Change logs for freetype source package in Sid

  • freetype (2.13.2+dfsg-1) unstable; urgency=medium
    
      * New upstream version 2.13.2:
        + Better support for CFF2 variation fonts.
        + TrueType interpreter version 38 has been removed.
      * debian/patches: Drop ftlint.patch and ftmulti.patch (applied upstream).
    
     -- Hugh McMaster <email address hidden>  Mon, 28 Aug 2023 21:12:08 +1000
  • freetype (2.13.1+dfsg-1) unstable; urgency=medium
    
      * New upstream version 2.13.1:
        + TrueType interpreter version 38 has been deactivated.
        + Updates to the 'ftbench', 'ftview' and 'ftmulti' demo programs.
      * debian/control: Drop transitional package libfreetype6-dev
        (Closes: #1038235).
      * debian/copyright: Update for FreeType 2.13.1.
      * debian/patches:
        + Refresh ftoption.patch.
        + ftlint.patch: Instruct man(1) to run the `tbl` preprocessor.
        + ftmulti.patch: Fix spelling and comments in src/ftmulti.c.
      * libfreetype6: Update symbols file.
      * debian/rules: Exclude sitemap.xml.gz during dh_installdocs-indep.
    
     -- Hugh McMaster <email address hidden>  Thu, 17 Aug 2023 21:53:14 +1000
  • freetype (2.13.0+dfsg-1) unstable; urgency=medium
    
      * New upstream version 2.13.0:
        + The 'COLR' v1 API is now considered stable.
        + TrueType interpreter version 38 (also known as 'Infinality') has been
          deprecated and will be removed in the next upstream version.
        + TrueType interpreter version 40 remains the default.
        + Various updates to the demo programs.
      * debian/control:
        + Update Maintainer email address.
        + {Build-}Depend on libbz2-dev.
      * debian/copyright: Update for FreeType 2.13.0 and 2023.
      * debian/patches:
        + Drop CVE-*, fix-wild-free-svg and hardening patches.
        + Refresh hide-donations-information.patch.
        + Rename enable-subpixel-rendering.patch to ftoption.patch.
        + Enable long PCF font family names in ftoption.h.
      * debian/rules: Update configure flags for main and udeb builds.
      * freetype2-doc: Update Lintian overrides.
      * libfreetype6: Update symbols file.
    
     -- Hugh McMaster <email address hidden>  Thu, 13 Jul 2023 21:39:06 +1000
  • freetype (2.12.1+dfsg-5+deb12u2) bookworm; urgency=high
    
      * debian/patches: Temporarily revert disable_COLRv1.patch to allow
        Chromium to start (Closes: #1053142).
    
     -- Hugh McMaster <email address hidden>  Fri, 29 Sep 2023 22:27:32 +1000
  • freetype (2.12.1+dfsg-5) unstable; urgency=medium
    
      * debian/patches: Add a patch to fix CVE-2023-2004 (Closes: #1034612).
        - Integer overflow in tt_hvadvance_adjust().
    
     -- Hugh McMaster <email address hidden>  Thu, 20 Apr 2023 21:08:03 +1000
  • freetype (2.12.1+dfsg-4) unstable; urgency=medium
    
      [ Debian Janitor ]
      * Update Lintian override info format in freetype2-demos.lintian-overrides.
      * Re-export upstream signing key without extra signatures.
      * Raise Standards-Version to 4.6.2 (no changes needed).
    
      [ Hugh McMaster ]
      * debian/control: Update Homepage URL.
      * debian/control, debian/rules:
        + Add the 'pkg.freetype.nodemos' build profile (Closes: #1011049).
        + Support the 'noudeb' build profile (Closes: #1024949).
        + Drop support for the deprecated 'stage1' build profile.
      * debian/copyright:
        + Update Source URL.
        + Update 'debian' copyright block for 2023.
      * debian/rules: Remove un-needed dh_install exclusion from the override.
      * debian/upstream/metadata: Add upstream repositories and update values.
      * freetype2-demos: Update typo-in-manual-page Lintian override.
      * lintian-overrides: Drop source-contains-prebuilt-javascript-object.
      * freetype2-demos: Install binaries and man pages via upstream Makefile.
    
     -- Hugh McMaster <email address hidden>  Thu, 12 Jan 2023 23:05:22 +1100
  • freetype (2.12.1+dfsg-3) unstable; urgency=medium
    
      * debian/control: Raise Standards-Version to 4.6.1 (no changes needed).
      * debian/patches:
        - ftbench: Exit if the number of glyphs is zero (CVE-2022-31782).
        - Fix a wild free in certain OT-SVG fonts (Closes: #1013094).
          Thanks to Ben Wagner for providing a patch.
        - Harden the demos by appending CPPFLAGS to CFLAGS.
    
     -- Hugh McMaster <email address hidden>  Sun, 19 Jun 2022 21:55:46 +1000
  • freetype (2.12.1+dfsg-2) unstable; urgency=medium
    
      * Revert "debian/control: Build-Depend on librsvg2-dev".
        - Avoid breaking cross-architecture bootstrap.
    
     -- Hugh McMaster <email address hidden>  Mon, 16 May 2022 21:58:31 +1000
  • freetype (2.12.1+dfsg-1) unstable; urgency=medium
    
      * New upstream version: Support for OpenType SVG fonts in the demo programs.
      * debian/copyright: Update for FreeType 2.12.1.
      * debian/patches: Drop cff-segfault, integer-overflow, reset-iup-flags,
        sdf-invisible-glyphs and set-ft-face-flag-color patches.
      * debian/control: Build-Depend on librsvg2-dev.
      * debian/rules: Build the udeb package without librsvg.
      * Update upstream's GPG public signing key.
    
