freetype: CVE-2018-6942: NULL pointer dereference in the Ins_GETVARIATION() function

Related Vulnerabilities: CVE-2018-6942  

Debian Bug report logs - #890450

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 14 Feb 2018 21:15:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version freetype/2.8.1-1

Fixed in version freetype/2.9.1-1

Done: Hugh McMaster <hugh.mcmaster@outlook.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#890450; Package src:freetype. (Wed, 14 Feb 2018 21:15:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Steve Langasek <vorlon@debian.org>. (Wed, 14 Feb 2018 21:15:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: freetype: CVE-2018-6942: NULL pointer dereference in the Ins_GETVARIATION() function
Date: Wed, 14 Feb 2018 22:13:32 +0100
Source: freetype
Version: 2.8.1-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for freetype.

CVE-2018-6942[0]:
| An issue was discovered in FreeType 2 through 2.9. A NULL pointer
| dereference in the Ins_GETVARIATION() function within ttinterp.c could
| lead to DoS via a crafted font file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6942
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6942
[1] https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=29c759284e305ec428703c9a5831d0b1fc3497ef

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) patch. Request was from Hugh McMaster <hugh.mcmaster@outlook.com> to control@bugs.debian.org. (Tue, 03 Jul 2018 13:18:03 GMT).


Added tag(s) pending. Request was from Hugh McMaster <hugh.mcmaster@outlook.com> to 698192-submit@bugs.debian.org. (Tue, 24 Jul 2018 13:24:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#890450; Package src:freetype. (Tue, 24 Jul 2018 13:24:14 GMT).


Acknowledgement sent to Hugh McMaster <hugh.mcmaster@outlook.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Tue, 24 Jul 2018 13:24:15 GMT).


Message #14 received at 890450@bugs.debian.org:

From: Hugh McMaster <hugh.mcmaster@outlook.com>
To: "698192@bugs.debian.org" <698192@bugs.debian.org>, "871470@bugs.debian.org" <871470@bugs.debian.org>, "873432@bugs.debian.org" <873432@bugs.debian.org>, "886461@bugs.debian.org" <886461@bugs.debian.org>, "890450@bugs.debian.org" <890450@bugs.debian.org>, "898983@bugs.debian.org" <898983@bugs.debian.org>, "901052@bugs.debian.org" <901052@bugs.debian.org>
Subject: freetype: diff for NMU version 2.9.1-0.1
Date: Tue, 24 Jul 2018 13:21:03 +0000
Control: tags 698192 + pending
Control: tags 871470 + pending
Control: tags 873432 + pending
Control: tags 886461 + pending
Control: tags 890450 + pending
Control: tags 898983 + pending
Control: tags 901052 + pending

Hi Steve,

I've prepared an NMU for freetype (versioned as 2.9.1-0.1) and
uploaded it to DELAYED/6. Please feel free to tell me if I
should delay it further.

A compressed diff is attached, as is a diff of the Debian-specific
changes.

Kind regards,

Hugh
[freetype-2.9.1-nmu.diff.tar.xz (application/octet-stream, attachment)]
[freetype-2.9.1-0.1-debian.diff (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#890450; Package src:freetype. (Tue, 24 Jul 2018 17:09:09 GMT).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Tue, 24 Jul 2018 17:09:09 GMT).


Message #19 received at 890450@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Hugh McMaster <hugh.mcmaster@outlook.com>, 898983@bugs.debian.org
Cc: "698192@bugs.debian.org" <698192@bugs.debian.org>, "871470@bugs.debian.org" <871470@bugs.debian.org>, "873432@bugs.debian.org" <873432@bugs.debian.org>, "886461@bugs.debian.org" <886461@bugs.debian.org>, "890450@bugs.debian.org" <890450@bugs.debian.org>, "901052@bugs.debian.org" <901052@bugs.debian.org>
Subject: Re: Bug#898983: freetype: diff for NMU version 2.9.1-0.1
Date: Tue, 24 Jul 2018 10:04:35 -0700
On Tue, Jul 24, 2018 at 01:21:03PM +0000, Hugh McMaster wrote:
> Control: tags 698192 + pending
> Control: tags 871470 + pending
> Control: tags 873432 + pending
> Control: tags 886461 + pending
> Control: tags 890450 + pending
> Control: tags 898983 + pending
> Control: tags 901052 + pending

> I've prepared an NMU for freetype (versioned as 2.9.1-0.1) and
> uploaded it to DELAYED/6. Please feel free to tell me if I
> should delay it further.

> A compressed diff is attached, as is a diff of the Debian-specific
> changes.

As commented in another thread, I believe this proposed NMU includes
packaging changes that are inappropriate to include in an NMU, as they do
not correspond to any filed bugs, have not been discussed in the BTS, and
are making decisions about the structure of the package that are properly
the remit of the maintainer.

I am open to having you, or someone, fully take over maintainership of
freetype.  But I do not believe that the changes proposed here are proper
for an NMU.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Reply sent to Hugh McMaster <hugh.mcmaster@outlook.com>:
You have taken responsibility. (Tue, 11 Sep 2018 12:03:16 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 11 Sep 2018 12:03:17 GMT).


