[oe-commits] Scott Garman : freetype: patches for CVE-2012-5668, 5669, and 5670
git at git.openembedded.org
git at git.openembedded.org
Thu Jan 3 12:34:00 UTC 2013
Module: openembedded-core.git
Branch: denzil
Commit: be34916d81b71385a560a6990c7b30eba243b356
URL: http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=be34916d81b71385a560a6990c7b30eba243b356
Author: Scott Garman <scott.a.garman at intel.com>
Date: Thu Dec 27 14:48:56 2012 -0800
freetype: patches for CVE-2012-5668, 5669, and 5670
For details of these security issues, please see:
http://www.openwall.com/lists/oss-security/2012/12/25/1
Thanks to Eren Turkay <eren at hambedded.org> for submitting source
patches that apply cleanly to freetype 2.4.9.
This fixes denzil bug [YOCTO #3649]
Signed-off-by: Scott Garman <scott.a.garman at intel.com>
---
.../freetype/freetype-2.4.9/CVE-2012-5668.patch | 31 ++++++++++++++++++++
.../freetype/freetype-2.4.9/CVE-2012-5669.patch | 31 ++++++++++++++++++++
.../freetype/freetype-2.4.9/CVE-2012-5670.patch | 29 ++++++++++++++++++
meta/recipes-graphics/freetype/freetype_2.4.9.bb | 7 +++-
4 files changed, 96 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5668.patch b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5668.patch
new file mode 100644
index 0000000..609d73d
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5668.patch
@@ -0,0 +1,31 @@
+From 9b6b5754b57c12b820e01305eb69b8863a161e5a Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl at gnu.org>
+Date: Sat, 15 Dec 2012 00:34:41 +0000
+Subject: [bdf] Fix Savannah bug #37905.
+
+* src/bdf/bdflib.c (_bdf_parse_start): Reset `props_size' to zero in
+case of allocation error; this value gets used in a loop in
+`bdf_free_font'.
+
+Upstream-Status: Pending
+
+Signed-off-by: Eren Turkay <eren at hambedded.org>
+Signed-off-by: Scott Garman <scott.a.garman at intel.com>
+---
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index ed08a6e..8d7f9a0 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -2169,7 +2169,10 @@
+ p->cnt = p->font->props_size = _bdf_atoul( p->list.field[1], 0, 10 );
+
+ if ( FT_NEW_ARRAY( p->font->props, p->cnt ) )
++ {
++ p->font->props_size = 0;
+ goto Exit;
++ }
+
+ p->flags |= _BDF_PROPS;
+ *next = _bdf_parse_properties;
+--
+cgit v0.9.0.2
diff --git a/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5669.patch b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5669.patch
new file mode 100644
index 0000000..e4a991e
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5669.patch
@@ -0,0 +1,31 @@
+From 07bdb6e289c7954e2a533039dc93c1c136099d2d Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl at gnu.org>
+Date: Sat, 15 Dec 2012 01:02:23 +0000
+Subject: [bdf] Fix Savannah bug #37906.
+
+* src/bdf/bdflib.c (_bdf_parse_glyphs): Use correct array size for
+checking `glyph_enc'.
+
+Upstream-Status: Pending
+
+Signed-off-by: Eren Turkay <eren at hambedded.org>
+Signed-off-by: Scott Garman <scott.a.garman at intel.com>
+---
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index 8d7f9a0..f9c06ca 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1628,8 +1628,9 @@
+
+ /* Check that the encoding is in the Unicode range because */
+ /* otherwise p->have (a bitmap with static size) overflows. */
+- if ( p->glyph_enc > 0 &&
+- (size_t)p->glyph_enc >= sizeof ( p->have ) * 8 )
++ if ( p->glyph_enc > 0 &&
++ (size_t)p->glyph_enc >= sizeof ( p->have ) /
++ sizeof ( unsigned long ) * 32 )
+ {
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG5, lineno, "ENCODING" ));
+ error = BDF_Err_Invalid_File_Format;
+--
+cgit v0.9.0.2
diff --git a/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5670.patch b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5670.patch
new file mode 100644
index 0000000..73a41ca
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5670.patch
@@ -0,0 +1,29 @@
+From 7f2e4f4f553f6836be7683f66226afac3fa979b8 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl at gnu.org>
+Date: Sat, 15 Dec 2012 08:39:41 +0000
+Subject: [bdf] Fix Savannah bug #37907.
+
+* src/bdf/bdflib.c (_bdf_parse_glyphs) <ENCODING>: Normalize
+negative second parameter of `ENCODING' field also.
+
+Upstream-Status: Pending
+
+Signed-off-by: Eren Turkay <eren at hambedded.org>
+Signed-off-by: Scott Garman <scott.a.garman at intel.com>
+---
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index f9c06ca..365e671 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1624,6 +1624,9 @@
+ if ( p->glyph_enc == -1 && p->list.used > 2 )
+ p->glyph_enc = _bdf_atol( p->list.field[2], 0, 10 );
+
++ if ( p->glyph_enc < -1 )
++ p->glyph_enc = -1;
++
+ FT_TRACE4(( DBGMSG2, p->glyph_enc ));
+
+ /* Check that the encoding is in the Unicode range because */
+--
+cgit v0.9.0.2
diff --git a/meta/recipes-graphics/freetype/freetype_2.4.9.bb b/meta/recipes-graphics/freetype/freetype_2.4.9.bb
index 31bee80..6aa0f60 100644
--- a/meta/recipes-graphics/freetype/freetype_2.4.9.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.4.9.bb
@@ -13,10 +13,13 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=28d5381b1bef2649c59f20c20bae4f39
SECTION = "libs"
-PR = "r0"
+PR = "r1"
SRC_URI = "${SOURCEFORGE_MIRROR}/freetype/freetype-${PV}.tar.bz2 \
- file://no-hardcode.patch"
+ file://no-hardcode.patch \
+ file://CVE-2012-5668.patch \
+ file://CVE-2012-5669.patch \
+ file://CVE-2012-5670.patch"
SRC_URI[md5sum] = "77a893dae81fd5b896632715ca041179"
SRC_URI[sha256sum] = "c4204ac1d48e99d4375a2f32bf4f3f92780a9d9f015e64e57e852f6c004859b9"
More information about the Openembedded-commits
mailing list