Fix CVE-2025-27363

Pick some more fixes Resolves: RHEL-83101
2025-05-08 17:22:43 +03:00 · 2025-05-08 17:22:43 +03:00 · 93ea26b9ce
commit 93ea26b9ce
parent 85f637e5cd
7 changed files with 235 additions and 1 deletions
--- a/freetype-2.8.3-avoid-invalid-face-index.patch
+++ b/freetype-2.8.3-avoid-invalid-face-index.patch
@ -0,0 +1,29 @@
+From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 17 Mar 2022 19:24:16 +0100
+Subject: [PATCH] [sfnt] Avoid invalid face index.
+
+Fixes #1138.
+
+* src/sfnt/sfobjs.c (sfnt_init_face)
+Check `face_index` before decrementing.
+---
+ src/sfnt/sfobjs.c  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
+index f9d4d3858..9771c35df 100644
+--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
+@@ -921,7 +921,7 @@
+     face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+ 
+     /* value -(N+1) requests information on index N */
+-    if ( face_instance_index < 0 )
+    if ( face_instance_index < 0 && face_index > 0 )
+       face_index--;
+ 
+     if ( face_index >= face->ttc_header.count )
+-- 
+2.35.1
+
--- a/freetype-2.8.3-cve-2025-27363.patch
+++ b/freetype-2.8.3-cve-2025-27363.patch
@ -0,0 +1,26 @@
+--- a/src/truetype/ttgload.c	2017-05-04 00:40:41.000000000 +0300
+++ b/src/truetype/ttgload.c	2025-04-29 14:41:33.773082591 +0300
+@@ -1753,7 +1753,7 @@
+         short        i, limit;
+         FT_SubGlyph  subglyph;
+ 
+-        FT_Outline  outline;
+        FT_Outline  outline = { 0, 0, NULL, NULL, NULL, 0 };
+         FT_Vector*  points   = NULL;
+         char*       tags     = NULL;
+         short*      contours = NULL;
+@@ -1761,6 +1761,14 @@
+ 
+         limit = (short)gloader->current.num_subglyphs;
+ 
+        /* make sure this isn't negative as we're going to add 4 later */
+        if ( limit < 0 )
+        {
+          error = FT_THROW( Invalid_Argument );
+          goto Exit;
+        }
+
+
+         /* construct an outline structure for              */
+         /* communication with `TT_Vary_Apply_Glyph_Deltas' */
+         outline.n_points   = (short)( gloader->current.num_subglyphs + 4 );
--- a/freetype-2.8.3-guard-face-size.patch
+++ b/freetype-2.8.3-guard-face-size.patch
@ -0,0 +1,27 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
+@@ -3066,6 +3066,9 @@
+     if ( !face )
+       return FT_THROW( Invalid_Face_Handle );
+ 
+    if ( !face->size )
+      return FT_THROW( Invalid_Size_Handle );
+
+     if ( !req || req->width < 0 || req->height < 0 ||
+          req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+       return FT_THROW( Invalid_Argument );
+-- 
+2.35.1
+
--- a/freetype-2.8.3-png-bitmap-size.patch
+++ b/freetype-2.8.3-png-bitmap-size.patch
@ -0,0 +1,48 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ ChangeLog          |  8 ++++++++
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+ 
+     if ( populate_map_and_metrics )
+     {
+      /* reject too large bitmaps similarly to the rasterizer */
+      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto DestroyExit;
+      }
+
+       metrics->width  = (FT_UShort)imgWidth;
+       metrics->height = (FT_UShort)imgHeight;
+ 
+@@ -340,13 +347,6 @@
+       map->pixel_mode = FT_PIXEL_MODE_BGRA;
+       map->pitch      = (int)( map->width * 4 );
+       map->num_grays  = 256;
+-
+-      /* reject too large bitmaps similarly to the rasterizer */
+-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto DestroyExit;
+-      }
+     }
+ 
+     /* convert palette/gray image to rgb */
+-- 
+2.26.2
+
--- a/freetype-2.8.3-png-memory-leak.patch
+++ b/freetype-2.8.3-png-memory-leak.patch
@ -0,0 +1,28 @@
+From 007c109b4594c5e63948bd08b4d5011ad76ffb10 Mon Sep 17 00:00:00 2001
+From: Ben Wagner <bungeman@google.com>
+Date: Fri, 23 Oct 2020 08:29:14 +0200
+Subject: [PATCH] * src/sfnt/pngshim.c (Load_SBit_Png): Fix memory leak
+ (#59322).
+
+The issue is that `rows` is allocated but will not be freed in the
+event that the call to `png_read_image` fails and calls `longjmp`.
+---
+ ChangeLog          | 7 +++++++
+ src/sfnt/pngshim.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index f55016122..d4e43a9f4 100644
+--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
+@@ -443,6 +443,7 @@
+     png_read_end( png, info );
+ 
+   DestroyExit:
+    FT_FREE( rows );
+     png_destroy_read_struct( &png, &info, NULL );
+     FT_Stream_Close( &stream );
+ 
+-- 
+2.26.2
+
--- a/freetype-2.8.3-properly-guard-face_index.patch
+++ b/freetype-2.8.3-properly-guard-face_index.patch
@ -0,0 +1,46 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+
+Fixes #1139.
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+From d014387ad4a5dd04d8e7f99587c7dacb70261924 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:30:45 +0100
+Subject: [PATCH 2/2] * src/base/ftobjs.c (ft_open_face_internal): Thinko.
+
+---
+ src/base/ftobjs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
+@@ -2211,6 +2211,16 @@
+ #endif
+ 
+ 
+    /* only use lower 31 bits together with sign bit */
+    if ( face_index > 0 )
+      face_index &= 0x7FFFFFFFL;
+    else
+    {
+      face_index  = -face_index;
+      face_index &= 0x7FFFFFFFL;
+      face_index  = -face_index;
+    }
+
+ #ifdef FT_DEBUG_LEVEL_TRACE
+     FT_TRACE3(( "FT_Open_Face: " ));
+     if ( face_index < 0 )
+-- 
+2.35.1
+
--- a/mingw-freetype.spec
+++ b/mingw-freetype.spec
@ -6,7 +6,7 @@