     -- Hugh McMaster <email address hidden>  Fri, 13 May 2022 19:46:58 +1000
  • freetype (2.12.0+dfsg-1) unstable; urgency=medium
    
      * New upstream version:
        - Support for OpenType SVG fonts. By default, FreeType will only load
          the 'SVG' table of an OpenType font. Please note: OT-SVG support will
          be enabled in Debian when FreeType 2.12.1 is released.
        - Improved handling of fonts with an 'sbix' table.
      * Update upstream's GPG signing key.
      * debian/control: freetype-doc no longer Depends on libjs-jquery.
      * debian/copyright: Update for FreeType 2.12.0.
      * debian/patches:
        - Drop CVE-2022-27404, CVE-2022-27405, CVE-2022-27406 and jquery patches.
        - Refresh enable-gxvalid-otvalid and hide-donations-information patches.
        - Cherry-pick upstream patches:
          + Set FT_FACE_FLAG_COLOR
          + Properly handle invisible glyphs
          + Fix rendering of certain glyphs
          + Prevent an integer overflow
          + Fix a segfault when size is NULL.
      * Update a comment in the Lintian source-overrides file.
    
     -- Hugh McMaster <email address hidden>  Sun, 08 May 2022 19:03:37 +1000
  • freetype (2.11.1+dfsg-2) unstable; urgency=high
    
      * Add upstream patches to fix multiple vulnerabilities. Closes: #1010183.
        - CVE-2022-27404: heap buffer overflow via invalid integer decrement in
          sfnt_init_face() and woff2_open_font().
        - CVE-2022-27405: segmentation violation via ft_open_face_internal() when
          attempting to read the value of FT_LONG face_index.
        - CVE-2022-27406: segmentation violation via FT_Request_Size() when
          attempting to read the value of an unguarded face size handle.
      * debian/copyright: Update debian/* section for 2022.
    
     -- Hugh McMaster <email address hidden>  Tue, 26 Apr 2022 23:16:58 +1000
  • freetype (2.11.1+dfsg-1) unstable; urgency=medium
    
      * New upstream version:
        - Experimental COLR v1 API updated to OpenType standard 1.9.
        - Some fields in the 'CID_FaceDictRec', 'CID_FaceInfoRec' and 'FT_Data'
          structures have been changed from signed to unsigned types.
        - Removal of legacy blitter from graph-based demos.
      * freetype2-doc:
        - Remove links file. The tutorial documentation no longer uses jQuery.
        - Don't install the CMAKE file.
      * libfreetype6: Update symbols file for FreeType 2.11.1.
      * Remove all files in debian/missing-sources (no longer needed).
      * debian/control:
        - libfreetype-dev now Provides libfreetype6-dev (Closes: #1002049).
          Thanks to Jochen Sprickerhof for supplying a patch.
        - No longer Build-Depend on libjs-jquery.
      * debian/copyright: Update for FreeType 2.11.1.
      * debian/patches:
        - Drop autogen-no-git.patch (applied upstream).
        - Drop ft2demos-no-rpath.patch and fix-js-doc-paths.patch.
          Neither patch is needed due to upstream changes.
        - Add a patch to remove remaining jQuery script tags.
        - use-donation-button.patch: Use a button instead of an image for
          donations. Thanks to Paul Wise for the patch. (Closes: #998065).
      * debian/rules:
        - Update files excluded during the dh_installdocs-indep override.
        - Trim relative folder paths in the tutorial documentation.
        - Drop string substitution of the #defined value of SIZEOF_LONG.
          This is no longer needed due to upstream changes.
      * debian/upstream/metadata: Update for FreeType 2.11.1.
    
     -- Hugh McMaster <email address hidden>  Wed, 29 Dec 2021 10:22:50 +1100
  • freetype (2.11.0+dfsg-1) unstable; urgency=medium
    
      * New upstream version:
        - Support for creating 8-bit Signed Distance Field (SDF) bitmaps for both
          outline and bitmap glyphs via a new rendering module.
        - Access to surfacing properties of 'COLR' v1 color fonts via a new
          experimental API.
        - Further demotion of the legacy Type 1 and CFF engines due to a lack of
          support for CFF2 charstrings.
        - Correct handling of PCF bitmap fonts compressed with LZW.
        - Enhancements to various demo programs.
      * Subpixel rendering re-enabled for release builds.
      * debian/control:
        - Raise Standards-Version to 4.6.0 from 4.5.1 (no changes needed).
        - Replace fonts-material-design-icons-iconfont with fonts-dejavu-core.
      * debian/copyright: Update for FreeType 2.11.0.
      * debian/gbp.conf: Use DEP-14 branch naming.
      * debian/libfreetype6.symbols: Update for FreeType 2.11.0.
      * debian/patches:
        - autogen-no-git.patch: Only use git commands if building from a branch.
        - Drop remove-gstatic-code.patch (replaced by sed commands in d/rules).
        - Update and refresh other patches.
      * debian/rules:
        - Include /usr/share/dpkg/architecture.mk.
        - Update file exclusions in dh_installdocs-indep.
        - Remove specific lines from the HTML reference documentation to prevent
          Lintian privacy-* warnings.
      * debian/source/lintian-overrides: Silence errors about long lines in the
          HTML documentation.
      * freetype2-demos: Add wildcard line context to the typo-in-manual-page tag.
      * Remove legacy maintscripts (freetype2-demos, libfreetype6-dev).
    
     -- Hugh McMaster <email address hidden>  Thu, 14 Oct 2021 22:06:22 +1100
  • freetype (2.10.4+dfsg-1+deb11u1) bullseye; urgency=medium
    
      * Add upstream patches to fix multiple vulnerabilities. Closes: #1010183.
        - CVE-2022-27404: heap buffer overflow via invalid integer decrement in
          sfnt_init_face() and woff2_open_font().
        - CVE-2022-27405: segmentation violation via ft_open_face_internal() when
          attempting to read the value of FT_LONG face_index.
        - CVE-2022-27406: segmentation violation via FT_Request_Size() when
          attempting to read the value of an unguarded face size handle.
    
