From 7b433c6c0841a05c6db675a25a9f57b2f042a01a Mon Sep 17 00:00:00 2001 From: Parag Nemade Date: Sat, 16 Jul 2022 07:57:05 +0530 Subject: [PATCH] Resolves:rh#2103849 CVE-2022-33068 harfbuzz: integer overflow in the component hb-ot-shape-fallback.c --- CVE-2022-33068-sbix-Limit-glyph-extents.patch | 30 +++++++++++++++++++ harfbuzz.spec | 9 +++++- 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 CVE-2022-33068-sbix-Limit-glyph-extents.patch diff --git a/CVE-2022-33068-sbix-Limit-glyph-extents.patch b/CVE-2022-33068-sbix-Limit-glyph-extents.patch new file mode 100644 index 0000000..b52a8c0 --- /dev/null +++ b/CVE-2022-33068-sbix-Limit-glyph-extents.patch @@ -0,0 +1,30 @@ +From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod +Date: Wed, 1 Jun 2022 07:38:21 -0600 +Subject: [PATCH 001/363] [sbix] Limit glyph extents + +Fixes https://github.com/harfbuzz/harfbuzz/issues/3557 +--- + src/hb-ot-color-sbix-table.hh | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh +index 9741ebd45..6efae43cd 100644 +--- a/src/hb-ot-color-sbix-table.hh ++++ b/src/hb-ot-color-sbix-table.hh +@@ -298,6 +298,12 @@ struct sbix + + const PNGHeader &png = *blob->as(); + ++ if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536) ++ { ++ hb_blob_destroy (blob); ++ return false; ++ } ++ + extents->x_bearing = x_offset; + extents->y_bearing = png.IHDR.height + y_offset; + extents->width = png.IHDR.width; +-- +2.36.1 + diff --git a/harfbuzz.spec b/harfbuzz.spec index 8bc4b63..30946dc 100644 --- a/harfbuzz.spec +++ b/harfbuzz.spec @@ -1,12 +1,15 @@ Name: harfbuzz Version: 2.7.4 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Text shaping library License: MIT URL: https://harfbuzz.github.io/ Source0: https://github.com/harfbuzz/harfbuzz/releases/download/%{version}/harfbuzz-%{version}.tar.xz +# Upstream patch https://github.com/harfbuzz/harfbuzz/issues/3557 +Patch0: CVE-2022-33068-sbix-Limit-glyph-extents.patch + BuildRequires: cairo-devel BuildRequires: freetype-devel BuildRequires: glib2-devel @@ -88,6 +91,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la %{_libdir}/libharfbuzz-icu.so.* %changelog +* Fri Jul 15 2022 Parag Nemade - 2.7.4-6 +- Resolves:rh#2103849 CVE-2022-33068 + harfbuzz: integer overflow in the component hb-ot-shape-fallback.c + * Mon Aug 09 2021 Mohan Boddu - 2.7.4-5 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688