aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2022-05-18 12:57:26 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2022-05-19 14:46:27 +0200
commita3ab88aa1aa858af93b196f47bca87dd32d37b75 (patch)
tree0b57ec860abec3affb23acbfbc1bfedf806a5a69
parentcc78d110b884b6d9ee1f8aad888e424aff2ae8d9 (diff)
downloadaports-a3ab88aa1aa858af93b196f47bca87dd32d37b75.tar.gz
aports-a3ab88aa1aa858af93b196f47bca87dd32d37b75.tar.bz2
aports-a3ab88aa1aa858af93b196f47bca87dd32d37b75.tar.xz
main/freetype: fix CVE-2022-27405 and CVE-2022-27406
(cherry picked from commit 2cac7499017def246acff43ed3bec6e9e857c240)
-rw-r--r--main/freetype/APKBUILD9
-rw-r--r--main/freetype/CVE-2022-27405.patch36
-rw-r--r--main/freetype/CVE-2022-27406.patch27
3 files changed, 71 insertions, 1 deletions
diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD
index c4be348f1a..34532ab6c3 100644
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
pkgname=freetype
pkgver=2.10.4
-pkgrel=2
+pkgrel=3
pkgdesc="TrueType font rendering library"
url="https://www.freetype.org/"
arch="all"
@@ -14,9 +14,14 @@ source="https://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar
0001-Enable-table-validation-modules.patch
subpixel.patch
CVE-2022-27404.patch
+ CVE-2022-27405.patch
+ CVE-2022-27406.patch
"
# secfixes:
+# 2.10.4-r3:
+# - CVE-2022-27405
+# - CVE-2022-27406
# 2.10.4-r2:
# - CVE-2022-27404
# 2.10.4-r0:
@@ -59,4 +64,6 @@ sha512sums="
580fe59acddfd41966e387bdb6a88336b8bc119cc3d60d8689be20c96fb0dd07c5138ea31f6cb9c854f497ecb41c3adc49eb3ec16a34b2e010e8294851770763 0001-Enable-table-validation-modules.patch
72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190 subpixel.patch
a00040fddd30f8b7add990c4614cbe69a04d702c471064eaf1f28b70a24c35e25e430bc8ae1d90f198b3e432d90c8884519db30fab2e41e467892d79f5cdee8f CVE-2022-27404.patch
+4e4ed4b325ca8dbbd7362782867901b90eef48cb78d6a030769c33add029d4f61ddafe590c1cca35edd8e2b0c128106b7e01874acf52ac7c2b475f4ca6cf8cdf CVE-2022-27405.patch
+574f0a93a022ba8bae4440012dd4062841187e1af4e906e5a8f117549a7e528e9d4a0bd35833294248f3a71b299175cbf6d144231af29d8d2dd350bc7dc5b804 CVE-2022-27406.patch
"
diff --git a/main/freetype/CVE-2022-27405.patch b/main/freetype/CVE-2022-27405.patch
new file mode 100644
index 0000000000..4766867601
--- /dev/null
+++ b/main/freetype/CVE-2022-27405.patch
@@ -0,0 +1,36 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+
+Fixes #1139.
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+ #endif
+
+
++ /* only use lower 31 bits together with sign bit */
++ if ( face_index > 0 )
++ face_index &= 0x7FFFFFFFL;
++ else
++ {
++ face_index &= 0x7FFFFFFFL;
++ face_index = -face_index;
++ }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ FT_TRACE3(( "FT_Open_Face: " ));
+ if ( face_index < 0 )
+--
+GitLab
+
diff --git a/main/freetype/CVE-2022-27406.patch b/main/freetype/CVE-2022-27406.patch
new file mode 100644
index 0000000000..0fdef7d216
--- /dev/null
+++ b/main/freetype/CVE-2022-27406.patch
@@ -0,0 +1,27 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+ if ( !face )
+ return FT_THROW( Invalid_Face_Handle );
+
++ if ( !face->size )
++ return FT_THROW( Invalid_Size_Handle );
++
+ if ( !req || req->width < 0 || req->height < 0 ||
+ req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+ return FT_THROW( Invalid_Argument );
+--
+GitLab
+