X-Original-To: alpine-aports@lists.alpinelinux.org
Received: from mail-qt0-f169.google.com (mail-qt0-f169.google.com [209.85.216.169])
	by lists.alpinelinux.org (Postfix) with ESMTP id 536685C49AB
	for <alpine-aports@lists.alpinelinux.org>; Mon,  1 May 2017 04:07:57 +0000 (GMT)
Received: by mail-qt0-f169.google.com with SMTP id m36so84174488qtb.0
        for <alpine-aports@lists.alpinelinux.org>; Sun, 30 Apr 2017 21:07:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:subject:date:message-id;
        bh=EhSK6oML51avGKNHXsUFTCmR2juJVzi3MWO+Xagbi8w=;
        b=WzKk4ZruzTMuPI4NjMsox3kRme8zyzEpkSO5dDc96/zDYl5YMkIN0QbNYIMmkhuqpz
         1OHQSflZBT6SZYWdZrYvI6L67hs5ahGUsUyZA5tG/U8/JrNvv/NqTJDpDcfXJazwPGHI
         I8+b3bNYir4++uAEp+7GTwFfPteps2A3QOIR4HmUGlOYRr9en8WB5oUYyjHtTt1g8iVF
         e/UtqnbhYJMTx/2WWxtzlQ15WILuawJxrSDMQ4Sm3VwvBh4XQAgpTQE0ubMRH2bupmba
         V1DfCIn2xY9NgIrKwBXyGgdyVOmIldSkAQl/LjtiIrbdq6IYUqxadBKOdDX3m6xmR72X
         oKuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:subject:date:message-id;
        bh=EhSK6oML51avGKNHXsUFTCmR2juJVzi3MWO+Xagbi8w=;
        b=OVfG46Z841HrNilFObA6xhH1aYRm3E+1n2uKjmZJ5XBuy9ra2HVm1/RpU+pJXm2baY
         3g3FCe95jCjrmCKLv/is9NTP9zjyF6aB1lLQnwjaBjCn1sb9bwqyeKheIujzjRILHlwk
         7tSRiWXqSvqFckKMo1qFaYcoWnDUvXU7uoSqU+9jVcZ7BZ+XfiWVWYK3fD1UTWIY4DQp
         yEq7F6eqd6PJ7WCOMih0Zhh559juPQLKT+WjSW9DCXD+mrt4gAhCE4fZr5csHC6weRgg
         m5vz3EtUQHapEvffpRFQAVNmTqPCtvhrnWdaYNb237ZzSv26kCYtLCdflr3/eDYIcrl7
         gWrQ==
X-Gm-Message-State: AN3rC/4ew7RWOFAP2YEaMCzSgYODJJa4IZPf1vCedVdOGn+qO2mBtToL
	cOE1ex1AqyoklP14
X-Received: by 10.237.62.125 with SMTP id m58mr19257657qtf.36.1493611676552;
        Sun, 30 Apr 2017 21:07:56 -0700 (PDT)
Received: from alp.lan (c-71-60-35-21.hsd1.pa.comcast.net. [71.60.35.21])
        by smtp.googlemail.com with ESMTPSA id j1sm10006369qkf.57.2017.04.30.21.07.55
        for <alpine-aports@lists.alpinelinux.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 30 Apr 2017 21:07:55 -0700 (PDT)
From: Daniel Sabogal <dsabogalcc@gmail.com>
To: alpine-aports@lists.alpinelinux.org
Subject: [alpine-aports] [PATCH] main/freetype: security fixes (CVE-2017-8105, CVE-2017-8287)
Date: Mon,  1 May 2017 00:07:23 -0400
Message-Id: <20170501040725.15347-1-dsabogalcc@gmail.com>
X-Mailer: git-send-email 2.12.2
X-Mailinglist: alpine-aports
Precedence: list
List-Id: Alpine Development <alpine-aports.lists.alpinelinux.org>
List-Unsubscribe: 
	<mailto:alpine-aports+unsubscribe@lists.alpinelinux.org?subject=unsubscribe>
List-Post: <mailto:alpine-aports@lists.alpinelinux.org>
List-Help: <mailto:alpine-aports+help@lists.alpinelinux.org?subject=help>
List-Subscribe: 
	<mailto:alpine-aports+subscribe@lists.alpinelinux.org?subject=subscribe>

