Fwd: Wrong patch [SECURITY] [DSA 1095-1] New freetype packages fix several vulnerabilities
Hello debian-security,
Because there has been no reaction to this post of mine to security@debian.org
(see below), I am forwarding it to this mailing list. This bug has been
reported by several people by now. A patch is available (below). See Bug #373581.
----- Forwarded message from Stanislav Maslovski <stanislav.maslovski@gmail.com> -----
Date: Mon, 12 Jun 2006 15:47:13 +0400
From: Stanislav Maslovski <stanislav.maslovski@gmail.com>
To: Martin Schulze <joey@infodrom.org>
Cc: security@debian.org
Subject: Re: [SECURITY] [DSA 1095-1] New freetype packages fix several vulnerabilities
User-Agent: Mutt/1.5.9i
Hello,
I noticed random crashes of xfs and other apps on my system after upgrading
libfreetype on sarge. The reason is the incorrect patch
400-CVE-2006-2493_integer-overflows.diff
which introduces a division by zero in certain situations.
A patch that solves this problem is attached. It should be applied after all
other patches.
On Sat, Jun 10, 2006 at 07:22:33AM +0200, Martin Schulze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1095-1 security@debian.org
> http://www.debian.org/security/ Martin Schulze
> June 10th, 2006 http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package : freetype
> Vulnerability : integer overflows
> Problem type : local (remote)
> Debian-specific: no
> CVE IDs : CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661
> CERT advisory :
> BugTraq ID : 18034
> Debian Bug :
>
> Several problems have been discovered in the FreeType 2 font engine.
> The Common Vulnerabilities and Exposures project identifies the
> following problems:
>
[ skipped ]
diff -urN a/src/raster/ftrend1.c b/src/raster/ftrend1.c
--- freetype-2.1.7.orig/src/raster/ftrend1.c 2006-06-12 14:10:19.000000000 +0400
+++ freetype-2.1.7/src/raster/ftrend1.c 2006-06-12 15:10:59.000000000 +0400
@@ -176,7 +176,7 @@
bitmap->rows = height;
bitmap->pitch = pitch;
- if ((FT_ULong)pitch > LONG_MAX/height)
+ if ( height == 0 || (FT_ULong)pitch > LONG_MAX/height )
goto Exit;
if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )
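Review bot: The new `height == 0 ||` test is placed left of the division, so short-circuit evaluation stops the SIGFPE that the unconditional `LONG_MAX/height` produced; that ordering is the whole fix and must not be swapped. What the hunk does not show is the value of `error` when the zero-height case takes `goto Exit`: before this change an empty glyph went through `FT_ALLOC( bitmap->buffer, 0 )` rather than failing, and now it leaves through the same label as the overflow case. If `error` is not set to a non-zero code before the jump, a zero-height bitmap is reported as success with no buffer. Either set `error` explicitly before `goto Exit`, or keep the old behaviour for empty bitmaps with `if ( height != 0 && (FT_ULong)pitch > LONG_MAX/height )` so that only a real overflow exits.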
diff -urN a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c
--- freetype-2.1.7.orig/src/winfonts/winfnt.c 2006-06-12 14:10:19.000000000 +0400
+++ freetype-2.1.7/src/winfonts/winfnt.c 2006-06-12 15:15:16.000000000 +0400
@@ -616,7 +616,7 @@
/* note: since glyphs are stored in columns and not in rows we */
/* can't use ft_glyphslot_set_bitmap */
- if (pitch > LONG_MAX/bitmap->rows)
+ if ( bitmap->rows == 0 || pitch > LONG_MAX/bitmap->rows )
goto Exit;
if ( FT_ALLOC( bitmap->buffer, pitch * bitmap->rows ) )
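Review bot: Same ordering point as the ftrend1.c hunk: `bitmap->rows == 0 ||` must stay ahead of `LONG_MAX/bitmap->rows` for the short-circuit to protect the division. The hunk again does not show what `error` holds at `Exit`; if it is still zero, a bitmap with `rows == 0` returns success with `bitmap->buffer` unallocated, and the comment two lines above (this path bypasses `ft_glyphslot_set_bitmap`) means there is no generic check behind it to catch that. Set `error` to an explicit error code before the `goto Exit`. A smaller point: the `diff -urN a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c` line disagrees with the `--- freetype-2.1.7.orig/...` and `+++ freetype-2.1.7/...` names under it; `patch` uses the latter, but the header looks hand-edited and should be regenerated.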
----- End forwarded message -----
--
Станислав
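The guard this thread is about, as an added example that is neither FreeType's code nor the attached patch: it puts the unguarded pre-advisory computation, the check as shipped in DSA 1095-1, and the corrected check side by side. The FT_ULong/FT_Long typedefs and the notion of a signed allocator size are this example's own simplifications.

```c
#include <limits.h>
#include <stdio.h>

/* Added example, not FreeType code: the three states of the pitch*height
   guard that precedes the bitmap allocation in ftrend1.c / winfnt.c.
   The typedefs mirror FreeType's FT_ULong/FT_Long; the "signed allocator
   size" below is this example's simplified model of FT_ALLOC. */
typedef unsigned long FT_ULong;
typedef long          FT_Long;

enum guard { GUARD_OK = 0, GUARD_EXIT = 1 };

/* State 1, before the DSA-1095 patch: no guard. The product is passed on
   as a signed size, so an overflowed product arrives there negative (or
   wrapped small), which is what CVE-2006-2493 is about. */
static FT_Long unguarded_alloc_size( FT_ULong pitch, FT_ULong height )
{
    return (FT_Long)( pitch * height );
}

/* State 2, the guard as shipped in 400-CVE-2006-2493_integer-overflows.diff.
   Never call this with height == 0: the division traps (SIGFPE), which is
   the xfs crash reported in the thread. */
static enum guard guard_dsa1095( FT_ULong pitch, FT_ULong height )
{
    return pitch > LONG_MAX / height ? GUARD_EXIT : GUARD_OK;
}

/* State 3, the attached fix: test the divisor first, so short-circuit
   evaluation never reaches the division for a zero-height bitmap. Like
   the patch, both conditions take the Exit path. */
static enum guard guard_fixed( FT_ULong pitch, FT_ULong height )
{
    if ( height == 0 || pitch > LONG_MAX / height )
        return GUARD_EXIT;
    return GUARD_OK;
}

int main( void )
{
    /* constructed values: big*8 is exactly LONG_MAX+1, i.e. one past the
       largest size a signed allocator parameter can hold */
    FT_ULong big = (FT_ULong)( LONG_MAX / 8 ) + 1;
    printf( "unguarded big*8 as FT_Long: %ld\n", unguarded_alloc_size( big, 8 ) );
    printf( "dsa1095 guard big*8: %d\n", guard_dsa1095( big, 8 ) );
    printf( "fixed guard 64x0:    %d\n", guard_fixed( 64, 0 ) );
    printf( "fixed guard 64x64:   %d\n", guard_fixed( 64, 64 ) );
    return 0;
}
```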