lp:ubuntu/natty-security/freetype

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/natty-security/freetype

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

42. By Tyler Hicks

* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1126.patch: Perform better input
    sanitization when parsing properties. Based on upstream patch.
  - CVE-2012-1126
* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1127.patch: Perform better input
    sanitization when parsing glyphs. Based on upstream patch.
  - CVE-2012-1127
* SECURITY UPDATE: Denial of service via crafted TrueType font
  - debian/patches-freetype/CVE-2012-1128.patch: Improve loop logic to avoid
    NULL pointer dereference. Based on upstream patch.
  - CVE-2012-1128
* SECURITY UPDATE: Denial of service via crafted Type42 font
  - debian/patches-freetype/CVE-2012-1129.patch: Perform better input
    sanitization when parsing SFNT strings. Based on upstream patch.
  - CVE-2012-1129
* SECURITY UPDATE: Denial of service via crafted PCF font
  - debian/patches-freetype/CVE-2012-1130.patch: Allocate enough memory to
    properly NULL-terminate parsed properties strings. Based on upstream
    patch.
  - CVE-2012-1130
* SECURITY UPDATE: Denial of service via crafted TrueType font
  - debian/patches-freetype/CVE-2012-1131.patch: Use appropriate data type to
    prevent integer truncation on 64 bit systems when rendering fonts. Based
    on upstream patch.
  - CVE-2012-1131
* SECURITY UPDATE: Denial of service via crafted Type1 font
  - debian/patches-freetype/CVE-2012-1132.patch: Ensure strings are of
    appropriate length when loading Type1 fonts. Based on upstream patch.
  - CVE-2012-1132
* SECURITY UPDATE: Denial of service and arbitrary code execution via
  crafted BDF font
  - debian/patches-freetype/CVE-2012-1133.patch: Limit range of negative
    glyph encoding values to prevent invalid array indexes. Based on
    upstream patch.
  - CVE-2012-1133
* SECURITY UPDATE: Denial of service and arbitrary code execution via
  crafted Type1 font
  - debian/patches-freetype/CVE-2012-1134.patch: Enforce a minimum Type1
    private dictionary size to prevent writing past array bounds. Based on
    upstream patch.
  - CVE-2012-1134
* SECURITY UPDATE: Denial of service via crafted TrueType font
  - debian/patches-freetype/CVE-2012-1135.patch: Perform proper bounds
    checks when interpreting TrueType bytecode. Based on upstream patch.
  - CVE-2012-1135
* SECURITY UPDATE: Denial of service and arbitrary code execution via
  crafted BDF font
  - debian/patches-freetype/CVE-2012-1136.patch: Ensure encoding field is
    defined when parsing glyphs. Based on upstream patch.
  - CVE-2012-1136
* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1137.patch: Allocate sufficient number
    of array elements to prevent reading past array bounds. Based on
    upstream patch.
  - CVE-2012-1137
* SECURITY UPDATE: Denial of service via crafted TrueType font
  - debian/patches-freetype/CVE-2012-1138.patch: Correct typo resulting in
    invalid read from wrong memory location. Based on upstream patch.
  - CVE-2012-1138
* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1139.patch: Check array index values to
    prevent reading invalid memory. Based on upstream patch.
  - CVE-2012-1139
* SECURITY UPDATE: Denial of service via crafted PostScript font
  - debian/patches-freetype/CVE-2012-1140.patch: Fix off-by-one error in
    boundary checks. Based on upstream patch.
  - CVE-2012-1140
* SECURITY UPDATE: Denial of service via crafted BDF font
  - debian/patches-freetype/CVE-2012-1141.patch: Initialize field elements
    to prevent invalid read. Based on upstream patch.
  - CVE-2012-1141
* SECURITY UPDATE: Denial of service via crafted Windows FNT/FON font
  - debian/patches-freetype/CVE-2012-1142.patch: Perform input sanitization
    on first and last character code fields. Based on upstream patch.
  - CVE-2012-1142
* SECURITY UPDATE: Denial of service via crafted font
  - debian/patches-freetype/CVE-2012-1143.patch: Protect against divide by
    zero when dealing with 32 bit types. Based on upstream patch.
  - CVE-2012-1143
* SECURITY UPDATE: Denial of service and arbitrary code execution via
  crafted TrueType font
  - debian/patches-freetype/CVE-2012-1144.patch: Perform input sanitization
    on the first glyph outline point value. Based on upstream patch.
  - CVE-2012-1144

41. By Tyler Hicks

* SECURITY UPDATE: Arbitrary code execution via crafted Type 1 font
  - debian/patches-freetype/CVE-2011-3256.patch: Sanitize Type 1 font inputs
    in src/base/ftbitmap.c, src/psaux/t1decode.c, src/raster/ftrend1.c, and
    src/truetype/ttgxvar.c. Based on upstream patch.
  - CVE-2011-3256
* SECURITY UPDATE: Arbitrary code execution via crafted CID-keyed PS font
  - debian/patches-freetype/CVE-2011-3439.patch: Sanitize CID-keyed
    PostScript font inputs in src/cid/cidload.c. Based on upstream patch.
  - CVE-2011-3439

40. By Marc Deslauriers

* SECURITY UPDATE: arbitrary code execution via crafted Type 1 font
  - debian/patches-freetype/CVE-2011-0226.patch: check for proper
    signedness in src/psaux/t1decode.c.
  - CVE-2011-0226
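
The entries in revisions 42 and 40 above keep coming back to two disciplines when parsing font data: treat a parsed signed value (a glyph encoding, a length, an array index) as hostile until it has been range-checked while it is still signed, and allocate one byte more than the field length so a copied string can be NUL-terminated. The following is an added illustrative example, not FreeType code and not the Ubuntu patches referenced in the changelog; it assumes a toy BDF-style "ENCODING <int>" line, a 256-entry encoding table, and the function names parse_encoding, mark_encodings and copy_property, all of which are inventions of this example. The sample lines in main are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the toy per-font encoding table (an assumption for this example). */
#define TABLE_SIZE 256

/* Parse a BDF-style "ENCODING <int>" line and validate the value as an index
 * into a table of table_size entries.  Returns 1 and stores the index in *out
 * on success; returns 0 for unparsable input, negative values, or values at or
 * beyond table_size.  The negative check is done on the signed value before
 * any conversion to size_t, which is the signedness discipline the changelog
 * entries describe.  (Real BDF uses "ENCODING -1 <n>" for unencoded glyphs;
 * this toy simply refuses anything that cannot index the table.) */
int parse_encoding(const char *line, size_t table_size, size_t *out)
{
    static const char kw[] = "ENCODING ";
    const char *p;
    char *end;
    long v;

    if (strncmp(line, kw, sizeof kw - 1) != 0)
        return 0;
    p = line + (sizeof kw - 1);

    errno = 0;
    v = strtol(p, &end, 10);
    if (end == p || errno == ERANGE)          /* no digits, or overflow */
        return 0;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')                         /* trailing garbage */
        return 0;

    if (v < 0 || (unsigned long)v >= table_size)
        return 0;                             /* would index outside the table */

    *out = (size_t)v;
    return 1;
}

/* Mark the glyphs named by a batch of ENCODING lines in a table of
 * TABLE_SIZE flags; returns how many lines were accepted.  Rejected lines
 * never touch the table, so a hostile negative or oversized value cannot
 * write outside it. */
size_t mark_encodings(const char *const *lines, size_t n, unsigned char *table)
{
    size_t i, idx, accepted = 0;

    for (i = 0; i < n; i++) {
        if (parse_encoding(lines[i], TABLE_SIZE, &idx)) {
            table[idx] = 1;
            accepted++;
        }
    }
    return accepted;
}

/* Copy a raw, non-terminated property value of len bytes into fresh storage
 * with room for the terminating NUL (len + 1 bytes, the allocation the
 * CVE-2012-1130 entry describes).  Caller frees the result. */
char *copy_property(const char *raw, size_t len)
{
    char *s;

    if (len == SIZE_MAX)                      /* len + 1 would wrap to 0 */
        return NULL;
    s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, raw, len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    /* Constructed sample: one well-formed line and three hostile ones. */
    static const char *const sample[] = {
        "ENCODING 65\n",
        "ENCODING -5\n",                    /* negative: before the table */
        "ENCODING 300\n",                   /* beyond TABLE_SIZE */
        "ENCODING 99999999999999999999\n",  /* overflows long */
    };
    size_t count = sizeof sample / sizeof sample[0];
    unsigned char table[TABLE_SIZE] = {0};
    size_t ok = mark_encodings(sample, count, table);
    char *prop = copy_property("Example Font", 7);

    printf("accepted %zu of %zu lines; table[65]=%d; prop=\"%s\"\n",
           ok, count, table[65], prop ? prop : "(null)");
    free(prop);
    return 0;
}
```

The point of checking `v < 0` on the long before casting is that a cast to size_t turns a small negative number into a huge positive one, which a later `idx < table_size` test would catch, but only if that test is present on every path; checking the signed value once, in the parser, keeps the table writes in mark_encodings unconditionally in bounds.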

39. By Steve Langasek

No-change rebuild against fixed pkgbinarymangler, to get correct
multiarch-safe changelogs

38. By Steve Langasek

releasing version 2.4.4-1ubuntu1

37. By Steve Langasek

run update-maintainer

36. By Steve Langasek

install udeb libs to /usr/lib, not the multiarch path

35. By Steve Langasek

* FFe LP: #733501.
* Build for multiarch, using debhelper compat 9.
* Add Pre-Depends: ${misc:Pre-Depends} to pick up multiarch-support
  dependency.

34. By Steve Langasek

* Acknowledge security NMU - thanks, Moritz!
* New upstream release, closes: #606286, #600321
  - fixes PDF rendering issues. Closes: #612484, LP: #709229.
  - fixes a rendering issue with 'S' glyphs in certain fonts.
    LP: #654010.
  - drop patches for CVE-2010-3855 and CVE-2010-3814, applied upstream.
  - drop patch ft2demos-2.1.7-ftbench.patch; doesn't apply cleanly, the
    code has changed significantly, patch never forwarded upstream. If
    this is still an issue, someone will provide a fixed patch.
  - drop patch ft2demos-grkey.patch, fixed upstream.
* debian/patches-freetype/enable-gxvalid-otvalid.patch: enable the
  otvalid and gxvalid table validation modules. Thanks to Paul Wise
  <email address hidden>. Closes: #520879, LP: #239626.
* debian/libfreetype6.symbols: update the symbols file for the same.
* debian/rules et al.: convert to dh 7
* drop INSTALL.* from the libfreetype6-dev docs. Closes: #550971.
* move homepage out of debian/copyright and into debian/control.
* fix GPL link to point to GPL-2 explicitly.
* clean up long-obsolete conflicts/replaces.
* drop debian/README.quilt, redundant with debian/README.source.
* drop debian/README.Debian, which talks about the long-finished transition
  from freetype1.
* strip dependency_libs out of /usr/lib/libfreetype.la.
* bump standards-version to 3.9.1.

33. By Moritz Muehlenhoff <email address hidden>

* Non-maintainer upload by the Security Team.
* Fix CVE-2010-3855 and CVE-2010-3814 (Closes: #602221)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/oneiric/freetype