From 1379b610b6f416ebedfb23b8549a926ad99c331c Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 31 Mar 2025 18:33:03 +0000 Subject: [PATCH] import UBI freetype-2.9.1-10.el8_10 --- SOURCES/freetype-2.9.1-cve-2025-27363.patch | 27 +++++++++++++++++++++ SPECS/freetype.spec | 12 ++++++++- 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 SOURCES/freetype-2.9.1-cve-2025-27363.patch diff --git a/SOURCES/freetype-2.9.1-cve-2025-27363.patch b/SOURCES/freetype-2.9.1-cve-2025-27363.patch new file mode 100644 index 0000000..295f716 --- /dev/null +++ b/SOURCES/freetype-2.9.1-cve-2025-27363.patch @@ -0,0 +1,27 @@ +diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c +index 39d9c3f..d36cbe9 100644 +--- a/src/truetype/ttgload.c ++++ b/src/truetype/ttgload.c +@@ -1840,7 +1840,7 @@ + short i, limit; + FT_SubGlyph subglyph; + +- FT_Outline outline; ++ FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 }; + FT_Vector* points = NULL; + char* tags = NULL; + short* contours = NULL; +@@ -1848,6 +1848,13 @@ + + limit = (short)gloader->current.num_subglyphs; + ++ /* make sure this isn't negative as we're going to add 4 later */ ++ if ( limit < 0 ) ++ { ++ error = FT_THROW( Invalid_Argument ); ++ goto Exit; ++ } ++ + /* construct an outline structure for */ + /* communication with `TT_Vary_Apply_Glyph_Deltas' */ + outline.n_points = (short)( gloader->current.num_subglyphs + 4 ); diff --git a/SPECS/freetype.spec b/SPECS/freetype.spec index ba024a6..34f6931 100644 --- a/SPECS/freetype.spec +++ b/SPECS/freetype.spec @@ -3,7 +3,7 @@ Summary: A free and portable font rendering engine Name: freetype Version: 2.9.1 -Release: 9%{?dist} +Release: 10%{?dist} License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement Group: System Environment/Libraries URL: http://www.freetype.org @@ -42,6 +42,11 @@ Patch11: freetype-2.9.1-properly-guard-face-index.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2077985 Patch12: freetype-2.9.1-guard-face-size.patch +# CVE-2025-27363 +# https://access.redhat.com/security/cve/cve-2025-27363 +# Patch by Marc Deslauriers of Canonical +Patch13: freetype-2.9.1-cve-2025-27363.patch + BuildRequires: libX11-devel BuildRequires: libpng-devel BuildRequires: zlib-devel @@ -106,6 +111,7 @@ popd %patch10 -p1 -b .windres %patch11 -p1 -b .properly-guard-face-index %patch12 -p1 -b .guard-face-size +%patch13 -p1 -b .cve-2025-27363 %build @@ -218,6 +224,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la} %{_mandir}/man1/* %changelog +* Fri Mar 14 2025 Jonathan Wright - 2.9.1-10 +- Fix CVE-2025-27363 Out-of-bounds Write +- Resolves: RHEL-83094 + * Fri May 27 2022 Marek Kasik - 2.9.1-9 - Guard face->size - Resolves: #2079279