     -- Hugh McMaster <email address hidden>  Thu, 28 Apr 2022 19:54:23 +1000
  • freetype (2.10.4+dfsg-1) unstable; urgency=medium
    
      * New upstream version:
        - Fix for CVE-2020-15999 (heap buffer overflow) now included.
        - New flag `FT_OUTLINE_OVERLAP' available to make the smooth rasterizer do
          4x4 oversampling to mitigate artifacts in pixels partially covered by
          overlapping contours. This at least quadruples the rendering time.
          FreeType automatically uses this rendering mode if a glyph in a TrueType
          font has the `OVERLAP_SIMPLE' or `OVERLAP_COMPOUND' bit set.
        - Including FreeType header files via FT_*_H macros is no longer required.
          Downstream packages are encouraged to include the FreeType headers via
          standard paths, e.g. #include <freetype/freetype.h>.
        - Support for building with Meson.
        - Fixes for various memory leaks, primarily in the CFF driver module.
        - Jam support has been removed.
        - Many improvements to demo programs.
        - The obsolete `HAVE_STDINT_H' probing macro has been removed.
        - Public macro definitions required by the FreeType API have been moved to
          include/freetype/config/public-macros.h.
        - Private macro definitions used by the FreeType API have been moved to
          include/freetype/config/compiler-macros.h.
        - New common header for integer data types added.
      * debian/control:
        - Build-Depend on zlib1g-dev | libz-dev.
        - Raise Standards-Version from 4.5.0 to 4.5.1 (no changes needed).
      * debian/copyright:
        - Update for FreeType 2.10.4.
        - Remove redundant globbing patterns.
      * debian/patches:
        - Drop cve-2020-15999.patch (fix included in FreeType 2.10.4).
        - Refresh enable-subpixel-rendering.patch.
        - Refresh hide-donations-information.patch.
      * debian/rules: Remove debian/udeb directory before building.
      * debian/tests/libfreetype-dev: Replace the FT_FREETYPE_H macro with a
        standard header inclusion.
    
     -- Hugh McMaster <email address hidden>  Sat, 05 Dec 2020 19:20:58 +1100
  • freetype (2.10.2+dfsg-4) unstable; urgency=high
    
      * debian/patches: Add upstream patch for CVE-2020-15999 (Closes: #972586).
        - Prevent heap buffer overflow when handling embedded PNG bitmaps
          in malformed TrueType font files.
    
     -- Hugh McMaster <email address hidden>  Wed, 21 Oct 2020 09:39:47 +1100
  • freetype (2.10.2+dfsg-3) unstable; urgency=medium
    
      [ Simon McVittie ]
      * d/tests: Add a superficial compile/link/run autopkgtest (Closes: #964246).
    
      [ Hugh McMaster ]
      * debian/rules:
        - Update a comment.
        - Fix whitespace formatting.
        - Override dh_auto_clean to clean up ft2demos.
        - Override dh_auto_clean to remove objs/.libs/libfreetype.ver.
        - Run a separate build sequence for libfreetype6-udeb, which should not
          depend on libbrotli1 (Closes: #964774).
      * Minor stylistic changes to d/tests/libfreetype-dev.
        - Thanks to Simon McVittie for writing the autopkgtest.
    
     -- Hugh McMaster <email address hidden>  Wed, 15 Jul 2020 22:10:01 +1000
  • freetype (2.10.2+dfsg-2) unstable; urgency=medium
    
      * debian/control: Add libbrotli-dev as a dependency of libfreetype-dev
        (Closes: #964185).
    
     -- Hugh McMaster <email address hidden>  Fri, 03 Jul 2020 22:40:45 +1000
  • freetype (2.10.2+dfsg-1) unstable; urgency=medium
    
      * New upstream version:
        - Support for WOFF2 fonts.
        - Type 1 fonts with non-integer metrics are now supported by the new
          (CFF) engine introduced in FreeType 2.9.
        - Auto-hinter support for Hanifi Rohingya.
      * Repack to remove non-DFSG-compatible minified JavaScript files from the
        main upstream tarball.
      * debian/control:
        - Raise Standards-Version to 4.5.0 from 4.4.1.
        - Sort Build-Depends list.
        - Use debhelper-compat version 13.
        - Build-Depend on libbrotli-dev to support WOFF2 fonts.
        - Sort the libfreetype-dev Depends field.
        - Recommend fonts-material-design-icons-iconfont with freetype2-doc.
      * debian/copyright:
        - Update for FreeType 2.10.2.
        - Add Files-Excluded field.
        - Remove copyright information for Excluded files.
      * debian/gbp.conf:
        - Always use pristine-tar.
        - Add component option for import-orig and export-orig.
      * Add debian/not-installed.
      * debian/patches:
        - Drop scale-phantom-points.patch and verbose-libtool.patch.
        - remove-gstatic-code.patch: Update file paths and patch content.
        - fix-js-doc-paths.patch: Add missing HTML files.
        - hide-donations-information.patch: Refresh patch.
        - Update patch order in the series file.
      * debian/rules:
        - Remove the dh_auto_install override.
        - Stop moving the HTML documentation (problem fixed upstream).
        - Force installation of correct ChangeLog for freetype2-demos.
        - Install the HTML documentation in libfreetype-dev but package the files
          in freetype2-doc (as preferred by Debian Policy section 12.3).
        - Install the CHANGES and PCF README files in libfreetype-dev.
        - Do not install docs/reference/assets/images. These files are not used.
        - Drop the reference/README installation exclusion in freetype2-docs.
      * debian/watch:
        - Download xz-compressed tarballs (Closes: #952973).
        - Update the filenamemangle used with the ft2docs tarball component.
        - Don't call uupdate.
        - Repack the main upstream source tarball to comply with the DFSG.
      * freetype2-demos:
        - Update manpage source path.
        - Use renamed lintian tag.
      * freetype2-doc:
        - Update doc-base registration paths.
        - Install jQuery symlink in libfreetype-dev.
        - Update paths in lintian overrides.
    