---
 main/freetype/APKBUILD            | 23 ++++++++++----------
 main/freetype/CVE-2017-8105.patch | 44 +++++++++++++++++++++++++++++++++++++++
 main/freetype/CVE-2017-8287.patch | 32 ++++++++++++++++++++++++++++
 3 files changed, 87 insertions(+), 12 deletions(-)
 create mode 100644 main/freetype/CVE-2017-8105.patch
 create mode 100644 main/freetype/CVE-2017-8287.patch

diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD
index d693f82d66..6043cdde0c 100644
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=freetype
 pkgver=2.7.1
-pkgrel=0
+pkgrel=1
 pkgdesc="TrueType font rendering library"
 url="http://freetype.sourceforge.net"
 arch="all"
@@ -16,8 +16,15 @@ source="http://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar.
 	0001-Enable-table-validation-modules.patch
 	0002-Enable-subpixel-rendering.patch
 	0003-Enable-infinality-subpixel-hinting.patch
+	CVE-2017-8105.patch
+	CVE-2017-8287.patch
 	"
 
+# secfixes:
+#   2.7.1-r1:
+#     - CVE-2017-8105
+#     - CVE-2017-8287
+
 builddir="$srcdir/$pkgname-$pkgver"
 
 build() {
@@ -43,18 +50,10 @@ package() {
 	ln -s freetype2 "$pkgdir"/usr/include/freetype
 }
 
