control: tag -1 patch

Hi, I've uploaded an NMU fixing this issue. Please see the attached patch.
Best wishes, Mike
diff -u freetype-2.5.2/debian/changelog freetype-2.5.2/debian/changelog
--- freetype-2.5.2/debian/changelog
+++ freetype-2.5.2/debian/changelog
@@ -1,3 +1,12 @@
+freetype (2.5.2-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix two security issues in the CFF rasterizer (closes: #741299)
+ - CVE-2014-2240: out-of-bounds read/write in cf2hints.c.
+ - CVE-2014-2241: denial-of-service in cf2ft.c.
+
+ -- Michael Gilbert <mgilb...@debian.org> Mon, 28 Jul 2014 02:56:08 +0000
+
 freetype (2.5.2-1) unstable; urgency=low
 
 * New upstream release
diff -u freetype-2.5.2/debian/patches-freetype/series freetype-2.5.2/debian/patches-freetype/series
--- freetype-2.5.2/debian/patches-freetype/series
+++ freetype-2.5.2/debian/patches-freetype/series
@@ -3,0 +4,3 @@
+
+CVE-2014-2240.patch
+CVE-2014-2241.patch
only in patch2: unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-2240.patch
+++ freetype-2.5.2/debian/patches-freetype/CVE-2014-2240.patch
@@ -0,0 +1,21 @@
+From 0eae6eb0645264c98812f0095e0f5df4541830e6 Mon Sep 17 00:00:00 2001
+From: Dave Arnold <darn...@adobe.com>
+Date: Fri, 28 Feb 2014 06:40:01 +0000
+Subject: Fix Savannah bug #41697, part 1.
+
+* src/cff/cf2hints.c (cf2_hintmap_build): Return when `hintMask' is
+invalid. In this case, it is not safe to use the length of
+`hStemHintArray'; the exception has already been recorded in
+`hintMask'.
+
+--- a/src/cff/cf2hints.c
++++ b/src/cff/cf2hints.c
+@@ -781,6 +781,8 @@
+ cf2_hintmask_setAll( hintMask,
+ cf2_arrstack_size( hStemHintArray ) +
+ cf2_arrstack_size( vStemHintArray ) );
++ if ( !cf2_hintmask_isValid( hintMask ) )
++ return; /* too many stem hints */
+ }
+
+ /* begin by clearing the map */
only in patch2: unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-2241.patch
+++ freetype-2.5.2/debian/patches-freetype/CVE-2014-2241.patch
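Review bot: The new early `return;` in cf2_hintmap_build (the two `++` lines after `cf2_arrstack_size( vStemHintArray ) );`) leaves the function before the `/* begin by clearing the map */` step, so the hintmap keeps whatever contents it had and the only record of the failure is the error that, per the patch description, cf2_hintmask_setAll has already stored in `hintMask`; that contract is not visible at the return site. I would extend the trailing comment to `/* too many stem hints; error already recorded in hintMask by cf2_hintmask_setAll, so callers are expected to check it before using the map */`. cf2_hintmap_build begins and ends outside the nested hunk, so whether every caller consults the error before reading the map cannot be confirmed from here.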
@@ -0,0 +1,48 @@
+From 135c3faebb96f8f550bd4f318716f2e1e095a969 Mon Sep 17 00:00:00 2001
+From: Dave Arnold <darn...@adobe.com>
+Date: Fri, 28 Feb 2014 06:42:42 +0000
+Subject: Fix Savannah bug #41697, part 2.
+
+* src/cff/cf2ft.c (cf2_initLocalRegionBuffer,
+cf2_initGlobalRegionBuffer): It is possible for a charstring to call
+a subroutine if no subroutines exist. This is an error but should
+not trigger an assert. Split the assert to account for this.
+
+--- a/src/cff/cf2ft.c
++++ b/src/cff/cf2ft.c
+@@ -508,7 +508,7 @@
+ CF2_UInt idx,
+ CF2_Buffer buf )
+ {
+- FT_ASSERT( decoder && decoder->globals );
++ FT_ASSERT( decoder );
+
+ FT_ZERO( buf );
+
+@@ -516,6 +516,8 @@
+ if ( idx >= decoder->num_globals )
+ return TRUE; /* error */
+
++ FT_ASSERT( decoder->globals );
++
+ buf->start =
+ buf->ptr = decoder->globals[idx];
+ buf->end = decoder->globals[idx + 1];
+@@ -581,7 +583,7 @@
+ CF2_UInt idx,
+ CF2_Buffer buf )
+ {
+- FT_ASSERT( decoder && decoder->locals );
++ FT_ASSERT( decoder );
+
+ FT_ZERO( buf );
+
+@@ -589,6 +591,8 @@
+ if ( idx >= decoder->num_locals )
+ return TRUE; /* error */
+
++ FT_ASSERT( decoder->locals );
++
+ buf->start =
+ buf->ptr = decoder->locals[idx];
+ buf->end = decoder->locals[idx + 1];
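Review bot: The `FT_ASSERT( decoder->globals );` added after the `idx >= decoder->num_globals` check (and the matching `FT_ASSERT( decoder->locals );` in cf2_initLocalRegionBuffer) only protects debug builds, since FT_ASSERT expands to nothing unless FreeType is compiled with FT_DEBUG_LEVEL_ERROR, as far as I recall. In a release build the read of `decoder->globals[idx]` is therefore safe only if `num_globals` is guaranteed to be 0 whenever `globals` is NULL, an invariant established outside this hunk. A cheap unconditional guard would make the bounds check self-sufficient: `if ( !decoder->globals || idx >= decoder->num_globals ) return TRUE; /* error */`, and likewise `if ( !decoder->locals || idx >= decoder->num_locals )` for the local variant. Both functions begin and end outside the nested hunks, so the rest of their bodies cannot be checked from here.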