~ruther/guix-local

86f48a8dbff4528d1351676f429fa6a3d0afefd5 — Leo Famulari 8 years ago e24d527 
gnu: freetype: Fix CVE-2017-{8105,8287}.

* gnu/packages/patches/freetype-CVE-2017-8105.patch,
gnu/packages/patches/freetype-CVE-2017-8287.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/fontutils.scm (freetype)[replacement]: New field.
(freetype/fixed): New variable.
patch browse .tar.gz 
4 files changed, 112 insertions(+), 0 deletions(-)

M gnu/local.mk
M gnu/packages/fontutils.scm
A gnu/packages/patches/freetype-CVE-2017-8105.patch
A gnu/packages/patches/freetype-CVE-2017-8287.patch

M gnu/local.mk => gnu/local.mk +2 -0
@@ 575,6 575,8 @@ dist_patch_DATA =						\
  %D%/packages/patches/freeimage-CVE-2015-0852.patch		\
  %D%/packages/patches/freeimage-CVE-2016-5684.patch		\
  %D%/packages/patches/freeimage-fix-build-with-gcc-5.patch	\
  %D%/packages/patches/freetype-CVE-2017-8105.patch		\
  %D%/packages/patches/freetype-CVE-2017-8287.patch		\
  %D%/packages/patches/fuse-overlapping-headers.patch				\
  %D%/packages/patches/gawk-shell.patch				\
  %D%/packages/patches/gcc-arm-bug-71399.patch			\


M gnu/packages/fontutils.scm => gnu/packages/fontutils.scm +10 -0
@@ 48,6 48,7 @@
(define-public freetype
  (package
   (name "freetype")
   (replacement freetype/fixed)
   (version "2.7.1")
   (source (origin
            (method url-fetch)


@@ 73,6 74,15 @@ anti-aliased glyph bitmap generation with 256 gray levels.")
   (license license:freetype)           ; some files have other licenses
   (home-page "https://www.freetype.org/")))

(define freetype/fixed
  (package
    (inherit freetype)
    (source
      (origin
        (inherit (package-source freetype))
        (patches (search-patches "freetype-CVE-2017-8105.patch"
                                 "freetype-CVE-2017-8287.patch"))))))

(define-public ttfautohint
  (package
    (name "ttfautohint")


A gnu/packages/patches/freetype-CVE-2017-8105.patch => gnu/packages/patches/freetype-CVE-2017-8105.patch +56 -0
@@ 0,0 1,56 @@
Fix CVE-2017-8105:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935

Patch copied from upstream source repository:

https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791

From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 24 Mar 2017 09:15:10 +0100
Subject: [PATCH] [psaux] Better protect `flex' handling.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935

* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
<callothersubr>: Since there is not a single flex operator but a
series of subroutine calls, malformed fonts can call arbitrary other
operators after the start of a flex, possibly adding points.  For
this reason we have to check the available number of points before
inserting a point.
---
 ChangeLog            | 15 +++++++++++++++
 src/psaux/t1decode.c |  9 +++++++++
 2 files changed, 24 insertions(+)

diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index af7b465e..7dd45135 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -780,10 +780,19 @@
             /* point without adding any point to the outline    */
             idx = decoder->num_flex_vectors++;
             if ( idx > 0 && idx < 7 )
+            {
+              /* in malformed fonts it is possible to have other */
+              /* opcodes in the middle of a flex (which don't    */
+              /* increase `num_flex_vectors'); we thus have to   */
+              /* check whether we can add a point                */
+              if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
+                goto Syntax_Error;
+
               t1_builder_add_point( builder,
                                     x,
                                     y,
                                     (FT_Byte)( idx == 3 || idx == 6 ) );
+            }
           }
           break;
 
-- 
2.12.2



A gnu/packages/patches/freetype-CVE-2017-8287.patch => gnu/packages/patches/freetype-CVE-2017-8287.patch +44 -0
@@ 0,0 1,44 @@
Fix CVE-2017-8287:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941

Patch copied from upstream source repository:
https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=3774fc08b502c3e685afca098b6e8a195aded6a0

From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Sun, 26 Mar 2017 08:32:09 +0200
Subject: [PATCH] * src/psaux/psobjs.c (t1_builder_close_contour): Add safety
 guard.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
---
 ChangeLog          | 8 ++++++++
 src/psaux/psobjs.c | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
index d18e821a..0baf8368 100644
--- a/src/psaux/psobjs.c
+++ b/src/psaux/psobjs.c
@@ -1718,6 +1718,14 @@
     first = outline->n_contours <= 1
             ? 0 : outline->contours[outline->n_contours - 2] + 1;
 
+    /* in malformed fonts it can happen that a contour was started */
+    /* but no points were added                                    */
+    if ( outline->n_contours && first == outline->n_points )
+    {
+      outline->n_contours--;
+      return;
+    }
+
     /* We must not include the last point in the path if it */
     /* is located on the first point.                       */
     if ( outline->n_points > 1 )
-- 
2.12.2