3 +1,10 @@
+freetype (2.12.1+dfsg-5) unstable; urgency=medium
+
+ * debian/patches: Add a patch to fix CVE-2023-2004 (Closes: #1034612).
+ - Integer overflow in tt_hvadvance_adjust().
+
+ -- Hugh McMaster <hugh.mcmaster@outlook.com> Thu, 20 Apr 2023 21:08:03 +1000
+
freetype (2.12.1+dfsg-4) unstable; urgency=medium
[ Debian Janitor ]
diff -Nru freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch
--- freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch 1970-01-01 10:00:00.000000000 +1000
+++ freetype-2.12.1+dfsg/debian/patches/CVE-2023-2004.patch 2023-04-20 21:03:11.000000000 +1000
@@ -0,0 +1,42 @@
+Description: Prevent integer overflow in tt_hvadvance_adjust().
+ Fixes CVE-2023-2004.
+Author: Werner Lemberg <wl@gnu.org>
+Origin: https://gitlab.freedesktop.org/freetype/freetype/-/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611
+Bug-Debian: https://bugs.debian.org/1034612
+Last-Update: 2023-04-30
+
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -42,6 +42,7 @@
+ #include <ft2build.h>
+ #include <freetype/internal/ftdebug.h>
+ #include FT_CONFIG_CONFIG_H
++#include <freetype/internal/ftcalc.h>
+ #include <freetype/internal/ftstream.h>
+ #include <freetype/internal/sfnt.h>
+ #include <freetype/tttags.h>
+@@ -1133,14 +1134,17 @@
+ outerIndex,
+ innerIndex );
+
+- FT_TRACE5(( "%s value %d adjusted by %d unit%s (%s)\n",
+- vertical ? "vertical height" : "horizontal width",
+- *avalue,
+- delta,
+- delta == 1 ? "" : "s",
+- vertical ? "VVAR" : "HVAR" ));
++ if ( delta )
++ {
++ FT_TRACE5(( "%s value %d adjusted by %d unit%s (%s)\n",
++ vertical ? "vertical height" : "horizontal width",
++ *avalue,
++ delta,
++ delta == 1 ? "" : "s",
++ vertical ? "VVAR" : "HVAR" ));
+
+- *avalue += delta;
++ *avalue = ADD_INT( *avalue, delta );
++ }
+
+ Exit:
+ return error;
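Review bot: the DEP-3 header's `Last-Update: 2023-04-30` is later than both the changelog entry (Thu, 20 Apr 2023) and the patch file's own timestamp (2023-04-20 21:03:11), so it looks like a typo; suggest `Last-Update: 2023-04-20`. The code change itself matches the description: the added `#include <freetype/internal/ftcalc.h>` supplies ADD_INT, and `*avalue = ADD_INT( *avalue, delta );` replaces the raw `*avalue += delta;`. Wrapping the FT_TRACE5 call and the addition in `if ( delta )` also suppresses the trace line for zero deltas, which is harmless but worth a word in the Description so the behavioural change is recorded.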
diff -Nru freetype-2.12.1+dfsg/debian/patches/series freetype-2.12.1+dfsg/debian/patches/series
--- freetype-2.12.1+dfsg/debian/patches/series 2023-01-12 23:05:22.000000000 +1100
+++ freetype-2.12.1+dfsg/debian/patches/series 2023-04-20 21:02:52.000000000 +1000
@@ -5,3 +5,4 @@
CVE-2022-31782.patch
fix-wild-free-svg.patch
hardening.patch
+CVE-2023-2004.patch
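An added example, not code from the Debian package or from FreeType, contrasting the two overflow-safe addition idioms relevant to this fix: an unsigned-arithmetic wrapping add, which is how I understand FreeType's ADD_INT macro in ftcalc.h to be defined, and a checked add that rejects the adjustment instead. adjust_advance() is a hypothetical stand-in for the tail of tt_hvadvance_adjust(), and the input values are constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Same idiom as FreeType's ADD_INT (my reading of ftcalc.h): add in unsigned
 * arithmetic, where wrap-around is defined, then convert back.  Signed overflow
 * is undefined behaviour; this version wraps instead.  The final conversion is
 * implementation-defined in C (two's-complement wrap on mainstream compilers). */
static int add_int_wrap(int a, int b)
{
    return (int)((unsigned int)a + (unsigned int)b);
}

/* Stricter alternative: detect the overflow before it happens and refuse.
 * Portable, no compiler builtins.  Returns 0 on success, -1 on overflow. */
static int add_int_checked(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return -1;
    *out = a + b;
    return 0;
}

/* Hypothetical stand-in for the end of tt_hvadvance_adjust(): apply an
 * HVAR/VVAR delta to an advance value.  Returns 0 on success, -1 if the
 * delta would overflow, leaving *avalue untouched in that case. */
static int adjust_advance(int *avalue, int delta)
{
    int adjusted;

    if (delta == 0)          /* nothing to do, like the patch's if ( delta ) guard */
        return 0;
    if (add_int_checked(*avalue, delta, &adjusted) != 0)
        return -1;
    *avalue = adjusted;
    return 0;
}

int main(void)
{
    int advance = INT_MAX;   /* constructed worst case */

    printf("wrapping add: %d\n", add_int_wrap(advance, 1));
    if (adjust_advance(&advance, 1) != 0)
        printf("checked add: overflow rejected, advance stays %d\n", advance);
    advance = 1000;
    adjust_advance(&advance, -24);
    printf("normal adjustment: %d\n", advance);
    return 0;
}
```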