tags 696691 + pending
thanks

Hi Steve

I have uploaded the NMU (without delay) versioned as 2.4.9-1.1, as you gave me the ACK on IRC. Attached the full debdiff for the upload!

Regards,
Salvatore

diff -u freetype-2.4.9/debian/changelog freetype-2.4.9/debian/changelog --- freetype-2.4.9/debian/changelog +++ freetype-2.4.9/debian/changelog @@ -1,3 +1,19 @@ +freetype (2.4.9-1.1) unstable; urgency=high + + * Non-maintainer upload. + Upload ACKed by Steve Langasek <vor...@debian.org> on #debian-devel. + * Add savannah-bug-37905.patch patch + [SECURITY] CVE-2012-5668: NULL Pointer Dereference in bdf_free_font. + (Closes: #696691) + * Add savannah-bug-37906.patch patch + [SECURITY] CVE-2012-5669: Out-of-bounds read in _bdf_parse_glyphs. + (Closes: #696691) + * Add savannah-bug-37907.patch patch + [SECURITY] CVE-2012-5670: Out-of-bounds write in _bdf_parse_glyphs. + (Closes: #696691) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 28 Dec 2012 21:32:28 +0100 + freetype (2.4.9-1) unstable; urgency=low * New upstream release diff -u freetype-2.4.9/debian/patches-freetype/series freetype-2.4.9/debian/patches-freetype/series --- freetype-2.4.9/debian/patches-freetype/series +++ freetype-2.4.9/debian/patches-freetype/series @@ -5,0 +6,3 @@ +savannah-bug-37905.patch +savannah-bug-37906.patch +savannah-bug-37907.patch only in patch2: unchanged: --- freetype-2.4.9.orig/debian/patches-freetype/savannah-bug-37905.patch +++ freetype-2.4.9/debian/patches-freetype/savannah-bug-37905.patch 
@@ -0,0 +1,26 @@ +From 9b6b5754b57c12b820e01305eb69b8863a161e5a Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <w...@gnu.org> +Date: Sat, 15 Dec 2012 00:34:41 +0000 +Subject: [bdf] Fix Savannah bug #37905. + +* src/bdf/bdflib.c (_bdf_parse_start): Reset `props_size' to zero in +case of allocation error; this value gets used in a loop in +`bdf_free_font'. +--- +diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c +index ed08a6e..8d7f9a0 100644 +--- a/src/bdf/bdflib.c ++++ b/src/bdf/bdflib.c +@@ -2169,7 +2169,10 @@ + p->cnt = p->font->props_size = _bdf_atoul( p->list.field[1], 0, 10 ); + + if ( FT_NEW_ARRAY( p->font->props, p->cnt ) ) ++ { ++ p->font->props_size = 0; + goto Exit; ++ } + + p->flags |= _BDF_PROPS; + *next = _bdf_parse_properties; +-- +cgit v0.9.0.2 only in patch2: unchanged: --- freetype-2.4.9.orig/debian/patches-freetype/savannah-bug-37907.patch +++ freetype-2.4.9/debian/patches-freetype/savannah-bug-37907.patch @@ -0,0 +1,24 @@ +From 7f2e4f4f553f6836be7683f66226afac3fa979b8 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <w...@gnu.org> +Date: Sat, 15 Dec 2012 08:39:41 +0000 +Subject: [bdf] Fix Savannah bug #37907. + +* src/bdf/bdflib.c (_bdf_parse_glyphs) <ENCODING>: Normalize +negative second parameter of `ENCODING' field also. +--- +diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c +index f9c06ca..365e671 100644 +--- a/src/bdf/bdflib.c ++++ b/src/bdf/bdflib.c +@@ -1624,6 +1624,9 @@ + if ( p->glyph_enc == -1 && p->list.used > 2 ) + p->glyph_enc = _bdf_atol( p->list.field[2], 0, 10 ); + ++ if ( p->glyph_enc < -1 ) ++ p->glyph_enc = -1; ++ + FT_TRACE4(( DBGMSG2, p->glyph_enc )); + + /* Check that the encoding is in the Unicode range because */ +-- +cgit v0.9.0.2 only in patch2: unchanged: --- freetype-2.4.9.orig/debian/patches-freetype/savannah-bug-37906.patch +++ freetype-2.4.9/debian/patches-freetype/savannah-bug-37906.patch 
@@ -0,0 +1,26 @@ +From 07bdb6e289c7954e2a533039dc93c1c136099d2d Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <w...@gnu.org> +Date: Sat, 15 Dec 2012 01:02:23 +0000 +Subject: [bdf] Fix Savannah bug #37906. + +* src/bdf/bdflib.c (_bdf_parse_glyphs): Use correct array size for +checking `glyph_enc'. +--- +diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c +index 8d7f9a0..f9c06ca 100644 +--- a/src/bdf/bdflib.c ++++ b/src/bdf/bdflib.c +@@ -1628,8 +1628,9 @@ + + /* Check that the encoding is in the Unicode range because */ + /* otherwise p->have (a bitmap with static size) overflows. */ +- if ( p->glyph_enc > 0 && +- (size_t)p->glyph_enc >= sizeof ( p->have ) * 8 ) ++ if ( p->glyph_enc > 0 && ++ (size_t)p->glyph_enc >= sizeof ( p->have ) / ++ sizeof ( unsigned long ) * 32 ) + { + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG5, lineno, "ENCODING" )); + error = BDF_Err_Invalid_File_Format; +-- +cgit v0.9.0.2
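Review bot: in savannah-bug-37905.patch, the `_bdf_parse_start` hunk still assigns the parsed count to `p->font->props_size` before `FT_NEW_ARRAY` is known to succeed, and `p->cnt` keeps that count on the error path. Assigning `props_size` only after the allocation succeeds, and clearing `p->cnt` alongside it on failure, would keep the size and the `props` pointer consistent at every point instead of depending on the reset inside the error branch. A one-line comment next to `p->font->props_size = 0;` naming `bdf_free_font` as the consumer, as the commit message does, would make the reason visible in the source.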
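Review bot: in savannah-bug-37907.patch, the added clamp `if ( p->glyph_enc < -1 ) p->glyph_enc = -1;` runs before the `FT_TRACE4` call, so the trace prints the normalized value and the malformed `ENCODING` value read from the file never reaches debug output. Tracing before the clamp, or tracing both values, would make bad fonts easier to diagnose. The clamp also carries no comment; since the range check that follows only tests `p->glyph_enc > 0`, a short note that values below -1 are folded into the -1 case here would document why the normalization has to happen at this spot.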
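Review bot: in savannah-bug-37906.patch, the new bound `sizeof ( p->have ) / sizeof ( unsigned long ) * 32` hard-codes both the element type and the literal 32. If `have` is an array of `unsigned long`, as the division implies, `sizeof ( p->have[0] )` would track the declaration, and a named constant for the bits counted per element would replace the bare 32. The comment above the check still only mentions the Unicode range; it should say that 32 bits per element are counted, because that is the difference from the old `sizeof ( p->have ) * 8` expression wherever `unsigned long` is wider than 32 bits.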