     -- Hugh McMaster <email address hidden>  Thu, 02 Jul 2020 22:00:01 +1000
  • freetype (2.10.1-2) unstable; urgency=medium
    
      * Release to unstable.
      * debian/control:
        - Raise Standards-Version to 4.4.1 from 4.4.0 (no changes needed).
        - Add Rules-Requires-Root: no.
      * debian/rules:
        - Move the FreeType API Reference location to docs/reference to revert an
          incorrect upstream change introduced in FreeType 2.10.
        - Update dh_installdocs-indep path exclusion to account for the change to
          the API Reference path.
      * debian/patches:
        - Drop fix-api-reference-hyperlink.patch.
        - Add a patch to fix broken JavaScript paths in the documentation.
      * freetype2-doc:
        - Update the API Reference path in the doc-base file.
        - Update Lintian overrides.
    
     -- Hugh McMaster <email address hidden>  Mon, 07 Oct 2019 23:42:48 +1100
  • freetype (2.9.1-4) unstable; urgency=medium
    
      * debian/compat: Remove legacy file.
      * debian/control:
        - Build-Depend on debhelper-compat (version 12).
        - Raise Standards-Version to 4.4.0 (no changes needed).
        - Demote Recommends: freetype2-doc to Suggests (Closes: #919284).
      * debian/patches:
        - Add an upstream patch to properly handle phantom points for variable
          hinted fonts (Closes: #93203).
    
     -- Hugh McMaster <email address hidden>  Wed, 24 Jul 2019 19:59:39 +1000
  • freetype (2.9.1-3+deb10u2) buster-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Fix heap buffer overflow (CVE-2020-15999) (Closes: #972586)
    
     -- Salvatore Bonaccorso <email address hidden>  Tue, 20 Oct 2020 21:15:41 +0200
  • freetype (2.9.1-3+deb10u1) buster; urgency=medium
    
      * debian/control:
        - Demote Recommends: freetype2-doc to Suggests (Closes: #919284).
      * debian/patches:
        - Add an upstream patch to properly handle phantom points for variable
          hinted fonts (Closes: #932303).
    
     -- Hugh McMaster <email address hidden>  Sat, 27 Jul 2019 23:19:28 +1000
  • freetype (2.9.1-3) unstable; urgency=medium
    
      * Release to unstable.
      * libfreetype6-dev: No longer install freetype2.m4, as its functionality has
        been superseded by pkg-config.
      * libfreetype6.symbols: Specify libfreetype6-dev in the Build-Depends-Package
        meta-information field.
    
     -- Hugh McMaster <email address hidden>  Thu, 22 Nov 2018 21:15:00 +1100
  • freetype (2.8.1-2) unstable; urgency=high
    
      * debian/rules: fix SIZEOF_LONG mangling to avoid over-broad matching.
        Closes: #887087.
    
     -- Steve Langasek <email address hidden>  Tue, 13 Feb 2018 07:49:55 +0000
  • freetype (2.8.1-1) unstable; urgency=medium
    
      * Acknowledge NMUs; thanks to Laurent for the uploads.
        Closes: #857439, #863623.
      * debian/control:
        - Add pkg-config to the Build-Depends list (Closes: #885324).
        - Mark libfreetype6-dev Multi-Arch: same (Closes: #642354).
        - Remove the deprecated Priority: extra field from libfreetype6-udeb.
      * debian/patches/patches-*: Refresh existing patches.
      * debian/patches/patches-freetype/freetype-config-multi-arch.patch:
        - Remove the arch-dependent output of `freetype-config --libs`.
          Closes: #871470, #870618.
        - Exit with an error if freetype-config is called with --libtool.
      * debian/rules:
        - Include /usr/share/dpkg/architecture.mk.
        - Dynamically generate the shlibs dependency version (Closes: #883698).
        - Replace the autoconf definition of SIZEOF_LONG with the compile-time
          constant __SIZEOF_LONG__ to make libfreetype6-dev multi-arch compatible.
      * Thanks to Hugh McMaster <email address hidden> for preparing these
        changes.
    
     -- Steve Langasek <email address hidden>  Fri, 05 Jan 2018 00:42:36 +0000
  • freetype (2.8.1-0.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * New upstream release (Closes: #876132)
        - Refresh debian/patches-ft2demos/compiler_hardening_fixes.patch,
          partially fixed upstream
        - debian/libfreetype6.symbols: Add newly exported symbol
    
     -- Laurent Bigonville <email address hidden>  Mon, 18 Sep 2017 22:42:21 +0200
  • freetype (2.8-0.2) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Upload to unstable
      * Bump Standards-Version to 4.0.0 (no further changes)
    
     -- Laurent Bigonville <email address hidden>  Tue, 27 Jun 2017 19:41:24 +0200
  • freetype (2.6.3-3.2) unstable; urgency=high
    
      * Non-maintainer upload.
      * Better protect `flex' handling (CVE-2017-8105) (Closes: #861220)
      * t1_builder_close_contour: Add safety guard (CVE-2017-8287)
        (Closes: #861308)
    
     -- Salvatore Bonaccorso <email address hidden>  Thu, 27 Apr 2017 20:57:40 +0200
  • freetype (2.6.3-3.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * CVE-2016-10244: Heap-buffer-overflow
        src/type1/t1load.c (parse_charstrings): Reject fonts that don't contain
        glyph names. (Closes: #856971)
    
     -- Salvatore Bonaccorso <email address hidden>  Thu, 30 Mar 2017 19:16:33 +0200
  • freetype (2.6.3-3) unstable; urgency=medium
    
      * Install the now-available-upstream manpages for freetype-demos.
        Closes: #131137.
      * Register all of the HTML documentation with doc-base.  Closes: #451660.
      * Suppress lintian warning about symbols file declaring dependency on
        other package, which is entirely by design.
    
