ubuntu/+source/freetype:ubuntu/precise-security

Last commit made on 2017-05-16
Get this branch:
git clone -b ubuntu/precise-security https://git.launchpad.net/ubuntu/+source/freetype
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/precise-security
Repository:
lp:ubuntu/+source/freetype

Recent commits

fdcc2da... by Emily Ratliff on 2017-05-16

Import patches-unapplied version 2.4.8-1ubuntu2.6 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: eec5959ac51ae5fb052df9cd20c2a67530cf88e8

New changelog entries:
  [ Marc Deslauriers ]
  * SECURITY UPDATE: out-of-bounds write in t1_decoder_parse_charstrings
    - debian/patches-freetype/CVE-2017-8105.patch: add a check to
      src/psaux/t1decode.c.
    - CVE-2017-8105
  * SECURITY UPDATE: out-of-bounds write in t1_builder_close_contour
    - debian/patches-freetype/CVE-2017-8287.patch: add a check to
      src/psaux/psobjs.c.
    - CVE-2017-8287

eec5959... by Steve Beattie on 2017-04-18

Import patches-unapplied version 2.4.8-1ubuntu2.5 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: e52e744ab7b362d9ea9c1f5afdd2d39c850515df

New changelog entries:
  * SECURITY UPDATE: heap based buffer overflow in cff_parser_run()
    - debian/patches-freetype/CVE-2016-10328.patch: add additional check
      to parser stack size in src/cff/cffparse.c
    - CVE-2016-10328

e52e744... by Marc Deslauriers on 2017-03-16

Import patches-unapplied version 2.4.8-1ubuntu2.4 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: df63c2a776668f375f29cda3185fbf4cfd3779c7

New changelog entries:
  * SECURITY UPDATE: DoS and possible code execution via missing glyph name
    - debian/patches/CVE-2016-10244.patch: add check to src/type1/t1load.c.
    - CVE-2016-10244

df63c2a... by Marc Deslauriers on 2015-09-10

Import patches-unapplied version 2.4.8-1ubuntu2.3 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 5992b6700bfc8f41f05221116c742e330c43b9d3

New changelog entries:
  * SECURITY UPDATE: uninitialized memory reads (LP: #1449225)
    - debian/patches-freetype/savannah-bug-41309.patch: fix use of
      uninitialized data in src/cid/cidload.c, src/psaux/psobjs.c,
      src/type1/t1load.c, src/type42/t42parse.c.
    - No CVE number
  * SECURITY UPDATE: denial of service via infinite loop in parse_encode
    (LP: #1492124)
    - debian/patches-freetype/savannah-bug-41590.patch: protect against
      invalid charcode in src/type1/t1load.c.
    - No CVE number

5992b67... by Marc Deslauriers on 2015-02-24

Import patches-unapplied version 2.4.8-1ubuntu2.2 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: fbecc9f25c9394d01145bcae749df774440e7d96

New changelog entries:
  * SECURITY UPDATE: denial of service and possible code execution via
    multiple security issues
    - debian/patches-freetype/CVE-2014-96xx/*.patch: backport a large
      quantity of upstream commits to fix multiple security issues.
    - CVE-2014-9656
    - CVE-2014-9657
    - CVE-2014-9658
    - CVE-2014-9660
    - CVE-2014-9661
    - CVE-2014-9663
    - CVE-2014-9664
    - CVE-2014-9666
    - CVE-2014-9667
    - CVE-2014-9669
    - CVE-2014-9670
    - CVE-2014-9671
    - CVE-2014-9672
    - CVE-2014-9673
    - CVE-2014-9674
    - CVE-2014-9675

fbecc9f... by Marc Deslauriers on 2013-01-11

Import patches-unapplied version 2.4.8-1ubuntu2.1 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 2aaf939c680c29166a7d35e28184a2f3b8a113f8

New changelog entries:
  * SECURITY UPDATE: denial of service and possible code execution via NULL
    pointer dereference
    - debian/patches-freetype/CVE-2012-5668.patch: reset props_size in case
      of allocation error in src/bdf/bdflib.c.
    - CVE-2012-5668
  * SECURITY UPDATE: denial of service and possible code execution via heap
    buffer over-read in BDF parsing
    - debian/patches-freetype/CVE-2012-5669.patch: use correct array size
      in src/bdf/bdflib.c.
    - CVE-2012-5669

2aaf939... by Sebastien Bacher on 2012-04-03

Import patches-unapplied version 2.4.8-1ubuntu2 to ubuntu/precise

Imported using git-ubuntu import.

Changelog parent: 59ba6365cb81c2a6a2a6fda3397637f5dea783d7

New changelog entries:
  * debian/patches-freetype/revert_scalable_fonts_metric.patch:
    - revert commit "Fix metrics on size request for scalable fonts.",
      it's breaking gtk underlining markups and creating some other
      issues as well (lp: #972223)

59ba636... by Tyler Hicks on 2012-03-23

Import patches-unapplied version 2.4.8-1ubuntu1 to ubuntu/precise

Imported using git-ubuntu import.

