Hi guys,

Looks like it's time for another try at freetype. CVE-2006-3467 appears to be a potentially exploitable integer overflow in freetype's PCF parser. I've uploaded freetype_2.1.7-6 to <http://people.debian.org/~vorlon/freetype-DSA/>, replacing the previous version there; signed sources, unsigned changes. Please do whatever's necessary with the package to make it suitable for a DSA release -- I won't be uploading it at all to the security.d.o dak queue, given the poor outcome of my other recent attempts.

debdiff vs. 2.1.7-5 in stable (r3) is also attached to this mail, in case that's more convenient.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
diff -u freetype-2.1.7/debian/rules freetype-2.1.7/debian/rules --- freetype-2.1.7/debian/rules +++ freetype-2.1.7/debian/rules @@ -178,6 +178,9 @@ # Fix integer overflows (CVE-2006-2493) patch -p0 -i $(patchdir)/400-CVE-2006-2493_integer-overflows.diff + # Fix further integer overflows (CVE-2006-3467) + patch -p0 -i $(patchdir)/500-CVE-2006-3467_pcf-strlen.diff + cd $(freetype_u) && ./configure --prefix=/usr CFLAGS=\"$(CFLAGS)\" # cd $(freetype_u) && ./configure --prefix=/usr $(MAKE) -C $(freetype_u) diff -u freetype-2.1.7/debian/changelog freetype-2.1.7/debian/changelog --- freetype-2.1.7/debian/changelog +++ freetype-2.1.7/debian/changelog @@ -1,3 +1,12 @@ +freetype (2.1.7-6) stable-security; urgency=low + + * Add debian/patches-freetype/CVE-2006-3467_pcf-strlen.patch for + CVE-2006-3467, a missing string length check in PCF files that + leads to a possibly exploitable integer overflow. Thanks to Martin + Pitt for the patch. Closes: #379920. + + -- Steve Langasek <[EMAIL PROTECTED]> Tue, 12 Sep 2006 23:27:20 -0700 + freetype (2.1.7-5) stable; urgency=low * Backport the fix for bug #367579 (use CURDIR instead of PWD) so that only in patch2: unchanged: --- freetype-2.1.7.orig/debian/patches/500-CVE-2006-3467_pcf-strlen.diff +++ freetype-2.1.7/debian/patches/500-CVE-2006-3467_pcf-strlen.diff 
@@ -0,0 +1,34 @@ +Index: freetype-2.1.7/src/pcf/pcfread.c +=================================================================== +--- freetype-2.1.7.orig/src/pcf/pcfread.c 2006-07-26 12:59:30.000000000 +0200 ++++ freetype-2.1.7/src/pcf/pcfread.c 2006-07-26 12:59:46.000000000 +0200 +@@ -433,6 +433,14 @@ + + for ( i = 0; i < nprops; i++ ) + { ++ /* 2006:0500 (mbarnes) - Detect invalid string length. ++ * XXX Is this is best error code to return? */ ++ if ( props[i].name < 0 ) ++ { ++ error = FT_Err_Invalid_File_Format; ++ goto Bail; ++ } ++ + /* XXX: make atom */ + if ( FT_NEW_ARRAY( properties[i].name, + ft_strlen( strings + props[i].name ) + 1 ) ) +@@ -443,6 +451,14 @@ + + if ( props[i].isString ) + { ++ /* 2006:0500 (mbarnes) - Detect invalid string length. ++ * XXX Is this the best error code to return? */ ++ if ( props[i].value < 0 ) ++ { ++ error = FT_Err_Invalid_File_Format; ++ goto Bail; ++ } ++ + if ( FT_NEW_ARRAY( properties[i].value.atom, + ft_strlen( strings + props[i].value ) + 1 ) ) + goto Bail;
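Review bot: the changelog entry names the new patch as debian/patches-freetype/CVE-2006-3467_pcf-strlen.patch, but the file this debdiff actually adds and the file debian/rules applies is debian/patches/500-CVE-2006-3467_pcf-strlen.diff; the changelog should cite the real path so the DSA text and the source package agree, and the rules hunk's "Fix further integer overflows (CVE-2006-3467)" comment could say "missing PCF string offset check" so it describes what 500-CVE-2006-3467_pcf-strlen.diff does.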
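Review bot: the two new checks in pcfread.c only reject negative offsets (`if ( props[i].name < 0 )` and `if ( props[i].value < 0 )`) before `ft_strlen( strings + props[i].name )` and `ft_strlen( strings + props[i].value )` are called, so a non-negative offset that lies at or past the end of the string table is still handed to ft_strlen; bounding each offset against the string table's length as well would make the check complete, and that is worth settling before this ships as a DSA. Two smaller points in the same hunks: the first added comment reads "Is this is best error code to return?" while the second reads "Is this the best error code to return?", so fix the typo, and the "XXX" questions about FT_Err_Invalid_File_Format should be answered (or the XXX markers dropped) rather than left open in a security update.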