     -- Steve Langasek <email address hidden>  Tue, 01 Mar 2016 06:43:44 +0000
  • freetype (2.6.1-0.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * New upstream release (Closes: #804050)
    
     -- Matteo F. Vescovi <email address hidden>  Tue, 10 Nov 2015 21:32:25 +0100
  • freetype (2.6-2) unstable; urgency=medium
    
      * Adjust symbols references for private symbols to sort to a higher (fake)
        version number instead of a lower, so that when linking against
        libfreetype without using its symbols, we don't get a wrong dependency on
        libfreetype6 (>= 1.PRIVATE.1).  Closes: #799445.  
      * Pass --without-harfbuzz in debian/rules, to avoid opportunistically
        picking this up as a dependency if libharfbuzz-dev is installed.
    
     -- Steve Langasek <email address hidden>  Sat, 19 Sep 2015 19:17:07 +0000
  • freetype (2.6-1) unstable; urgency=medium
    
      * New upstream release.  Closes: #793751.
        * Includes a fix for a spurious error in FT_Get_SubGlyph_Info.
          Closes: #778493.
        * Includes a fix for an infinite loop in T1 font loading.
          Closes: #798620.
        * Includes a fix for an uninitialized memory bug in font parsers.
          Closes: #798619.
        * Includes fix for an out-of-bounds rate in the Adobe CFF implementation
          (which was not previously enabled in the package build).
          Closes: #773084.
        * Includes a fix for a crasher in xdvi.  Closes: #733894.
        * Fixes support for compressed pcf fonts.  Closes: #780340.
        * Drop various cherrypicked upstream patches from the package.
        * Ship upstream freetype-config manpage in place of our own.
          Closes LP: #1390767.
      * Update symbols file.  Includes dropping various private symbols that
        don't appear to have ever been part of the API.
      * Fix exclusion of redundant license file (txt -> TXT)
      * Re-enable the CFF driver, now that most related fonts have been fixed.
        Closes: #795653.
      * Enable stage1 build without X library dependencies for bootstrapping.
        Closes: #752270, #752271.
    
     -- Steve Langasek <email address hidden>  Sat, 12 Sep 2015 07:29:07 +0000
  • freetype (2.5.2-4) unstable; urgency=medium
    
    
      * Fix Savannah bug #43774. Closes #780143.
      * Release 2.5.2-4
    
     -- Keith Packard <email address hidden>  Sun, 15 Mar 2015 22:46:29 -0700
  • freetype (2.5.2-3+deb8u1) jessie-security; urgency=high
    
      * Non-maintainer upload.
      * CVE-2014-9745: Fix Savannah bug #41590. Protect against invalid number in
        t1load.c parse_encoding().
      * CVE-2014-9746, CVE-2014-9747: Fix Savannah bug #41309. Correct use of
        uninitialized data in t1load.c, cidload.c, t42parse.c and psobjs.c.
    
     -- Santiago Ruano Rincón <email address hidden>  Mon, 05 Oct 2015 11:35:21 +0200
  • freetype (2.5.2-3) unstable; urgency=medium
    
    
      * Fix Savannah bug #43535. CVE-2014-9675
      * [bdf] Fix Savannah bug #41692. CVE-2014-9675-fixup-1
      * src/base/ftobjs.c (Mac_Read_POST_Resource): Additional overflow check
        in the summation of POST fragment lengths. CVE-2014-0674-part-2
      * src/base/ftobjs.c (Mac_Read_POST_Resource): Insert comments and fold
        too long tracing messages. CVE-2014-9674-fixup-2
      * src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long variables
        to read the lengths in POST fragments. CVE-2014-9674-fixup-1
      * Fix Savannah bug #43538. CVE-2014-9674-part-1
      * Fix Savannah bug #43539. CVE-2014-9673
      * src/base/ftobjs.c (Mac_Read_POST_Resource): Avoid memory leak by
        a broken POST table in resource-fork. CVE-2014-9673-fixup
      * Fix Savannah bug #43540. CVE-2014-9672
      * Fix Savannah bug #43547. CVE-2014-9671
      * Fix Savannah bug #43548. CVE-2014-9670
      * [sfnt] Fix Savannah bug #43588. CVE-2014-9669
      * [sfnt] Fix Savannah bug #43589. CVE-2014-9668
      * [sfnt] Fix Savannah bug #43590. CVE-2014-9667
      * [sfnt] Fix Savannah bug #43591. CVE-2014-9666
      * Change some fields in `FT_Bitmap' to unsigned type. CVE-2014-9665
      * Fix uninitialized variable warning. CVE-2014-9665-fixup-2
      * Make `FT_Bitmap_Convert' correctly handle negative `pitch' values.
        CVE-2014-9665-fixup
      * [type1, type42] Fix Savannah bug #43655. CVE-2014-9664
      * [sfnt] Fix Savannah bug #43656. CVE-2014-9663
      * [cff] Fix Savannah bug #43658. CVE-2014-9662
      * [type42] Allow only embedded TrueType fonts. CVE-2014-9661
      * [bdf] Fix Savannah bug #43660. CVE-2014-9660
      * [cff] Fix Savannah bug #43661. CVE-2014-9659
      * [sfnt] Fix Savannah bug #43672. CVE-2014-9658
      * [truetype] Fix Savannah bug #43679. CVE-2014-9657
      * [sfnt] Fix Savannah bug #43680. CVE-2014-9656
      * All CVEs patched. Closes: #777656.
    