Changelog parent: cf2752aeaa90e51c3cfc5e78116fed80b7cecd15

New changelog entries:
  * SECURITY UPDATE: Denial of service via crafted BDF font (LP: #963283)
    - debian/patches-freetype/CVE-2012-1126.patch: Perform better input
      sanitization when parsing properties. Based on upstream patch.
    - CVE-2012-1126
  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1127.patch: Perform better input
      sanitization when parsing glyphs. Based on upstream patch.
    - CVE-2012-1127
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1128.patch: Improve loop logic to avoid
      NULL pointer dereference. Based on upstream patch.
    - CVE-2012-1128
  * SECURITY UPDATE: Denial of service via crafted Type42 font
    - debian/patches-freetype/CVE-2012-1129.patch: Perform better input
      sanitization when parsing SFNT strings. Based on upstream patch.
    - CVE-2012-1129
  * SECURITY UPDATE: Denial of service via crafted PCF font
    - debian/patches-freetype/CVE-2012-1130.patch: Allocate enough memory to
      properly NULL-terminate parsed properties strings. Based on upstream
      patch.
    - CVE-2012-1130
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1131.patch: Use appropriate data type to
      prevent integer truncation on 64 bit systems when rendering fonts. Based
      on upstream patch.
    - CVE-2012-1131
  * SECURITY UPDATE: Denial of service via crafted Type1 font
    - debian/patches-freetype/CVE-2012-1132.patch: Ensure strings are of
      appropriate length when loading Type1 fonts. Based on upstream patch.
    - CVE-2012-1132
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted BDF font
    - debian/patches-freetype/CVE-2012-1133.patch: Limit range of negative
      glyph encoding values to prevent invalid array indexes. Based on
      upstream patch.
    - CVE-2012-1133
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted Type1 font
    - debian/patches-freetype/CVE-2012-1134.patch: Enforce a minimum Type1
      private dictionary size to prevent writing past array bounds. Based on
      upstream patch.
    - CVE-2012-1134
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1135.patch: Perform proper bounds
      checks when interpreting TrueType bytecode. Based on upstream patch.
    - CVE-2012-1135
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted BDF font
    - debian/patches-freetype/CVE-2012-1136.patch: Ensure encoding field is
      defined when parsing glyphs. Based on upstream patch.
    - CVE-2012-1136
  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1137.patch: Allocate sufficient number
      of array elements to prevent reading past array bounds. Based on
      upstream patch.
    - CVE-2012-1137
  * SECURITY UPDATE: Denial of service via crafted TrueType font
    - debian/patches-freetype/CVE-2012-1138.patch: Correct typo resulting in
      invalid read from wrong memory location. Based on upstream patch.
    - CVE-2012-1138
  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1139.patch: Check array index values to
      prevent reading invalid memory. Based on upstream patch.
    - CVE-2012-1139
  * SECURITY UPDATE: Denial of service via crafted PostScript font
    - debian/patches-freetype/CVE-2012-1140.patch: Fix off-by-one error in
      boundary checks. Based on upstream patch.
    - CVE-2012-1140
  * SECURITY UPDATE: Denial of service via crafted BDF font
    - debian/patches-freetype/CVE-2012-1141.patch: Initialize field elements
      to prevent invalid read. Based on upstream patch.
    - CVE-2012-1141
  * SECURITY UPDATE: Denial of service via crafted Windows FNT/FON font
    - debian/patches-freetype/CVE-2012-1142.patch: Perform input sanitization
      on first and last character code fields. Based on upstream patch.
    - CVE-2012-1142
  * SECURITY UPDATE: Denial of service via crafted font
    - debian/patches-freetype/CVE-2012-1143.patch: Protect against divide by
      zero when dealing with 32 bit types. Based on upstream patch.
    - CVE-2012-1143
  * SECURITY UPDATE: Denial of service and arbitrary code execution via
    crafted TrueType font
    - debian/patches-freetype/CVE-2012-1144.patch: Perform input sanitization
      on the first glyph outline point value. Based on upstream patch.
    - CVE-2012-1144

cf2752a... by Steve Langasek on 2011-11-17

Import patches-unapplied version 2.4.8-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 16af3756ccc952f561e5ba84db7e385fc0b029e5

New changelog entries:
  * New upstream release
    - upstream fix for CVE-2011-3439. Closes: #649122.
    - adjust libfreetype6.symbols for a newly-exported function.

16af375... by Steve Langasek on 2011-10-24

Import patches-unapplied version 2.4.7-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7341640ead6373904b2d60431d763fc2ba08afd6

New changelog entries:
  * Use dpkg-buildflags through debhelper.
  * Don't set -Werror in CFLAGS on alpha or m68k, to work around a compiler
    bug. Closes: #646334.