Hi Security Team & Jeremy,
I had originally planned to ask the release team about fixing #1029845
(the bug below) in bullseye via t-p-u. However, it would appear that
there's also an outstanding security bug in harfbuzz (CVE-2022-33068,
tracked at #1013673). So instead, maybe it's better if we group the
font removal and the security fix together and upload something like
what I've attached (a debdiff against 2.7.4-1) to bullseye-security.
What do folks think?
Jeremy, I created a bullseye branch over in my repo at
https://salsa.debian.org/dilinger/harfbuzz/-/commits/bullseye
Based on what's decided, I can adjust it and do an MR to whatever your
preferred branch name is.
On Sat, 28 Jan 2023 13:05:01 -0500 Andres Salomon <dilin...@queued.net> wrote:
> Source: harfbuzz
> Severity: serious
> Version: 6.0.0-1
> Justification: Policy 2.1
>
> Harfbuzz includes a nondistributable font in its test suite. I thought
> it was just in sid/bookworm, but it's apparently also in bullseye as
> well.
>
> In bullseye:
> test/shaping/data/in-house/fonts/641ca9d7808b01cafa9a666c13811c9b56eb9c52.ttf
>
> In sid:
> test/shape/data/in-house/fonts/641ca9d7808b01cafa9a666c13811c9b56eb9c52.ttf
>
>
> dilinger@hm90:~/sid-build/harfbuzz2$ exiftool -Copyright-en-US
> test/shape/data/in-house/fonts/641ca9d7808b01cafa9a666c13811c9b56eb9c52.ttf
> Copyright (en-US) : The digitally signed machine readable
> Typeface(Font) licensed to you is copyrighted ©, (2010), King Fahd
> Glorious Quran Printing Complex...ISBN: 978-603-8010-15-0, Accession
> No. 1430/7278..All rights reserved. This Font is the property of King
> Fahd Glorious Quran Printing Complex, and may not be reproduced,
> modified without the express written approval of King Fahd Glorious
> Quran Printing Complex.
>
>
> Upstream has removed the font, and Debian should as well:
> https://github.com/harfbuzz/harfbuzz/issues/4059
>
diff -Nru harfbuzz-2.7.4/debian/changelog harfbuzz-2.7.4+dfsg/debian/changelog
--- harfbuzz-2.7.4/debian/changelog 2021-01-18 15:43:29.000000000 +0000
+++ harfbuzz-2.7.4+dfsg/debian/changelog 2023-02-01 06:19:01.000000000 +0000
@@ -1,3 +1,14 @@
+harfbuzz (2.7.4+dfsg-1+deb11u1) bullseye-security; urgency=high
+
+ * Team upload.
+ * Backport fix for integer overflow in hb-ot-shape-fallback.cc that can
+ allow attackers to cause a denial of service (CVE-2022-33068).
+ * Use Files-Excluded to exclude a non-free test font and generate a new
+ source tarball (closes: #1029845).
+ * Disable related font test.
+
+ -- Andres Salomon <dilin...@debian.org> Wed, 01 Feb 2023 01:19:01 -0500
+
harfbuzz (2.7.4-1) unstable; urgency=medium
* New upstream version.
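Review bot: the changelog entry says the CVE-2022-33068 fix is in hb-ot-shape-fallback.cc, but the only code int-overflow.patch in this debdiff touches is src/hb-ot-color-sbix-table.hh; the bullet should name the file actually patched so the security tracker and later readers are not pointed at the wrong place. Since the cover mail says the CVE is tracked at #1013673, it would also help to close that bug from the same bullet ("(CVE-2022-33068, closes: #1013673)"), as is already done for #1029845.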
diff -Nru harfbuzz-2.7.4/debian/copyright harfbuzz-2.7.4+dfsg/debian/copyright
--- harfbuzz-2.7.4/debian/copyright 2021-01-18 15:43:29.000000000 +0000
+++ harfbuzz-2.7.4+dfsg/debian/copyright 2023-02-01 06:19:01.000000000 +0000
@@ -2,6 +2,8 @@
Upstream-Name: HarfBuzz
Upstream-Contact: Behdad Esfahbod
Source: https://www.freedesktop.org/wiki/Software/HarfBuzz
+Files-excluded: test/shaping/data/in-house/fonts/641ca9d7808b01cafa9a666c13811c9b56eb9c52.ttf
+ test/shaping/data/in-house/tests/arabic-mark-attach.tests
Files: *
Copyright: 2010,2011,2013-2018 Google, Inc.
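Review bot: the field is spelled `Files-excluded:` here while the changelog entry calls it `Files-Excluded`; deb822 field names are matched case-insensitively, so it works either way, but the documented uscan spelling `Files-Excluded:` keeps the two consistent. A `Comment:` line stating why the font and its arabic-mark-attach.tests file are excluded (non-free licence, #1029845) would let the next maintainer see the reason without reading the changelog.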
diff -Nru harfbuzz-2.7.4/debian/patches/disable-test.patch harfbuzz-2.7.4+dfsg/debian/patches/disable-test.patch
--- harfbuzz-2.7.4/debian/patches/disable-test.patch 1970-01-01 00:00:00.000000000 +0000
+++ harfbuzz-2.7.4+dfsg/debian/patches/disable-test.patch 2023-02-01 06:19:01.000000000 +0000
@@ -0,0 +1,33 @@
+author: Behdad Esfahbod
+description: fix build for the upstream test we removed
+
+This is pulled from upstream:
+https://github.com/harfbuzz/harfbuzz/commit/e4cdaa1d3f7aa9725ba1d2beed4096287a8d59ce
+
+We're stripping a test font out of the source tarball, so we need
+to adjust things accordingly.
+
+diff --git a/test/shaping/data/in-house/Makefile.sources b/test/shaping/data/in-house/Makefile.sources
+index b3fdca274..af81cba51 100644
+--- a/test/shaping/data/in-house/Makefile.sources
++++ b/test/shaping/data/in-house/Makefile.sources
+@@ -4,7 +4,6 @@ TESTS = \
+ tests/arabic-fallback-shaping.tests \
+ tests/arabic-feature-order.tests \
+ tests/arabic-like-joining.tests \
+- tests/arabic-mark-attach.tests \
+ tests/arabic-mark-order.tests \
+ tests/arabic-stch.tests \
+ tests/automatic-fractions.tests \
+diff --git a/test/shaping/data/in-house/meson.build b/test/shaping/data/in-house/meson.build
+index 0bd1a9dcd..3946b6b3a 100644
+--- a/test/shaping/data/in-house/meson.build
++++ b/test/shaping/data/in-house/meson.build
+@@ -4,7 +4,6 @@ in_house_tests = [
+ 'arabic-fallback-shaping.tests',
+ 'arabic-feature-order.tests',
+ 'arabic-like-joining.tests',
+- 'arabic-mark-attach.tests',
+ 'arabic-mark-order.tests',
+ 'arabic-stch.tests',
+ 'automatic-fractions.tests',
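Review bot: the patch header uses lowercase `author:` and `description:` and leaves the upstream commit URL in free text; DEP-3 expects `Author:`, `Description:`, an `Origin: upstream, https://github.com/harfbuzz/harfbuzz/commit/e4cdaa1d3f7aa9725ba1d2beed4096287a8d59ce` line and `Bug-Debian: https://bugs.debian.org/1029845`, so that tooling can trace the backport. The removals themselves are consistent: arabic-mark-attach.tests is dropped from both Makefile.sources and meson.build, which matches the .tests file listed in Files-Excluded and deleted at the end of this debdiff.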
diff -Nru harfbuzz-2.7.4/debian/patches/int-overflow.patch harfbuzz-2.7.4+dfsg/debian/patches/int-overflow.patch
--- harfbuzz-2.7.4/debian/patches/int-overflow.patch 1970-01-01 00:00:00.000000000 +0000
+++ harfbuzz-2.7.4+dfsg/debian/patches/int-overflow.patch 2023-02-01 06:19:01.000000000 +0000
@@ -0,0 +1,19 @@
+description: fix for CVE-2022-33068 (int overflow causing denial of service)
+
+diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
+index 09da11597..d6b632b50 100644
+--- a/src/hb-ot-color-sbix-table.hh
++++ b/src/hb-ot-color-sbix-table.hh
+@@ -298,6 +298,12 @@ struct sbix
+
+ const PNGHeader &png = *blob->as<PNGHeader>();
+
++ if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536)
++ {
++ hb_blob_destroy (blob);
++ return false;
++ }
++
+ extents->x_bearing = x_offset;
+ extents->y_bearing = png.IHDR.height + y_offset;
+ extents->width = png.IHDR.width;
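Review bot: the added guard `if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536)` uses the bitwise `|` where the logical `||` is clearly intended; with two bool operands the truth value is the same, so the overflow check still fires, but it reads as a typo, can draw compiler warnings, and should be `||` before this ships. Unlike disable-test.patch, this patch has no `Origin:` pointing at the upstream commit and no `Bug-Debian:` for #1013673, which makes it hard for a reviewer to confirm that this is the complete upstream fix for CVE-2022-33068; please add those headers and capitalise `Description:` per DEP-3.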
diff -Nru harfbuzz-2.7.4/debian/patches/series harfbuzz-2.7.4+dfsg/debian/patches/series
--- harfbuzz-2.7.4/debian/patches/series 2021-01-18 15:43:29.000000000 +0000
+++ harfbuzz-2.7.4+dfsg/debian/patches/series 2023-02-01 06:19:01.000000000 +0000
@@ -0,0 +1,2 @@
+int-overflow.patch
+disable-test.patch
Binary files /tmp/h3MFPyAQvv/harfbuzz-2.7.4/test/shaping/data/in-house/fonts/641ca9d7808b01cafa9a666c13811c9b56eb9c52.ttf and /tmp/JSCCICuqyi/harfbuzz-2.7.4+dfsg/test/shaping/data/in-house/fonts/641ca9d7808b01cafa9a666c13811c9b56eb9c52.ttf differ
diff -Nru harfbuzz-2.7.4/test/shaping/data/in-house/tests/arabic-mark-attach.tests harfbuzz-2.7.4+dfsg/test/shaping/data/in-house/tests/arabic-mark-attach.tests
--- harfbuzz-2.7.4/test/shaping/data/in-house/tests/arabic-mark-attach.tests 2020-12-27 00:01:18.000000000 +0000
+++ harfbuzz-2.7.4+dfsg/test/shaping/data/in-house/tests/arabic-mark-attach.tests 1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-../fonts/641ca9d7808b01cafa9a666c13811c9b56eb9c52.ttf::U+064A,U+0633,U+06E1,U+200D,U+0654,U+064E,U+0644:[afii57444.zz04=6+1091|afii57454=1@75,925+0|uni0654=1+0|space=1+0|uni06E1=1@950,1115+0|afii57427.zz03_calt=1+1847|afii57450.zz21=0+345]