     -- Keith Packard <email address hidden>  Mon, 23 Feb 2015 22:04:36 -0800
  • freetype (2.5.2-2) unstable; urgency=medium
    
    
      * Acknowledge security NMU; thanks to Michael Gilbert.
      * Standards-Version 3.9.6.
      * Bump debhelper build-dependency to 9.
      * debian/patches/enable-old-cff.patch: disable the new CFF hinter from
        Adobe, working around wrong hinting with some toolkits on Linux.  Thanks
        to Samat K Jain <email address hidden> for preparing the patch.
        Closes: #730742.
      * debian/patches-freetype/0001-Fix-Savannah-bug-40997.patch: Cherry-pick
        upstream patch to fix a double free.  Closes: #747002, LP: #1310728.
      * debian/patches-freetype/0002-Fix-Savannah-bug-42418.patch: Cherry-pick
        upstream patch to fix cjk font rendering issue.  LP: #1310017.
      * debian/patches-freetype/verbose-libtool.patch: don't let libtool
        suppress compiler output.
      * debian/patches-freetype/no-uninitialized-bbox.patch: ensure that our
        variable is reliably initialized before use, fixing a build failure on
        ppc64el when building with -O3.
    
     -- Steve Langasek <email address hidden>  Fri, 19 Sep 2014 06:27:10 +0000
  • freetype (2.5.2-1.1) unstable; urgency=high
    
    
      * Non-maintainer upload by the Security Team.
      * Fix two security issues in the CFF rasterizer (closes: #741299)
        - CVE-2014-2240: out-of-bounds read/write in cf2hints.c.
        - CVE-2014-2241: denial-of-service in cf2ft.c.
    
     -- Michael Gilbert <email address hidden>  Mon, 28 Jul 2014 02:56:08 +0000
  • freetype (2.5.2-1) unstable; urgency=low
    
    
      * New upstream release
        - fixes a crasher bug with certain fonts.  Closes: #733052.
        - drop of additional symbols which were previously exported but are only
          meant for debugging and upstream recommends not enabling them when
          building in "release mode".  If this impacts users of freetype, we can
          re-enable these symbols later.
      * Call autogen.sh on build to refresh autotools; not using dh-autoreconf
        because the upstream directory structure is non-standard and it's a
        throw-away dir, so there's no advantage to dh-autoreconf's rollback
        support.
      * Fix symbols file with respect to more complete version info found in
        Ubuntu.
      * Drop debian/patches-ft2demos/compiler-warning-fixes.patch, which is
        actually a bug in the compiler_hardening_fixes.patch; fix it there
        instead.
      * Fix libpng detection when cross-building.
    
     -- Steve Langasek <email address hidden>  Wed, 25 Dec 2013 09:06:22 +0000
  • freetype (2.5.1-2) unstable; urgency=low
    
    
      * Drop unnecessary GPLv2.txt from libfreetype6-dev.
      * Add missing dependency on libpng-dev to libfreetype6-dev.
        Closes: #732062.
    
     -- Steve Langasek <email address hidden>  Tue, 17 Dec 2013 20:04:17 -0800
  • freetype (2.5.1-1) unstable; urgency=low
    
    
      * New upstream release.  Closes: #717952, #729231.
        - Add build-dependency on libpng-dev.
        - Dropped patches, included upstream: savannah-bug-35847.patch,
          savannah-bug-35833.patch, savannah-bug-37905.patch,
          savannah-bug-37906.patch, savannah-bug-37907.patch
        - Internal symbols have been dropped in this version.  No soname change
          because the symbols are not supposed to be used, but past experience
          suggests that this may break some third-party software anyway.
      * compiler_hardening_fixes.patch: fix wrong snprintf() calls in ttdebug.c
        that cause an overflow 100% of the time.
      * debian/patches-ft2demos/compiler-warning-fixes.patch: Fix a wrong
        cast that triggers a compiler warning.
      * debian/patches-ft2demos/revert-wrong-extern.patch: revert wrong
        upstream commit that causes a build failure.
    
     -- Steve Langasek <email address hidden>  Thu, 28 Nov 2013 07:05:47 +0000
  • freetype (2.4.9-1.1) unstable; urgency=high
    
    
      * Non-maintainer upload.
        Upload ACKed by Steve Langasek <email address hidden> on #debian-devel.
      * Add savannah-bug-37905.patch patch
        [SECURITY] CVE-2012-5668: NULL Pointer Dereference in bdf_free_font.
        (Closes: #696691)
      * Add savannah-bug-37906.patch patch
        [SECURITY] CVE-2012-5669: Out-of-bounds read in _bdf_parse_glyphs.
        (Closes: #696691)
      * Add savannah-bug-37907.patch patch
        [SECURITY] CVE-2012-5670: Out-of-bounds write in _bdf_parse_glyphs.
        (Closes: #696691)
    
     -- Salvatore Bonaccorso <email address hidden>  Fri, 28 Dec 2012 21:32:28 +0100
  • freetype (2.4.9-1) unstable; urgency=low
    
    
      * New upstream release
        - upstream fix for multiple vulnerabilities: CVE-2012-1126,
          CVE-2012-1133, CVE-2012-1134, CVE-2012-1136, CVE-2012-1142,
          CVE-2012-1144, and others.  Closes: #662864.
        - update symbols file for a new symbol, ft_raccess_guess_table
      * debian/patches-freetype/savannah-bug-35847.patch,
        debian/patches-freetype/savannah-bug-35833.patch: pull two bugfixes from
        upstream git on top of 2.4.9, to address regressions affecting
        ghostscript.  Thanks to Till Kamppeter for pointing this out.
      * push CPPFLAGS into CFLAGS for ft2demos, so our demos will be secure.
        Closes: #663613.
      * don't let a quiltrc override our QUILT_PATCHES settings in debian/rules.
        Closes: #617217.
      * Migrate debian/copyright to copyright-format 1.0, and fix up the upstream
        URL.  Closes: #642059.
    
