freetype: Fix CVEs for freetype

Apply below patches to fix the CVEs for freetype: CVE-2022-27404.patch Link: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch CVE-2022-27405.patch Link: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5.patch CVE-2022-27406.patch Link: https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2.patch (From OE-Core rev: 51a92860bdbab28a2b487be3b054f103a54b86ac) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> 2022-05-17 15:14:11 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-05-20 10:08:00 +0100
commit: 5999f70889d435c288b4d49589280b1ba61c8fb9 (patch)
tree: 8a69cfcda62487776a996f518e196bf9e62afc73
parent: 37bbb105c93213cb8bf78c054b4e682378c9f50c (diff)
download: poky-5999f70889d435c288b4d49589280b1ba61c8fb9.tar.gz
4 files changed, 105 insertions, 0 deletions
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch
new file mode 100644
index 0000000000..e66400ddb1
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch
@@ -0,0 +1,33 @@
+From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 17 Mar 2022 19:24:16 +0100
+Subject: [PATCH] [sfnt] Avoid invalid face index.
+Fixes #1138.
+* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
+Check `face_index` before decrementing.
+CVE: CVE-2022-27404
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch]
+Comment: Removed second hunk as sfwoff2.c file is not part of current v2.10.1 code
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/sfnt/sfobjs.c  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
+index f9d4d3858..9771c35df 100644
+--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
+@@ -566,7 +566,7 @@
+     face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+     /* value -(N+1) requests information on index N */
+-    if ( face_instance_index < 0 )
+    if ( face_instance_index < 0 && face_index > 0 )
+       face_index--;
+     if ( face_index >= face->ttc_header.count )
+-- 
+GitLab
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch
new file mode 100644
index 0000000000..08fccd5a3b
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch
@@ -0,0 +1,38 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+Fixes #1139.
+CVE: CVE-2022-27405
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5]
+Comment: No Change in any hunk
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+ #endif
+ 
+ 
+    /* only use lower 31 bits together with sign bit */
+    if ( face_index > 0 )
+      face_index &= 0x7FFFFFFFL;
+    else
+    {
+      face_index &= 0x7FFFFFFFL;
+      face_index  = -face_index;
+    }
+
+ #ifdef FT_DEBUG_LEVEL_TRACE
+     FT_TRACE3(( "FT_Open_Face: " ));
+     if ( face_index < 0 )
+-- 
+GitLab
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch
new file mode 100644
index 0000000000..4b5e629f30
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch
@@ -0,0 +1,31 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+Fixes #1140.
+CVE: CVE-2022-27406
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2]
+Comment: No Change in any hunk
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+     if ( !face )
+       return FT_THROW( Invalid_Face_Handle );
+ 
+    if ( !face->size )
+      return FT_THROW( Invalid_Size_Handle );
+
+     if ( !req || req->width < 0 || req->height < 0 ||
+          req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+       return FT_THROW( Invalid_Argument );
+-- 
+GitLab
diff --git a/meta/recipes-graphics/freetype/freetype_2.10.1.bb b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
index 2d444bbf19..72001c529a 100644
--- a/meta/recipes-graphics/freetype/freetype_2.10.1.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
@@ -15,6 +15,9 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1
 SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \
           file://use-right-libtool.patch \
           file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \
+           file://CVE-2022-27404.patch \
+           file://CVE-2022-27405.patch \
+           file://CVE-2022-27406.patch \
          "
 SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f"
 SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f"
author	Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>	2022-05-17 15:14:11 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-05-20 10:08:00 +0100
commit	5999f70889d435c288b4d49589280b1ba61c8fb9 (patch)
tree	8a69cfcda62487776a996f518e196bf9e62afc73
parent	37bbb105c93213cb8bf78c054b4e682378c9f50c (diff)
download	poky-5999f70889d435c288b4d49589280b1ba61c8fb9.tar.gz

diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch new file mode 100644 index 0000000000..e66400ddb1 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch
@@ -0,0 +1,33 @@
		1	From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
		2	From: Werner Lemberg <wl@gnu.org>
		3	Date: Thu, 17 Mar 2022 19:24:16 +0100
		4	Subject: [PATCH] [sfnt] Avoid invalid face index.
		5
		6	Fixes #1138.
		7
		8	* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
		9	Check `face_index` before decrementing.
		10
		11	CVE: CVE-2022-27404
		12	Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch]
		13	Comment: Removed second hunk as sfwoff2.c file is not part of current v2.10.1 code
		14	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		15	---
		16	src/sfnt/sfobjs.c \| 2 +-
		17	1 file changed, 1 insertion(+), 1 deletion(-)
		18
		19	diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
		20	index f9d4d3858..9771c35df 100644
		21	--- a/src/sfnt/sfobjs.c
		22	+++ b/src/sfnt/sfobjs.c
		23	@@ -566,7 +566,7 @@
		24	face_index = FT_ABS( face_instance_index ) & 0xFFFF;
		25
		26	/* value -(N+1) requests information on index N */
		27	- if ( face_instance_index < 0 )
		28	+ if ( face_instance_index < 0 && face_index > 0 )
		29	face_index--;
		30
		31	if ( face_index >= face->ttc_header.count )
		32	--
		33	GitLab


diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch new file mode 100644 index 0000000000..08fccd5a3b --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch
@@ -0,0 +1,38 @@
		1	From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
		2	From: Werner Lemberg <wl@gnu.org>
		3	Date: Sat, 19 Mar 2022 06:40:17 +0100
		4	Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
		5	`face_index`.
		6	We must ensure that the cast to `FT_Int` doesn't change the sign.
		7	Fixes #1139.
		8
		9	CVE: CVE-2022-27405
		10	Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5]
		11	Comment: No Change in any hunk
		12	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		13	---
		14	src/base/ftobjs.c \| 9 +++++++++
		15	1 file changed, 9 insertions(+)
		16
		17	diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
		18	index 2c0f0e6c9..10952a6c6 100644
		19	--- a/src/base/ftobjs.c
		20	+++ b/src/base/ftobjs.c
		21	@@ -2527,6 +2527,15 @@
		22	#endif
		23
		24
		25	+ /* only use lower 31 bits together with sign bit */
		26	+ if ( face_index > 0 )
		27	+ face_index &= 0x7FFFFFFFL;
		28	+ else
		29	+ {
		30	+ face_index &= 0x7FFFFFFFL;
		31	+ face_index = -face_index;
		32	+ }
		33	+
		34	#ifdef FT_DEBUG_LEVEL_TRACE
		35	FT_TRACE3(( "FT_Open_Face: " ));
		36	if ( face_index < 0 )
		37	--
		38	GitLab


diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch new file mode 100644 index 0000000000..4b5e629f30 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch
@@ -0,0 +1,31 @@
		1	From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
		2	From: Werner Lemberg <wl@gnu.org>
		3	Date: Sat, 19 Mar 2022 09:37:28 +0100
		4	Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
		5
		6	Fixes #1140.
		7
		8	CVE: CVE-2022-27406
		9	Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2]
		10	Comment: No Change in any hunk
		11	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		12	---
		13	src/base/ftobjs.c \| 3 +++
		14	1 file changed, 3 insertions(+)
		15
		16	diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
		17	index 6492a1517..282c9121a 100644
		18	--- a/src/base/ftobjs.c
		19	+++ b/src/base/ftobjs.c
		20	@@ -3409,6 +3409,9 @@
		21	if ( !face )
		22	return FT_THROW( Invalid_Face_Handle );
		23
		24	+ if ( !face->size )
		25	+ return FT_THROW( Invalid_Size_Handle );
		26	+
		27	if ( !req \|\| req->width < 0 \|\| req->height < 0 \|\|
		28	req->type >= FT_SIZE_REQUEST_TYPE_MAX )
		29	return FT_THROW( Invalid_Argument );
		30	--
		31	GitLab


diff --git a/meta/recipes-graphics/freetype/freetype_2.10.1.bb b/meta/recipes-graphics/freetype/freetype_2.10.1.bb index 2d444bbf19..72001c529a 100644 --- a/meta/recipes-graphics/freetype/freetype_2.10.1.bb +++ b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
@@ -15,6 +15,9 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1
15	SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \	15	SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \
16	file://use-right-libtool.patch \	16	file://use-right-libtool.patch \
17	file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \	17	file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \
		18	file://CVE-2022-27404.patch \
		19	file://CVE-2022-27405.patch \
		20	file://CVE-2022-27406.patch \
18	"	21	"
19	SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f"	22	SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f"
20	SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f"	23	SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f"