Message #24 received at 890450-close@bugs.debian.org:

From: Hugh McMaster <hugh.mcmaster@outlook.com>
To: 890450-close@bugs.debian.org
Subject: Bug#890450: fixed in freetype 2.9.1-1
Date: Tue, 11 Sep 2018 12:00:11 +0000
Source: freetype
Source-Version: 2.9.1-1

We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890450@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugh McMaster <hugh.mcmaster@outlook.com> (supplier of updated freetype package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 14 Jul 2018 18:57:54 +1000
Source: freetype
Binary: libfreetype6 libfreetype6-dev freetype2-demos freetype2-doc libfreetype6-udeb
Architecture: source amd64 all
Version: 2.9.1-1
Distribution: experimental
Urgency: medium
Maintainer: Hugh McMaster <hugh.mcmaster@outlook.com>
Changed-By: Hugh McMaster <hugh.mcmaster@outlook.com>
Description:
 freetype2-demos - FreeType 2 demonstration programs
 freetype2-doc - FreeType 2 font engine, development documentation
 libfreetype6 - FreeType 2 font engine, shared library files
 libfreetype6-dev - FreeType 2 font engine, development files
 libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Closes: 698192 871470 873432 886461 890450 898983 901052
Changes:
 freetype (2.9.1-1) experimental; urgency=medium
 .
   * New maintainer: Hugh McMaster
     - A big thank you to Steve Langasek for maintaining freetype over
       the past 12 years.
   * New upstream release (Closes: #901052):
     - Avoid dereferencing a NULL pointer (CVE-2018-6942) (Closes: #890450).
     - The `freetype-config' script is no longer installed by default
       (Closes: #871470, #886461). All packages depending on libfreetype6-dev
       should use pkg-config to find the relevant CFLAGS and libraries.
     - Fix unaligned access failures caused by 'mmvar' array pointers in the
       TrueType font driver (Closes: #898983).
     - Infinality patches previously integrated upstream (Closes: #698192).
   * Switch to dpkg-source 3.0 (quilt) format.
   * Update debhelper package compatibility to level 11.
   * Introduce freetype2-doc:
     - Move the development documentation from libfreetype6-dev.
     - Declare Replaces+Breaks against libfreetype6-dev.
     - Update the package's doc-base registration.
     - Comment out references to fonts.googleapis.com (Closes: #873432).
     - Add a Dependency on libjs-jquery.
     - Do not install the source jQuery library. Instead, add a symlink
       to the equivalent library provided by Debian.
   * debian/changelog:
     - Remove trailing whitespace.
   * debian/control:
     - Build-Depend on debhelper version 11.
     - Remove the version requirement from the gettext Build-Dependency.
     - Remove automake and quilt from the Build-Depends list.
     - Add libjs-jquery to the Build-Depends list.
     - Raise Standards-Version from 4.0.0 to 4.2.1.
     - Use secure HTTP for the Homepage URI.
     - Update package descriptions.
     - Mark freetype2-demos Multi-Arch: foreign.
     - Rename the XC-Package-Type field to Package-Type.
   * debian/copyright:
     - Use secure HTTP in the Format and Source fields.
     - Update for FreeType 2.9.1.
   * debian/missing-sources:
     - Add source files for jquery.ba-resize.min.js and jquery-1.11.0.min.js.
   * debian/patches:
     - Convert freetype_2.8.1-2.diff into patches.
     - Remove an unused patch: enable-old-cff.patch
     - Remove freetype-config-multi-arch.patch (no longer needed).
     - Refresh other patches.
     - no-web-fonts.patch: Comment out references to fonts.googleapis.com.
     - hide-donations-information.patch: Hide donations information in the
       documentation to prevent several lintian errors.
   * debian/rules:
     - Include the /usr/share/dpkg/pkg-info.mk Makefile library instead of
       calling 'dpkg-parsechangelog'.
     - Add 'hardening=+all' to DEB_BUILD_MAINT_OPTIONS.
     - Remove special handling for libpng12.
     - Remove a legacy workaround for gcc-4.4.
     - Remove legacy 'unpack', 'patch' and 'get-orig-source' recipes.
     - Remove un-needed debhelper overrides and legacy code.
     - Copy docs/CHANGES as docs/NEWS to comply with Debian policy 12.7.
   * Update the libfreetype6 symbols file for FreeType 2.9.1.
   * Add a debian/watch file.
   * Add an upstream cryptographic signature.
   * Remove debian/freetype2-demos.dirs, debian/libfreetype6-udeb.dirs and
     debian/README.source (no longer needed).
   * Update lintian overrides for the freetype source package.
   * Add lintian overrides for freetype2-demos and freetype2-doc.
   * Convert /usr/share/doc/freetype2-demos and /usr/share/doc/libfreetype6-dev
     symlinks to directories.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 27 Nov 2018 07:30:05 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:37:33 2019; Machine Name: buxtehude