summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorScott Garman <scott.a.garman@intel.com>2012-12-27 22:48:56 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2013-01-03 12:34:25 (GMT)
commit156c2554b76cde2d6d9350aaaf9848986201375d (patch)
tree55325615f9a104ab15c9b49d6b0c94821b5530f0
parentb6037b6d2fc9cb4e8a3564468da0f796ed9235d8 (diff)
downloadpoky-156c2554b76cde2d6d9350aaaf9848986201375d.tar.gz
freetype: patches for CVE-2012-5668, 5669, and 5670
For details of these security issues, please see: http://www.openwall.com/lists/oss-security/2012/12/25/1 Thanks to Eren Turkay <eren@hambedded.org> for submitting source patches that apply cleanly to freetype 2.4.9. This fixes denzil bug [YOCTO #3649] (From OE-Core rev: be34916d81b71385a560a6990c7b30eba243b356) Signed-off-by: Scott Garman <scott.a.garman@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5668.patch31
-rw-r--r--meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5669.patch31
-rw-r--r--meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5670.patch29
-rw-r--r--meta/recipes-graphics/freetype/freetype_2.4.9.bb7
4 files changed, 96 insertions, 2 deletions
diff --git a/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5668.patch b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5668.patch
new file mode 100644
index 0000000..609d73d
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5668.patch
@@ -0,0 +1,31 @@
1From 9b6b5754b57c12b820e01305eb69b8863a161e5a Mon Sep 17 00:00:00 2001
2From: Werner Lemberg <wl@gnu.org>
3Date: Sat, 15 Dec 2012 00:34:41 +0000
4Subject: [bdf] Fix Savannah bug #37905.
5
6* src/bdf/bdflib.c (_bdf_parse_start): Reset `props_size' to zero in
7case of allocation error; this value gets used in a loop in
8`bdf_free_font'.
9
10Upstream-Status: Pending
11
12Signed-off-by: Eren Turkay <eren@hambedded.org>
13Signed-off-by: Scott Garman <scott.a.garman@intel.com>
14---
15diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
16index ed08a6e..8d7f9a0 100644
17--- a/src/bdf/bdflib.c
18+++ b/src/bdf/bdflib.c
19@@ -2169,7 +2169,10 @@
20 p->cnt = p->font->props_size = _bdf_atoul( p->list.field[1], 0, 10 );
21
22 if ( FT_NEW_ARRAY( p->font->props, p->cnt ) )
23+ {
24+ p->font->props_size = 0;
25 goto Exit;
26+ }
27
28 p->flags |= _BDF_PROPS;
29 *next = _bdf_parse_properties;
30--
31cgit v0.9.0.2
diff --git a/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5669.patch b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5669.patch
new file mode 100644
index 0000000..e4a991e
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5669.patch
@@ -0,0 +1,31 @@
1From 07bdb6e289c7954e2a533039dc93c1c136099d2d Mon Sep 17 00:00:00 2001
2From: Werner Lemberg <wl@gnu.org>
3Date: Sat, 15 Dec 2012 01:02:23 +0000
4Subject: [bdf] Fix Savannah bug #37906.
5
6* src/bdf/bdflib.c (_bdf_parse_glyphs): Use correct array size for
7checking `glyph_enc'.
8
9Upstream-Status: Pending
10
11Signed-off-by: Eren Turkay <eren@hambedded.org>
12Signed-off-by: Scott Garman <scott.a.garman@intel.com>
13---
14diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
15index 8d7f9a0..f9c06ca 100644
16--- a/src/bdf/bdflib.c
17+++ b/src/bdf/bdflib.c
18@@ -1628,8 +1628,9 @@
19
20 /* Check that the encoding is in the Unicode range because */
21 /* otherwise p->have (a bitmap with static size) overflows. */
22- if ( p->glyph_enc > 0 &&
23- (size_t)p->glyph_enc >= sizeof ( p->have ) * 8 )
24+ if ( p->glyph_enc > 0 &&
25+ (size_t)p->glyph_enc >= sizeof ( p->have ) /
26+ sizeof ( unsigned long ) * 32 )
27 {
28 FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG5, lineno, "ENCODING" ));
29 error = BDF_Err_Invalid_File_Format;
30--
31cgit v0.9.0.2
diff --git a/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5670.patch b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5670.patch
new file mode 100644
index 0000000..73a41ca
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype-2.4.9/CVE-2012-5670.patch
@@ -0,0 +1,29 @@
1From 7f2e4f4f553f6836be7683f66226afac3fa979b8 Mon Sep 17 00:00:00 2001
2From: Werner Lemberg <wl@gnu.org>
3Date: Sat, 15 Dec 2012 08:39:41 +0000
4Subject: [bdf] Fix Savannah bug #37907.
5
6* src/bdf/bdflib.c (_bdf_parse_glyphs) <ENCODING>: Normalize
7negative second parameter of `ENCODING' field also.
8
9Upstream-Status: Pending
10
11Signed-off-by: Eren Turkay <eren@hambedded.org>
12Signed-off-by: Scott Garman <scott.a.garman@intel.com>
13---
14diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
15index f9c06ca..365e671 100644
16--- a/src/bdf/bdflib.c
17+++ b/src/bdf/bdflib.c
18@@ -1624,6 +1624,9 @@
19 if ( p->glyph_enc == -1 && p->list.used > 2 )
20 p->glyph_enc = _bdf_atol( p->list.field[2], 0, 10 );
21
22+ if ( p->glyph_enc < -1 )
23+ p->glyph_enc = -1;
24+
25 FT_TRACE4(( DBGMSG2, p->glyph_enc ));
26
27 /* Check that the encoding is in the Unicode range because */
28--
29cgit v0.9.0.2
diff --git a/meta/recipes-graphics/freetype/freetype_2.4.9.bb b/meta/recipes-graphics/freetype/freetype_2.4.9.bb
index 31bee80..6aa0f60 100644
--- a/meta/recipes-graphics/freetype/freetype_2.4.9.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.4.9.bb
@@ -13,10 +13,13 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=28d5381b1bef2649c59f20c20bae4f39
13 13
14SECTION = "libs" 14SECTION = "libs"
15 15
16PR = "r0" 16PR = "r1"
17 17
18SRC_URI = "${SOURCEFORGE_MIRROR}/freetype/freetype-${PV}.tar.bz2 \ 18SRC_URI = "${SOURCEFORGE_MIRROR}/freetype/freetype-${PV}.tar.bz2 \
19 file://no-hardcode.patch" 19 file://no-hardcode.patch \
20 file://CVE-2012-5668.patch \
21 file://CVE-2012-5669.patch \
22 file://CVE-2012-5670.patch"
20 23
21SRC_URI[md5sum] = "77a893dae81fd5b896632715ca041179" 24SRC_URI[md5sum] = "77a893dae81fd5b896632715ca041179"
22SRC_URI[sha256sum] = "c4204ac1d48e99d4375a2f32bf4f3f92780a9d9f015e64e57e852f6c004859b9" 25SRC_URI[sha256sum] = "c4204ac1d48e99d4375a2f32bf4f3f92780a9d9f015e64e57e852f6c004859b9"