 Name:           mingw-freetype
 Version:        2.8
-Release:        3%{?dist}
+Release:        3%{?dist}.1
 Summary:        Free and portable font rendering engine

 License:        FTL or GPLv2+
@ -26,6 +26,26 @@ Patch6:         0077-truetype-Fix-loading-of-named-instances.patch
 Patch7:         0079-src-truetype-ttgxvar.c-TT_Get_MM_Var-Fix-thinko.patch
 Patch8:         freetype-2.8-multilib.patch

+
+# patches (9-14) from freetype package, adjusted to freetype 2.8.3
+# https://bugzilla.redhat.com/show_bug.cgi?id=1890210
+Patch9:         freetype-2.8.3-png-bitmap-size.patch
+Patch10:        freetype-2.8.3-png-memory-leak.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2077989
+Patch11:        freetype-2.8.3-avoid-invalid-face-index.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2077991
+Patch12:        freetype-2.8.3-properly-guard-face_index.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2077985
+Patch13:        freetype-2.8.3-guard-face-size.patch
+
+# CVE-2025-27363
+# https://access.redhat.com/security/cve/cve-2025-27363
+# Patch by Marc Deslauriers of Canonical
+Patch14:        freetype-2.8.3-cve-2025-27363.patch
+
 BuildArch:      noarch
 ExclusiveArch:  %{ix86} x86_64

@ -98,6 +118,12 @@ Static version of the MinGW Windows Freetype library.
 %patch6 -p1 -b .named-instances
 %patch7 -p1 -b .named-instances2
 %patch8 -p1 -b .multilib
+%patch9 -p1 -b .png-bitmap-size
+%patch10 -p1 -b .png-memory-leak
+%patch11 -p1 -b .avoid-invalid-face-index
+%patch12 -p1 -b .properly-guard-face_index
+%patch13 -p1 -b .guard-face-size
+%patch14 -p1 -b .cve-2025-27363


 %build
@ -148,6 +174,10 @@ rm -rf $RPM_BUILD_ROOT%{mingw32_mandir} $RPM_BUILD_ROOT%{mingw64_mandir}


 %changelog
+* Tue Apr 29 2025 Uri Lublin <uril@redhat.com> - 2.8-3.1
+- Fix CVE-2025-27363
+  Resolves: RHEL-83101
+
 * Thu Aug 16 2018 Snir Sheriber <ssheribe@redhat.com> - 2.8-3
 - ExclusiveArch: i686, x86_64
  Related: rhbz#1615874