     -- Steve Langasek <email address hidden>  Sat, 24 Mar 2012 23:35:16 +0000
  • freetype (2.4.8-1) unstable; urgency=high
    
    
      * New upstream release
        - upstream fix for CVE-2011-3439.  Closes: #649122.
        - adjust libfreetype6.symbols for a newly-exported function.
    
     -- Steve Langasek <email address hidden>  Thu, 17 Nov 2011 22:28:14 +0000
  • freetype (2.4.7-2) unstable; urgency=low
    
    
      * Use dpkg-buildflags through debhelper.
      * Don't set -Werror in CFLAGS on alpha or m68k, to work around a compiler
        bug.  Closes: #646334.
    
     -- Steve Langasek <email address hidden>  Mon, 24 Oct 2011 22:02:32 +0000
  • freetype (2.4.7-1) unstable; urgency=low
    
    
      * New upstream release
        - upstream fix for CVE-2011-3256.  Closes: #646120.
        - drop debian/patches-freetype/0001-Fix-Savannah-bug-33992.patch,
          included upstream.
      * Pass --without-bzip2 to configure, to avoid unwanted dependency on
        libbz2.  Closes: #639638.
      * Standards-Version 3.9.2.
    
     -- Steve Langasek <email address hidden>  Sat, 22 Oct 2011 20:18:59 +0000
  • freetype (2.4.6-2) unstable; urgency=low
    
    
      * debian/patches-freetype/0001-Fix-Savannah-bug-33992.patch: [PATCH]
        Fix Savannah bug #33992.  Thanks to David Bevan
        <email address hidden>.  Closes: #638348.
    
     -- Steve Langasek <email address hidden>  Sat, 20 Aug 2011 06:30:18 +0000
  • freetype (2.4.6-1) unstable; urgency=low
    
    
      * New upstream release
        - fixes CVE-2011-0226, a vulnerability in parsing of Type 1 fonts.
          Closes: #635871.
        - upstream now builds cleanly with -Werror and the new gcc-4.6 upstream
          warnings.  Closes: #625328.
    
     -- Steve Langasek <email address hidden>  Thu, 04 Aug 2011 05:49:09 +0000
  • freetype (2.4.4-2) unstable; urgency=low
    
    
      * Build for multiarch, using debhelper compat 9.
      * Add Pre-Depends: ${misc:Pre-Depends} to pick up multiarch-support
        dependency.
    
     -- Steve Langasek <email address hidden>  Wed, 22 Jun 2011 14:38:12 -0700
  • freetype (2.4.4-1) unstable; urgency=low
    
    
      * Acknowledge security NMU - thanks, Moritz!
      * New upstream release, closes: #606286, #600321
        - fixes PDF rendering issues.  Closes: #612484, LP: #709229.
        - fixes a rendering issue with 'S' glyphs in certain fonts.
          LP: #654010.
        - drop patches for CVE-2010-3855 and CVE-2010-3814, applied upstream.
        - drop patch ft2demos-2.1.7-ftbench.patch; doesn't apply cleanly, the
          code has changed significantly, patch never forwarded upstream.  If
          this is still an issue, someone will provide a fixed patch.
        - drop patch ft2demos-grkey.patch, fixed upstream.
      * debian/patches-freetype/enable-gxvalid-otvalid.patch: enable the
        otvalid and gxvalid table validation modules.  Thanks to Paul Wise
        <email address hidden>.  Closes: #520879, LP: #239626.
      * debian/libfreetype6.symbols: update the symbols file for the same.
      * debian/rules et al.: convert to dh 7
      * drop INSTALL.* from the libfreetype6-dev docs.  Closes: #550971.
      * move homepage out of debian/copyright and into debian/control.
      * fix GPL link to point to GPL-2 explicitly.
      * clean up long-obsolete conflicts/replaces.
      * drop debian/README.quilt, redundant with debian/README.source.
      * drop debian/README.Debian, which talks about the long-finished
        transition from freetype1.
      * strip dependency_libs out of /usr/lib/libfreetype.la.
      * bump standards-version to 3.9.1.
    
     -- Steve Langasek <email address hidden>  Mon, 21 Feb 2011 14:10:46 -0800
  • freetype (2.4.2-2.1) unstable; urgency=medium
    
    
      * Non-maintainer upload by the Security Team.
      * Fix CVE-2010-3855 and CVE-2010-3814 (Closes: #602221)
    
     -- Moritz Muehlenhoff <email address hidden>  Thu, 18 Nov 2010 21:16:12 +0100
  • freetype (2.4.2-2) unstable; urgency=low
    
    
      * debian/patches-ft2demos/f2tdemos-grkey.patch: update to fix another
        problem when building under gcc-4.5 that was overlooked in the previous
        version of the patch.  LP: #624740.
    
     -- Steve Langasek <email address hidden>  Sat, 28 Aug 2010 02:27:15 +0000
  • freetype (2.4.2-1) unstable; urgency=high
    
    
      * New upstream release
        - High urgency upload for RC security bugfix.
        - Corrects a stack overflow in the interpreter for CFF fonts
          (CVE-2010-1797).  Closes: #592399.
        - drop debian/patches-freetype/opentype-missing-glyphs, included
          upstream.
      * Update libfreetype6.symbols for two new functions.
    
