diff --git a/CVE-2022-33068-sbix-Limit-glyph-extents.patch b/CVE-2022-33068-sbix-Limit-glyph-extents.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c229a3c8a674d9444c0e4c249f13d1489bc2fb24
--- /dev/null
+++ b/CVE-2022-33068-sbix-Limit-glyph-extents.patch
@@ -0,0 +1,30 @@
+From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod
+Date: Wed, 1 Jun 2022 07:38:21 -0600
+Subject: [PATCH 001/363] [sbix] Limit glyph extents
+
+Fixes https://github.com/harfbuzz/harfbuzz/issues/3557
+---
+ src/hb-ot-color-sbix-table.hh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
+index 9741ebd45..6efae43cd 100644
+--- a/src/hb-ot-color-sbix-table.hh
++++ b/src/hb-ot-color-sbix-table.hh
+@@ -298,6 +298,12 @@ struct sbix
+
+ const PNGHeader &png = *blob->as();
+
++ if ((png.IHDR.height >= 65536) | (png.IHDR.width >= 65536))
++ {
++ hb_blob_destroy (blob);
++ return false;
++ }
++
+ extents->x_bearing = x_offset;
+ extents->y_bearing = png.IHDR.height + y_offset;
+ extents->width = png.IHDR.width;
+--
+2.36.1
+
diff --git a/dist b/dist
new file mode 100644
index 0000000000000000000000000000000000000000..89c1faffc18349bb12eee2371e9dc43bf419b95c
--- /dev/null
+++ b/dist
@@ -0,0 +1 @@
+an9
diff --git a/download b/download
new file mode 100644
index 0000000000000000000000000000000000000000..9eb79957ca2db5c790d23da3c9410601e09adf30
--- /dev/null
+++ b/download
@@ -0,0 +1 @@
+6d8393e6fb84edfb15997d1c5ba35b1b harfbuzz-2.7.4.tar.xz
diff --git a/harfbuzz-1.7.5.tar.bz2 b/harfbuzz-1.7.5.tar.bz2
deleted file mode 100644
index 1211c42fd0feb73cd7fb4af69276d0e5ff0cc5aa..0000000000000000000000000000000000000000
Binary files a/harfbuzz-1.7.5.tar.bz2 and /dev/null differ
diff --git a/harfbuzz.spec b/harfbuzz.spec
index 8b58020b63b456644629d019057ac2bf341568af..cec4775a57d64531b82ba349f6493183526474d9 100644
--- a/harfbuzz.spec
+++ b/harfbuzz.spec
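Review bot: The guard added to the sbix extents code in the embedded patch compares against a bare `65536` and nothing beside it says why that bound was chosen, which makes the CVE-2022-33068 fix hard to audit later. I would put a one-line comment above the check, for example `/* Reject PNG IHDR dimensions of 65536 or more so oversized values never reach the glyph extents. */`. The two comparisons are joined with bitwise `|`; both operands are boolean, so the result matches `||`, and the changelog entry about a Covscan parenthesis warning presumably refers to this line. The enclosing function starts and ends outside the hunk, so whether the blob length is validated before `blob->as` is not visible here.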
@@ -1,19 +1,25 @@ +%define anolis_release .0.1 Name: harfbuzz -Version: 1.7.5 -Release: 3%{?dist} +Version: 2.7.4 +Release: 8%{anolis_release}%{?dist} Summary: Text shaping library License: MIT -URL: http://freedesktop.org/wiki/Software/HarfBuzz -Source0: http://www.freedesktop.org/software/harfbuzz/release/harfbuzz-%{version}.tar.bz2 +URL: https://harfbuzz.github.io/ +Source0: https://github.com/harfbuzz/harfbuzz/releases/download/%{version}/harfbuzz-%{version}.tar.xz + +# Upstream patch https://github.com/harfbuzz/harfbuzz/issues/3557 +Patch0: CVE-2022-33068-sbix-Limit-glyph-extents.patch BuildRequires: cairo-devel BuildRequires: freetype-devel BuildRequires: glib2-devel +BuildRequires: gobject-introspection-devel BuildRequires: libicu-devel BuildRequires: graphite2-devel BuildRequires: gtk-doc BuildRequires: gcc-c++ +BuildRequires: make %description HarfBuzz is an implementation of the OpenType Layout engine. 
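Review bot: The comment above `Patch0` cites only the upstream issue, so the packaged fix cannot be traced to a specific upstream change or to the CVE without opening the patch file. The patch header on this page names commit 62e803b36173fd096d7ad460dd1d1db9be542593, and I would write the comment as `# CVE-2022-33068: upstream commit 62e803b36173fd096d7ad460dd1d1db9be542593 (https://github.com/harfbuzz/harfbuzz/issues/3557)`. That lets an auditor confirm which upstream change the package carries and notice if the patch file ever diverges from it.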
@@ -35,52 +41,238 @@ Requires: %{name}%{?_isa} = %{version}-%{release} %description icu This package contains Harfbuzz ICU support library. -%prep -%autosetup +%package doc +Summary: Documents for %{name} +BuildArch: noarch +Requires: %{name} = %{version}-%{release} +%description doc +Doc pages for %{name}. -%build -%configure --disable-static --with-graphite2 +%prep +%autosetup -p1 -# Remove lib64 rpath -sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool -sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool -make %{?_smp_mflags} V=1 +%build +%configure --disable-static --with-graphite2 --with-gobject --enable-introspection +%{make_build} %install -make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" +%{make_install} rm -f $RPM_BUILD_ROOT%{_libdir}/*.la -%post -p /sbin/ldconfig -%postun -p /sbin/ldconfig +%ldconfig_scriptlets -%post icu -p /sbin/ldconfig -%postun icu -p /sbin/ldconfig +%ldconfig_scriptlets icu %files %license COPYING -%doc NEWS AUTHORS README -%{_libdir}/libharfbuzz.so.* +%{_libdir}/libharfbuzz.so.0* +%{_libdir}/libharfbuzz-gobject.so.0* +%{_libdir}/libharfbuzz-subset.so.0* +%dir %{_libdir}/girepository-1.0 +%{_libdir}/girepository-1.0/HarfBuzz-0.0.typelib %files devel %doc %{_datadir}/gtk-doc %{_bindir}/hb-view %{_bindir}/hb-ot-shape-closure %{_bindir}/hb-shape +%{_bindir}/hb-subset %{_includedir}/harfbuzz/ %{_libdir}/libharfbuzz.so -%{_libdir}/pkgconfig/harfbuzz.pc +%{_libdir}/libharfbuzz-gobject.so %{_libdir}/libharfbuzz-icu.so +%{_libdir}/libharfbuzz-subset.so +%{_libdir}/pkgconfig/harfbuzz.pc +%{_libdir}/pkgconfig/harfbuzz-gobject.pc %{_libdir}/pkgconfig/harfbuzz-icu.pc +%{_libdir}/pkgconfig/harfbuzz-subset.pc +%{_libdir}/cmake/harfbuzz/ +%dir %{_datadir}/gir-1.0 +%{_datadir}/gir-1.0/HarfBuzz-0.0.gir %files icu %{_libdir}/libharfbuzz-icu.so.* +%files doc +%doc NEWS AUTHORS README + %changelog +* Mon May 15 2023 Chang Gao - 2.7.4-8.0.1 +- Add doc subpack + +* Mon Jul 18 2022 Parag Nemade - 
2.7.4-8 +- Resolves:rh#2103849 +- Update tests.yaml + +* Mon Jul 18 2022 Parag Nemade - 2.7.4-7 +- Resolves:rh#2103849 CVE-2022-33068 +- Fix Covscan compiler warning for inclusion of parenthesis +- Update tests.yaml + +* Fri Jul 15 2022 Parag Nemade - 2.7.4-6 +- Resolves:rh#2103849 CVE-2022-33068 + harfbuzz: integer overflow in the component hb-ot-shape-fallback.c + +* Mon Aug 09 2021 Mohan Boddu - 2.7.4-5 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Fri Apr 16 2021 Mohan Boddu - 2.7.4-4 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Fri Feb 5 2021 Marek Kasik - 2.7.4-3 +- Build HarfBuzz with bootstrapped freetype + +* Tue Jan 26 2021 Fedora Release Engineering - 2.7.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Sun Dec 27 20:48:11 IST 2020 Parag Nemade - 2.7.4-1 +- Update to 2.7.4 version (#1911046) + +* Fri Dec 25 14:01:50 IST 2020 Parag Nemade - 2.7.3-1 +- Update to 2.7.3 version (#1910482) + +* Sat Aug 29 2020 Parag Nemade - 2.7.2-1 +- Update to 2.7.2 version (#1873689) + +* Thu Aug 20 2020 Parag Nemade - 2.7.1-1 +- Update to 2.7.1 version (#1860607) + +* Tue Jul 28 2020 Fedora Release Engineering - 2.6.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jun 23 2020 Parag Nemade - 2.6.8-1 +- Update to 2.6.8 version (#1849805) + +* Thu Jun 04 2020 Parag Nemade - 2.6.7-1 +- Update to 2.6.7 version (#1843592) + +* Fri May 15 2020 Pete Walter - 2.6.6-2 +- Rebuild for ICU 67 + +* Tue May 12 2020 Parag Nemade - 2.6.6-1 +- Update to 2.6.6 version (#1834887) + +* Wed Mar 18 2020 Parag Nemade - 2.6.4-4 +- Use make_build and make_install macros + +* Wed Jan 29 2020 Fedora Release Engineering - 2.6.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Nov 01 2019 Pete Walter - 2.6.4-2 +- Rebuild for ICU 65 + +* Wed Oct 30 2019 Parag Nemade - 2.6.4-1 +- Update to 2.6.4 version (#1766762) + +* Tue Oct 29 2019 Parag Nemade - 
2.6.3-1 +- Update to 2.6.3 version (#1766396) + +* Tue Oct 01 2019 Parag Nemade - 2.6.2-1 +- Update to 2.6.2 version (#1757207) + +* Wed Sep 18 2019 Kalev Lember - 2.6.1-2 +- Build with --with-gobject --enable-introspection (#1737186) +- Tighten soname globs + +* Fri Aug 23 2019 Parag Nemade - 2.6.1-1 +- Update to 2.6.1 version (#1744835) + +* Sat Aug 17 2019 Parag Nemade - 2.6.0-1 +- Update to 2.6.0 version (#1742730) + +* Thu Jul 25 2019 Fedora Release Engineering - 2.5.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Jul 12 2019 Adam Williamson - 2.5.3-2 +- Revert the offending commit to avoid RHBZ #1689037 + +* Thu Jun 27 2019 Parag Nemade - 2.5.3-1 +- Update to 2.5.3 version (#1724317) + +* Fri Jun 21 2019 Parag Nemade - 2.5.2-1 +- Update to 2.5.2 version (#1722623) + +* Sat Jun 01 2019 Parag Nemade - 2.5.1-1 +- Update to 2.5.1 version (#1716024) + +* Sun May 26 2019 Parag Nemade - 2.5.0-1 +- Update to 2.5.0 version (#1713797) + +* Fri Apr 12 2019 Parag Nemade - 2.4.0-1 +- Update to 2.4.0 version (#1693940) + +* Thu Jan 31 2019 Parag Nemade - 2.3.1-1 +- Update to 2.3.1 version (#1671165) + +* Wed Jan 23 2019 Pete Walter - 2.1.3-2 +- Rebuild for ICU 63 + +* Fri Nov 23 2018 Parag Nemade - 2.1.3-1 +- Update to 2.1.3 version + +* Thu Nov 08 2018 Parag Nemade - 2.1.1-1 +- Update to 2.1.1 version + +* Sun Nov 04 2018 Parag Nemade - 2.1.0-1 +- Update to 2.1.0 version + +* Thu Nov 01 2018 Parag Nemade - 2.0.2-1 +- Update to 2.0.2 version + +* Sun Oct 28 2018 Parag Nemade - 2.0.1-1 +- Update to 2.0.1 version + +* Sat Oct 27 2018 Parag Nemade - 2.0.0-1 +- Update to 2.0.0 version + +* Fri Sep 07 2018 Parag Nemade - 1.8.8-1 +- Update to 1.8.8 version + +* Thu Aug 09 2018 Parag Nemade - 1.8.7-1 +- Update to 1.8.7 version (#1613591) + +* Thu Aug 02 2018 Parag Nemade - 1.8.5-1 +- Update to 1.8.5 version (#1611028) + +* Wed Jul 18 2018 Parag Nemade - 1.8.4-1 +- Update to 1.8.4 version (#1601890) + +* Fri Jul 13 2018 Parag Nemade - 1.8.3-1 +- 
Update to 1.8.3 version (#1600306) + +* Fri Jul 13 2018 Fedora Release Engineering - 1.8.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jul 10 2018 Pete Walter - 1.8.2-2 +- Rebuild for ICU 62 + +* Tue Jul 03 2018 Parag Nemade - 1.8.2-1 +- Update to 1.8.2 version (#1597679) + +* Thu Jun 14 2018 Parag Nemade - 1.8.1-1 +- Update to 1.8.1 version (#1590575) + +* Wed Jun 06 2018 Parag Nemade - 1.8.0-1 +- Update to 1.8.0 version (#1587987) + +* Wed Jun 06 2018 Parag Nemade - 1.7.7-1 +- Update to 1.7.7 version (#1552962) + +* Mon Apr 30 2018 Pete Walter - 1.7.6-2 +- Rebuild for ICU 61.1 + +* Thu Mar 08 2018 Parag Nemade - 1.7.6-1 +- Update to 1.7.6 version (#1552962) +- Added new lib libharfbuzz-subset by upstream +- Added harfbuzz cmake file +- Added hb-subset binary file + * Mon Feb 19 2018 Parag Nemade - 1.7.5-3 - Add BuildRequires: gcc-c++ as per packaging guidelines - Used %%autosetup
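Review bot: The new `%build` drops the two `sed` edits of `libtool` that the old spec carried under `# Remove lib64 rpath`, and nothing in the hunk replaces them. If the 2.7.4 autotools build still writes a library search path into the shared objects, the packages would ship with an RPATH/RUNPATH entry that the previous release stripped; that cannot be determined from the hunk. I would either keep the lines after `%configure`, namely `sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool` and its `runpath_var` companion, or record in the changelog that the built libraries were checked and carry no such entry.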