Hi,

Prepared the update for release via buster-security, attached the
debdiff. https://salsa.debian.org/debian/freetype/-/merge_requests/2
contains as well the changes to be merged in the packaging repository.

Regards,
Salvatore
diff -Nru freetype-2.9.1/debian/changelog freetype-2.9.1/debian/changelog
--- freetype-2.9.1/debian/changelog     2019-07-27 15:19:28.000000000 +0200
+++ freetype-2.9.1/debian/changelog     2020-10-20 21:15:41.000000000 +0200
@@ -1,3 +1,10 @@
+freetype (2.9.1-3+deb10u2) buster-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix heap buffer overflow (CVE-2020-15999) (Closes: #972586)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Tue, 20 Oct 2020 21:15:41 +0200
+
 freetype (2.9.1-3+deb10u1) buster; urgency=medium
 
   * debian/control:
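Review bot: The new changelog entry at the top of this hunk says only "Fix heap buffer overflow" and does not name the patch file being added or the code it touches. Naming debian/patches/sfnt-Fix-heap-buffer-overflow-59308.patch and the affected function (Load_SBit_Png in src/sfnt/pngshim.c, per the patch header) would let someone reading the changelog alone map the CVE to the change.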
diff -Nru freetype-2.9.1/debian/patches/series 
freetype-2.9.1/debian/patches/series
--- freetype-2.9.1/debian/patches/series        2019-07-27 15:19:28.000000000 
+0200
+++ freetype-2.9.1/debian/patches/series        2020-10-20 21:15:41.000000000 
+0200
@@ -8,3 +8,4 @@
 revert-wrong-extern.patch
 no-web-fonts.patch
 hide-donations-information.patch
+sfnt-Fix-heap-buffer-overflow-59308.patch
diff -Nru 
freetype-2.9.1/debian/patches/sfnt-Fix-heap-buffer-overflow-59308.patch 
freetype-2.9.1/debian/patches/sfnt-Fix-heap-buffer-overflow-59308.patch
--- freetype-2.9.1/debian/patches/sfnt-Fix-heap-buffer-overflow-59308.patch     
1970-01-01 01:00:00.000000000 +0100
+++ freetype-2.9.1/debian/patches/sfnt-Fix-heap-buffer-overflow-59308.patch     
2020-10-20 21:15:41.000000000 +0200
@@ -0,0 +1,50 @@
+From: Werner Lemberg <w...@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [sfnt] Fix heap buffer overflow (#59308).
+Origin: 
https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd
+Bug-Debian: https://bugs.debian.org/972586
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-15999
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ ChangeLog          |  8 ++++++++
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e58463ad..f55016122c1c 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+ 
+     if ( populate_map_and_metrics )
+     {
++      /* reject too large bitmaps similarly to the rasterizer */
++      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++      {
++        error = FT_THROW( Array_Too_Large );
++        goto DestroyExit;
++      }
++
+       metrics->width  = (FT_UShort)imgWidth;
+       metrics->height = (FT_UShort)imgHeight;
+ 
+@@ -340,13 +347,6 @@
+       map->pixel_mode = FT_PIXEL_MODE_BGRA;
+       map->pitch      = (int)( map->width * 4 );
+       map->num_grays  = 256;
+-
+-      /* reject too large bitmaps similarly to the rasterizer */
+-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto DestroyExit;
+-      }
+     }
+ 
+     /* convert palette/gray image to rgb */
+-- 
+2.28.0
+
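Review bot: In the embedded pngshim.c change at @@ -332,6 +332,13 @@, the new 0x7FFF test on imgHeight and imgWidth sits inside the if ( populate_map_and_metrics ) block, so on the path where that flag is false nothing in these lines bounds the PNG dimensions; please confirm that path is checked against the existing bitmap elsewhere in Load_SBit_Png. The removed test ran on map->rows and map->width, after the (FT_UShort) casts into metrics->width and metrics->height, so extending the comment to say the test must stay ahead of those casts would keep it from being moved back later. Separately, the diffstat in the patch header still lists ChangeLog with 8 lines and "2 files changed", but only the src/sfnt/pngshim.c diff is included; regenerate the diffstat or note in the header that the ChangeLog hunk was dropped.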
