From 245bafa9cd7af8c195c0e106a9800a924ef9faad Mon Sep 17 00:00:00 2001
From: zhangpan
Date: Mon, 14 Apr 2025 06:16:48 +0000
Subject: [PATCH] update CVE-2025-27363 patch
---
backport-0001-CVE-2025-27363.patch | 147 ------------------
backport-0002-CVE-2025-27363.patch | 36 -----
...imal-stop-gap-fix-for-CVE-2025-27363.patch | 44 ++++++
freetype.spec | 9 +-
4 files changed, 49 insertions(+), 187 deletions(-)
delete mode 100644 backport-0001-CVE-2025-27363.patch
delete mode 100644 backport-0002-CVE-2025-27363.patch
create mode 100644 backport-Minimal-stop-gap-fix-for-CVE-2025-27363.patch
diff --git a/backport-0001-CVE-2025-27363.patch b/backport-0001-CVE-2025-27363.patch
deleted file mode 100644
index 3a12253..0000000
--- a/backport-0001-CVE-2025-27363.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From ef636696524b081f1b8819eb0c6a0b932d35757d Mon Sep 17 00:00:00 2001
-From: Alexei Podtelezhnikov
-Date: Fri, 17 Mar 2023 23:25:45 -0400
-Subject: [PATCH] [truetype] Clean up zeroing and local variables.
-
-* src/truetype/ttgload.c (TT_Process_Simple_Glyph): Avoid zeroing.
-(load_truetype_glyph): Avoid zeroing and clean local variables.
-
-Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
-Conflict:context adaptation and points->outline.points
-
----
- src/truetype/ttgload.c | 82 ++++++++++++++----------------------------
- 1 file changed, 26 insertions(+), 56 deletions(-)
-
-diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
-index 2ca63d6..8c1fbbf 100644
---- a/src/truetype/ttgload.c
-+++ b/src/truetype/ttgload.c
-@@ -981,7 +981,7 @@
-
- if ( !IS_DEFAULT_INSTANCE( FT_FACE( loader->face ) ) )
- {
-- if ( FT_NEW_ARRAY( unrounded, n_points ) )
-+ if ( FT_QNEW_ARRAY( unrounded, n_points ) )
- goto Exit;
-
- /* Deltas apply to the unscaled data. */
-@@ -1948,10 +1948,7 @@
- short i, limit;
- FT_SubGlyph subglyph;
-
-- FT_Outline outline;
-- FT_Vector* points = NULL;
-- char* tags = NULL;
-- short* contours = NULL;
-+ FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 };
- FT_Vector* unrounded = NULL;
-
-
-@@ -1959,19 +1956,14 @@
-
- /* construct an outline structure for */
- /* communication with `TT_Vary_Apply_Glyph_Deltas' */
-- outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
-- outline.n_contours = outline.n_points;
--
-- outline.points = NULL;
-- outline.tags = NULL;
-- outline.contours = NULL;
--
-- if ( FT_NEW_ARRAY( points, outline.n_points ) ||
-- FT_NEW_ARRAY( tags, outline.n_points ) ||
-- FT_NEW_ARRAY( contours, outline.n_points ) ||
-- FT_NEW_ARRAY( unrounded, outline.n_points ) )
-+ if ( FT_QNEW_ARRAY( outline.points, limit + 4 ) ||
-+ FT_QNEW_ARRAY( outline.tags, limit ) ||
-+ FT_QNEW_ARRAY( outline.contours, limit ) ||
-+ FT_QNEW_ARRAY( unrounded, limit + 4 ) )
- goto Exit1;
-
-+ outline.n_contours = outline.n_points = limit;
-+
- subglyph = gloader->current.subglyphs;
-
- for ( i = 0; i < limit; i++, subglyph++ )
-@@ -1979,38 +1971,16 @@
- /* applying deltas for anchor points doesn't make sense, */
- /* but we don't have to specially check this since */
- /* unused delta values are zero anyways */
-- points[i].x = subglyph->arg1;
-- points[i].y = subglyph->arg2;
-- tags[i] = 1;
-- contours[i] = i;
-+ outline.points[i].x = subglyph->arg1;
-+ outline.points[i].y = subglyph->arg2;
-+ outline.tags[i] = ON_CURVE_POINT;
-+ outline.contours[i] = i;
- }
-
-- points[i].x = loader->pp1.x;
-- points[i].y = loader->pp1.y;
-- tags[i] = 1;
-- contours[i] = i;
--
-- i++;
-- points[i].x = loader->pp2.x;
-- points[i].y = loader->pp2.y;
-- tags[i] = 1;
-- contours[i] = i;
--
-- i++;
-- points[i].x = loader->pp3.x;
-- points[i].y = loader->pp3.y;
-- tags[i] = 1;
-- contours[i] = i;
--
-- i++;
-- points[i].x = loader->pp4.x;
-- points[i].y = loader->pp4.y;
-- tags[i] = 1;
-- contours[i] = i;
--
-- outline.points = points;
-- outline.tags = tags;
-- outline.contours = contours;
-+ outline.points[i++] = loader->pp1;
-+ outline.points[i++] = loader->pp2;
-+ outline.points[i++] = loader->pp3;
-+ outline.points[i ] = loader->pp4;
-
- /* this call provides additional offsets */
- /* for each component's translation */
-@@ -2028,20 +1998,20 @@
- {
- if ( subglyph->flags & ARGS_ARE_XY_VALUES )
- {
-- subglyph->arg1 = (FT_Int16)points[i].x;
-- subglyph->arg2 = (FT_Int16)points[i].y;
-+ subglyph->arg1 = (FT_Int16)outline.points[i].x;
-+ subglyph->arg2 = (FT_Int16)outline.points[i].y;
- }
- }
-
-- loader->pp1.x = points[i + 0].x;
-- loader->pp1.y = points[i + 0].y;
-- loader->pp2.x = points[i + 1].x;
-- loader->pp2.y = points[i + 1].y;
-+ loader->pp1.x = outline.points[i + 0].x;
-+ loader->pp1.y = outline.points[i + 0].y;
-+ loader->pp2.x = outline.points[i + 1].x;
-+ loader->pp2.y = outline.points[i + 1].y;
-
-- loader->pp3.x = points[i + 2].x;
-- loader->pp3.y = points[i + 2].y;
-- loader->pp4.x = points[i + 3].x;
-- loader->pp4.y = points[i + 3].y;
-+ loader->pp3.x = outline.points[i + 2].x;
-+ loader->pp3.y = outline.points[i + 2].y;
-+ loader->pp4.x = outline.points[i + 3].x;
-+ loader->pp4.y = outline.points[i + 3].y;
-
- /* recalculate linear horizontal and vertical advances */
- /* if we don't have HVAR and VVAR, respectively */
---
-2.33.0
-
diff --git a/backport-0002-CVE-2025-27363.patch b/backport-0002-CVE-2025-27363.patch
deleted file mode 100644
index 85e22d6..0000000
--- a/backport-0002-CVE-2025-27363.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 73720c7c9958e87b3d134a7574d1720ad2d24442 Mon Sep 17 00:00:00 2001
-From: Alexei Podtelezhnikov
-Date: Sun, 23 Jun 2024 10:58:00 -0400
-Subject: [PATCH] * src/truetype/ttgload.c (load_truetype_glyph): Unsigned fix.
-
-Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/73720c7c9958e87b3d134a7574d1720ad2d24442
-Conflict:NA
-
----
- src/truetype/ttgload.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
-index 8cddc394c..b656ccf04 100644
---- a/src/truetype/ttgload.c
-+++ b/src/truetype/ttgload.c
-@@ -1738,14 +1738,14 @@
- if ( FT_IS_NAMED_INSTANCE( FT_FACE( face ) ) ||
- FT_IS_VARIATION( FT_FACE( face ) ) )
- {
-- short i, limit;
-+ FT_UShort i, limit;
- FT_SubGlyph subglyph;
-
- FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 };
- FT_Vector* unrounded = NULL;
-
-
-- limit = (short)gloader->current.num_subglyphs;
-+ limit = (FT_UShort)gloader->current.num_subglyphs;
-
- /* construct an outline structure for */
- /* communication with `TT_Vary_Apply_Glyph_Deltas' */
---
-GitLab
-
diff --git a/backport-Minimal-stop-gap-fix-for-CVE-2025-27363.patch b/backport-Minimal-stop-gap-fix-for-CVE-2025-27363.patch
new file mode 100644
index 0000000..a4f22d8
--- /dev/null
+++ b/backport-Minimal-stop-gap-fix-for-CVE-2025-27363.patch
@@ -0,0 +1,44 @@
+From: Marc Deslauriers
+Date: Fri, 14 Mar 2025 08:55:06 -0400
+Subject: [PATCH] Minimal stop-gap fix for CVE-2025-27363
+Origin: https://www.openwall.com/lists/oss-security/2025/03/14/3
+Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27363
+
+Reference:https://salsa.debian.org/debian/freetype/-/merge_requests/4
+Conflict:NA
+
+---
+ src/truetype/ttgload.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
+index 2ca63d65a3a3..7ce6d2a6fb29 100644
+--- a/src/truetype/ttgload.c
++++ b/src/truetype/ttgload.c
+@@ -1948,7 +1948,7 @@
+ short i, limit;
+ FT_SubGlyph subglyph;
+
+- FT_Outline outline;
++ FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 };
+ FT_Vector* points = NULL;
+ char* tags = NULL;
+ short* contours = NULL;
+@@ -1957,6 +1957,13 @@
+
+ limit = (short)gloader->current.num_subglyphs;
+
++ /* make sure this isn't negative as we're going to add 4 later */
++ if ( limit < 0 )
++ {
++ error = FT_THROW( Invalid_Argument );
++ goto Exit;
++ }
++
+ /* construct an outline structure for */
+ /* communication with `TT_Vary_Apply_Glyph_Deltas' */
+ outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
+--
+2.47.2
+
diff --git a/freetype.spec b/freetype.spec
index 3b8031d..169eb89 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -4,7 +4,7 @@ Name: freetype Version: 2.12.1 -Release: 4 +Release: 5 Summary: FreeType is a freely available software library to render fonts License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement URL: http://www.freetype.org
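Review bot: The added `if ( limit < 0 )` guard in the new stop-gap patch for ttgload.c tests the already-truncated `short`, while the count on the hunk's last context line is recomputed separately as `(short)( gloader->current.num_subglyphs + 4 )`, so the check and the size come from two independent narrowing casts. A count in the top four values of the `short` range passes the guard although `num_subglyphs + 4` no longer fits in a `short`, and, if `num_subglyphs` is wider than 16 bits (its type is not visible here), a larger count truncates to a small non-negative `limit` that also passes. Bounding the untruncated value covers both cases, e.g. `if ( gloader->current.num_subglyphs > 0x7FFF - 4 )` in place of the `limit < 0` test with the same `FT_THROW( Invalid_Argument )` path, after which `outline.n_points` can be set from `limit + 4`. The enclosing block of load_truetype_glyph starts and ends outside the hunk, so whether the later FT_NEW_ARRAY calls reject a negative count cannot be confirmed from these lines.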
@@ -23,8 +23,7 @@ Patch6003: backport-freetype-2.8-multilib.patch Patch6004: backport-freetype-2.10.0-internal-outline.patch Patch6005: backport-freetype-2.10.1-debughook.patch Patch6006: backport-CVE-2023-2004.patch -Patch6007: backport-0001-CVE-2025-27363.patch -Patch6008: backport-0002-CVE-2025-27363.patch +Patch6007: backport-Minimal-stop-gap-fix-for-CVE-2025-27363.patch BuildRequires: gcc libX11-devel libpng-devel zlib-devel bzip2-devel meson @@ -74,7 +73,6 @@ popd %patch6005 -p1 %patch6006 -p1 %patch6007 -p1 -%patch6008 -p1 %build %configure --disable-static --with-zlib=yes --with-bzip2=yes --with-png=yes --enable-freetype-config --with-harfbuzz=no @@ -155,6 +153,9 @@ meson test -C out %{_mandir}/man1/* %changelog +* Mon Apr 14 2025 zhangpan - 2.12.1-5 +- update CVE-2025-27363 patch + * Mon Mar 17 2025 zhangpan - 2.12.1-4 - fix CVE-2025-27363 -- Gitee