Commit 9ec0eb5c authored by Michel Lind

Merge branch 'c9s-cve-2025-27363' into 'c9s'

TrueType clean up and unsigned fixes for CVE-2025-27363

See merge request !8
parents 6d3cc91c 61fdf05f
Pipeline #1717646084 failed
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -1944,7 +1944,7 @@
short i, limit;
FT_SubGlyph subglyph;
- FT_Outline outline;
+ FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 };
FT_Vector* points = NULL;
char* tags = NULL;
short* contours = NULL;
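Review bot: the positional initializer `{ 0, 0, NULL, NULL, NULL, 0 }` on `outline` depends on the member order of `FT_Outline` and has no comment saying why it is now required. If the reason is that the early `goto Exit` added in the next hunk can be taken before the outline fields are assigned, say so in a one-line comment so the initializer is not dropped in a later cleanup. The neighbouring declarations (`points`, `tags`, `contours`) are each set to NULL individually, which is easier to audit than six unnamed values.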
@@ -1953,6 +1953,13 @@
limit = (short)gloader->current.num_subglyphs;
+ /* make sure this isn't negative as we're going to add 4 later */
+ if ( limit < 0 )
+ {
+ error = FT_THROW( Invalid_Argument );
+ goto Exit;
+ }
+
/* construct an outline structure for */
/* communication with `TT_Vary_Apply_Glyph_Deltas' */
outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
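Review bot: the new `limit < 0` guard only covers the negative case, while the comment says the concern is the later addition of 4. From the lines shown, a `num_subglyphs` value within 4 of the top of the `short` range passes the check, and `(short)( gloader->current.num_subglyphs + 4 )` two lines below can still come out negative. Consider bounding the upper end as well, or checking `outline.n_points` right after it is computed, or extend the comment to say where that range is already excluded. It would also be cleaner to compute `outline.n_points` from the already validated `limit` rather than re-reading and re-casting `gloader->current.num_subglyphs`.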
......@@ -4,7 +4,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.10.4
Release: 9%{?dist}
Release: 10%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
URL: http://www.freetype.org
Source: http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.xz
......@@ -41,6 +41,17 @@ Patch10: freetype-2.10.4-properly-guard-face_index.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2077985
Patch11: freetype-2.10.4-guard-face-size.patch
# CVE-2025-27363
# https://access.redhat.com/security/cve/cve-2025-27363
# https://bugzilla.redhat.com/show_bug.cgi?id=2351357
# https://issues.redhat.com/browse/RHEL-83104
# https://issues.redhat.com/browse/RHEL-83109
# Patch initially by Marc Deslauriers of Canonical
# https://www.openwall.com/lists/oss-security/2025/03/14/3
# Adjusted for EL9 by Jonathan Wright of AlmaLinux
# and a member of the Meta security team
Patch12: freetype-2.10.4-cve-2025-27363.patch
BuildRequires: gcc
BuildRequires: libX11-devel
BuildRequires: libpng-devel
......@@ -108,6 +119,7 @@ popd
%patch9 -p1 -b .avoid-invalid-face-index
%patch10 -p1 -b .properly-guard-face_index
%patch11 -p1 -b .guard-face-size
%patch12 -p1 -b .cve-2025-27363
%build
......@@ -249,6 +261,11 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
%{_mandir}/man1/*
%changelog
* Fri Mar 14 2025 Michel Lind <salimma@centosproject.org> - 2.10.4-10
- Fix for CVE-2025-27363 out-of-bound write vulnerability
- Resolves: RHEL-83104
- Resolves: RHEL-83109
* Tue May 31 2022 Marek Kasik <mkasik@redhat.com> - 2.10.4-9
- Guard face->size
- Resolves: #2079280