-md5sums="b3230110e0cab777e0df7631837ac36e  freetype-2.7.1.tar.bz2
-4e87d814f54a8047c3b8c4f7f01af5ff  40-memcpy-fix.patch
-cf20a9583d164ffbdb2e5daeea679481  0001-Enable-table-validation-modules.patch
-8814c204656c808588d79348ee5e292e  0002-Enable-subpixel-rendering.patch
-febde7721bbb4e3276840bc242930848  0003-Enable-infinality-subpixel-hinting.patch"
-sha256sums="3a3bb2c4e15ffb433f2032f50a5b5a92558206822e22bfe8cbe339af4aa82f88  freetype-2.7.1.tar.bz2
-b613951938c03d2ab35a7320dd60c8fb14951877bc17b7da57d4c93d3cd44298  40-memcpy-fix.patch
-6d273254fd925d284e5f66e3861eaef69a4393f34872398b2c93af0d5e15d34e  0001-Enable-table-validation-modules.patch
-9da762d69d85ca825a8e4578aaaeba28aa17b8d8a3bca29929c4786b3a82c104  0002-Enable-subpixel-rendering.patch
-d043fa4ce22b6e6cfafa0d2e2898b1c5cd000ec66094a97ab57c9126934ba371  0003-Enable-infinality-subpixel-hinting.patch"
 sha512sums="df39e2ef55f9090a66fecb6b5e9a5d296a043ddfd919d0ce3d7ea5132aa388bfbbeeaa6d6df6513956134b987e1c3a5eac6975c0c9631213af77457a623b49da  freetype-2.7.1.tar.bz2
 9981be8a3ea6f2cf856860b87a4e895e4610c9d5ea4beb611815e757e6080e060f6853ace02dd8ea55e5888cdf4bae5ad5eadd2d8a123754bb3c0bfe7ef41dea  40-memcpy-fix.patch
 41a84be2631b53072a76b78c582575aa48b650ee7b00017d018381002bc25df10cf33da4954c95ef50db39f1fa566678e3b4ae9bfee1dfd705423fb53e53e494  0001-Enable-table-validation-modules.patch
 65be5283f5050e9d6ebe1c6808ec28bb46d5290ee84aede570977b66988eeb674524d0a834dbb2999a487e3a85ca292774212dadc5a3e713e1f5b8a80d75ddf3  0002-Enable-subpixel-rendering.patch
-7b52a3d67750d59b2c98e83dab4e0a0ab263142c2ca7bd5f8be5f8fe9cd1dc1f4debad44111c7886665329d8d2a3163756455618a6615df8f85d82bb0372d4dd  0003-Enable-infinality-subpixel-hinting.patch"
+7b52a3d67750d59b2c98e83dab4e0a0ab263142c2ca7bd5f8be5f8fe9cd1dc1f4debad44111c7886665329d8d2a3163756455618a6615df8f85d82bb0372d4dd  0003-Enable-infinality-subpixel-hinting.patch
+b781e831289d0e24ce7901a23f3d8bade164a12ac1ffcc8efdec506507cee73fac127b0fa7c4fd98533400077a38308f2012ba1ba89d020bec00fd04041b2344  CVE-2017-8105.patch
+6dc050e68ced0227e56a61b960e90acec46e984e6c8c70c2604df48eb860ffa946bed7926e0342ef928d3c2b61acb012abc565c0b3bad9324e86f3688180f8a3  CVE-2017-8287.patch"
diff --git a/main/freetype/CVE-2017-8105.patch b/main/freetype/CVE-2017-8105.patch
new file mode 100644
index 0000000000..b42ae37d7c
--- /dev/null
+++ b/main/freetype/CVE-2017-8105.patch
@@ -0,0 +1,44 @@
+From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Fri, 24 Mar 2017 09:15:10 +0100
+Subject: [PATCH] [psaux] Better protect `flex' handling.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+<callothersubr>: Since there is not a single flex operator but a
+series of subroutine calls, malformed fonts can call arbitrary other
+operators after the start of a flex, possibly adding points.  For
+this reason we have to check the available number of points before
+inserting a point.
+
+---
+diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
+index af7b465e..7dd45135 100644
+--- a/src/psaux/t1decode.c
++++ b/src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+             /* point without adding any point to the outline    */
+             idx = decoder->num_flex_vectors++;
+             if ( idx > 0 && idx < 7 )
++            {
++              /* in malformed fonts it is possible to have other */
++              /* opcodes in the middle of a flex (which don't    */
++              /* increase `num_flex_vectors'); we thus have to   */
++              /* check whether we can add a point                */
++              if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
++                goto Syntax_Error;
++
+               t1_builder_add_point( builder,
+                                     x,
+                                     y,
+                                     (FT_Byte)( idx == 3 || idx == 6 ) );
++            }
+           }
+           break;
+ 
+-- 
+2.11.0
+
diff --git a/main/freetype/CVE-2017-8287.patch b/main/freetype/CVE-2017-8287.patch
new file mode 100644
index 0000000000..e33950bf9b
--- /dev/null
+++ b/main/freetype/CVE-2017-8287.patch
@@ -0,0 +1,32 @@
+From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sun, 26 Mar 2017 08:32:09 +0200
+Subject: [PATCH] * src/psaux/psobjs.c (t1_builder_close_contour): Add safety
+ guard.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
+
+diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
+index d18e821a..0baf8368 100644
+--- a/src/psaux/psobjs.c
++++ b/src/psaux/psobjs.c
+@@ -1718,6 +1718,14 @@
+     first = outline->n_contours <= 1
+             ? 0 : outline->contours[outline->n_contours - 2] + 1;
+ 
++    /* in malformed fonts it can happen that a contour was started */
++    /* but no points were added                                    */
++    if ( outline->n_contours && first == outline->n_points )
++    {
++      outline->n_contours--;
++      return;
++    }
++
+     /* We must not include the last point in the path if it */
+     /* is located on the first point.                       */
+     if ( outline->n_points > 1 )
+-- 
+2.11.0
+
-- 
2.12.2



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---