On 01/02/2023 09:47, Andres Salomon wrote:
> Hi Security Team & Jeremy,
> I had originally planned to ask the release team about fixing #1029845 (the bug
> below) in bullseye via t-p-u. However, it would appear that there's also an
> outstanding security bug in harfbuzz (CVE-2022-33068, tracked at #1013673). So
> instead, maybe it's better if we group the font removal and the security fix
> together and upload something like what I've attached (a debdiff against
> 2.7.4-1) to bullseye-security. What do folks think?
> Jeremy, I created a bullseye branch over in my repo at
> https://salsa.debian.org/dilinger/harfbuzz/-/commits/bullseye
> Based on what's decided, I can adjust it and do an MR to whatever your preferred
> branch name is.
Can you also include this change to fix a compiler warning on that security fix?
https://github.com/harfbuzz/harfbuzz/commit/e421613e8f825508afa9a0b54d33085557c37441
Cheers,
Emilio
> On Sat, 28 Jan 2023 13:05:01 -0500 Andres Salomon <dilin...@queued.net> wrote:
> > Source: harfbuzz
> > Severity: serious
> > Version: 6.0.0-1
> > Justification: Policy 2.1
> >
> > Harfbuzz includes a nondistributable font in its test suite. I thought
> > it was just in sid/bookworm, but it's apparently also in bullseye as
> > well.
> >
> > In bullseye:
> > test/shaping/data/in-house/fonts/641ca9d7808b01cafa9a666c13811c9b56eb9c52.ttf
> >
> > In sid:
> > test/shape/data/in-house/fonts/641ca9d7808b01cafa9a666c13811c9b56eb9c52.ttf
> >
> >
> > dilinger@hm90:~/sid-build/harfbuzz2$ exiftool -Copyright-en-US
> > test/shape/data/in-house/fonts/641ca9d7808b01cafa9a666c13811c9b56eb9c52.ttf
> > Copyright (en-US) : The digitally signed machine readable
> > Typeface(Font) licensed to you is copyrighted ©, (2010), King Fahd
> > Glorious Quran Printing Complex...ISBN: 978-603-8010-15-0, Accession
> > No. 1430/7278..All rights reserved. This Font is the property of King
> > Fahd Glorious Quran Printing Complex, and may not be reproduced,
> > modified without the express written approval of King Fahd Glorious
> > Quran Printing Complex.
> >
> >
> > Upstream has removed the font, and Debian should as well:
> > https://github.com/harfbuzz/harfbuzz/issues/4059
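The check Andres ran above with exiftool (read the font's OpenType `name` table and look at the copyright string) is the kind of thing worth automating in a source-package lint, so that a nondistributable test fixture is caught before a tarball is repacked and uploaded. The script below is an added example written for this page; it is not code from harfbuzz, Debian or anyone in this thread. It parses the sfnt header and `name` table directly, so it needs no exiftool or fontTools. The phrase list in `RESTRICTIVE` is my own heuristic for flagging candidates for manual review, not a legal test, and the two sample fonts are constructed in-memory stubs containing only a `name` table, not the real files from the harfbuzz tree.

```python
"""Flag TrueType/OpenType fonts whose copyright or license notice looks
nondistributable. Added example, not project code. Pure Python: reads the
sfnt table directory and the 'name' table (nameID 0 = copyright, 13 =
license description), the same data exiftool printed in the bug report."""
import os
import re
import struct

COPYRIGHT_ID = 0
LICENSE_ID = 13

# Heuristic phrases (assumption chosen for this example) that usually mean
# "not free to redistribute". Matches are candidates for human review.
RESTRICTIVE = re.compile(
    r"may not be (reproduced|modified|redistributed|copied)|"
    r"all rights reserved|not for redistribution",
    re.IGNORECASE,
)


def _decode(platform_id, encoding_id, raw):
    # Unicode (0) and Windows (3) platforms store UTF-16BE; the Macintosh
    # platform (1) is Mac Roman, approximated with latin-1 here.
    if platform_id in (0, 3):
        return raw.decode("utf-16-be", errors="replace")
    return raw.decode("latin-1", errors="replace")


def read_name_table(data):
    """Return {nameID: [string, ...]} from an sfnt blob ({} if no 'name' table)."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    sfnt_version, num_tables = struct.unpack(">IH", data[:6])
    if sfnt_version not in (0x00010000, 0x4F54544F, 0x74727565):  # 1.0, 'OTTO', 'true'
        raise ValueError("not a TrueType/OpenType font")
    name_off = name_len = None
    for i in range(num_tables):  # 16-byte table records follow the 12-byte header
        rec = 12 + 16 * i
        tag, _checksum, off, length = struct.unpack(">4sIII", data[rec:rec + 16])
        if tag == b"name":
            name_off, name_len = off, length
            break
    if name_off is None:
        return {}
    tbl = data[name_off:name_off + name_len]
    _version, count, storage = struct.unpack(">HHH", tbl[:6])
    names = {}
    for i in range(count):  # 12-byte name records, strings in the storage area
        rec = 6 + 12 * i
        plat, enc, _lang, name_id, length, off = struct.unpack(">HHHHHH", tbl[rec:rec + 12])
        raw = tbl[storage + off:storage + off + length]
        names.setdefault(name_id, []).append(_decode(plat, enc, raw))
    return names


def restrictive_notices(data):
    """Copyright/license strings matching RESTRICTIVE; an empty list means no hit."""
    names = read_name_table(data)
    return [s for nid in (COPYRIGHT_ID, LICENSE_ID)
            for s in names.get(nid, []) if RESTRICTIVE.search(s)]


def scan_tree(root):
    """Walk a checkout; return {path: [flagged strings]} for .ttf/.otf files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".ttf", ".otf")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                try:
                    hits = restrictive_notices(fh.read())
                except ValueError:
                    continue  # not an sfnt despite the extension
            if hits:
                findings[path] = hits
    return findings


def build_stub_font(copyright_text, license_text=None):
    """Constructed test input: a minimal sfnt with only a 'name' table."""
    entries = [(COPYRIGHT_ID, copyright_text)]
    if license_text is not None:
        entries.append((LICENSE_ID, license_text))
    records, storage = b"", b""
    for name_id, text in entries:
        raw = text.encode("utf-16-be")
        # platformID 3 (Windows), encodingID 1 (Unicode BMP), languageID 0x0409 (en-US)
        records += struct.pack(">HHHHHH", 3, 1, 0x0409, name_id, len(raw), len(storage))
        storage += raw
    name_table = struct.pack(">HHH", 0, len(entries), 6 + len(records)) + records + storage
    offset_table = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)  # version 1.0, 1 table
    table_record = struct.pack(">4sIII", b"name", 0, 12 + 16, len(name_table))
    return offset_table + table_record + name_table


# Constructed samples (not the real harfbuzz test fonts).
RESTRICTED_FONT = build_stub_font(
    "Copyright (c) 2010, Example Printing Complex. All rights reserved. "
    "This Font may not be reproduced, modified without express written approval.")
FREE_FONT = build_stub_font(
    "Copyright 2020 The Example Project Authors",
    "This Font Software is licensed under the SIL Open Font License, Version 1.1.")

if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path)
        for h in hits:
            print("   ", h)
```

Run it as `python3 fontlint.py test/` from an unpacked upstream tarball; anything it prints is a candidate for `Files-Excluded` in `debian/copyright` and a `+dfsg` repack. Because "All rights reserved" also appears in plenty of freely licensed fonts, treat the output as a worklist, not a verdict.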