     -- Steve Langasek <email address hidden>  Tue, 10 Aug 2010 00:19:04 -0700
  • freetype (2.4.0-2) unstable; urgency=medium
    
    
      * debian/patches-freetype/opentype-missing-glyphs: fix from upstream for
        glyphs from OpenType fonts failing to render.  Closes: #589256,
        LP: #605858.
      * Medium-urgency upload to fix important regression.
    
     -- Steve Langasek <email address hidden>  Fri, 16 Jul 2010 12:37:03 -0700
  • freetype (2.4.0-1) unstable; urgency=high
    
    
      * New upstream release (closes: #572576).
        - fixes CVE-2010-2497, CVE-2010-2498, CVE-2010-2499, CVE-2010-2500,
          CVE-2010-2519, and CVE-2010-2520
        - high-urgency upload for security bugfixes.
        - drop debian/patches-freetype/freetype-bytecode-interpreter.patch and
          debian/patches-freetype/enable-full-bytecode-interpreter - the
          bytecode interpreter is now enabled by default upstream at last!
        - drop debian/patches-freetype/freetype-bdflib-large-encodings.patch and
          debian/patches-freetype/uninitialized-vars.patch, applied upstream.
        - drop debian/patches-freetype/331-hmtx-no-shorts.diff, implemented
          differently upstream.
        - new symbol FT_Library_SetLcdFilterWeights added to the symbols table,
          bump the shlibs.
        - fixes problem with outlines for some OpenType fonts.  Closes: #583868.
      * Add a debian/watch file - though we won't use it internally due to the
        multiple tarball issues.
      * Begin to simplify debian/rules a little by trimming dead code.
      * Don't set SHELL = /bin/bash in debian/rules, no bashisms found in
        the current package.
      * debian/patches/ft2demos-grkey.patch: don't point grKEY() at an enum when
        it's being passed values that aren't defined in that enum, fixing a build
        failure with gcc 4.5.  Thanks to Brian M. Carlson for the preliminary
        patch.  Closes: #564989.
      * docs/PATENTS no longer exists, so we don't install it.
      * Add ${misc:Depends} substitutions to all packages, per lintian.
      * Standards-Version to 3.8.4, no changes required.
      * Clarify in debian/copyright that freetype can be used under GPLv2 or
        later.
    
     -- Steve Langasek <email address hidden>  Tue, 13 Jul 2010 17:09:32 -0700
  • freetype (2.3.11-1) unstable; urgency=low
    
    
      * New upstream release
        - drop debian/patches-freetype/proper-armel-asm-declaration.patch and
          debian/patches-freetype/CVE-2009-0946.patch, applied upstream.
        - new symbol tt_cmap13_class_rec added to the symbols table, bump the
          shlibs.
    
     -- Steve Langasek <email address hidden>  Mon, 12 Oct 2009 14:14:49 -0700
  • freetype (2.3.9-5) unstable; urgency=low
    
    
      * Pass proper --host/--build args to ./configure, to support
        cross-building.  Closes: #465292.
      * clean up a number of unused variables in debian/rules; maybe someday
        we'll get this package to converge on debhelper 7... :)
      * Fix the doc-base section for libfreetype6-dev.  Closes: #315845.
      * Remove one final reference to /usr/X11R6 in debian/rules.
      * Drop incorrect Replaces: freetype0, freetype1
      * Add debian/README.source, documenting the madness that is this source
        package.
      * Standards-Version to 3.8.0.
      * Fix multiple integer overflows leading to arbitrary code execution
        or DoS (CVE-2009-0946; Closes: #524925).  Thanks to Nico Golde for the
        NMU.
    
     -- Steve Langasek <email address hidden>  Mon, 01 Jun 2009 04:37:19 -0700
  • freetype (2.3.9-4.1) unstable; urgency=high
    
    
      * Non-maintainer upload by the Security Team.
      * Fix multiple integer overflows leading to arbitrary code execution
        or DoS (CVE-2009-0946; Closes: #524925).
    
     -- Nico Golde <email address hidden>  Thu, 23 Apr 2009 21:13:11 +0200
  • freetype (2.3.9-4) unstable; urgency=low
    
    
      * debian/patches-ft2demos/compiler-hardening-fixes.patch: always check the
        return value of fread(), to appease hardened compilers such as what's
        used in Ubuntu by default.  Set a good example, even if these demos
        shouldn't be security-sensitive!  Also, along the way catch and fix a
        small memory leak on error. :)
      * debian/patches-freetype/proper-armel-asm-declaration.patch: use __asm__
        for declaring assembly instead of asm, fixing a build failure on armel.
    
     -- Steve Langasek <email address hidden>  Sat, 14 Mar 2009 14:35:23 -0700
  • freetype (2.3.9-3) unstable; urgency=low
    
    
      * Drop spurious Suggests: on libfreetype6-dev.  Closes: #363937.
      * debian/patches-freetype/enable-subpixel-rendering.patch: enable subpixel
        rendering features, used by libcairo and xft to provide LCD colour
        filtering.  This is considered no more or less evil than the bytecode
        interpreter which we also enable.
      * Move debian/libfreetype6.copyright to debian/copyright, and selectively
        install it to the single binary package in debian/rules; the same
        copyright file is used for all the binaries anyway via symlinks, so
        there's no reason it shouldn't ship as debian/copyright.
        Closes: #381228.
      * Clip redundant LICENSE.TXT and GPL.TXT files from the
        libfreetype6-dev package.  Closes: #459802.
    
     -- Steve Langasek <email address hidden>  Fri, 13 Mar 2009 23:09:50 -0700
  • freetype (2.3.7-2) unstable; urgency=high
    
    
      * High-urgency upload for RC bugfix.
      * Add debian/patches-freetype/no-segfault-on-load_mac_face, patch from
        upstream to fix a segfault due to uninitialized memory in certain
        failures of FT_Stream_New.  Closes: #487101.
    
     -- Steve Langasek <email address hidden>  Thu, 21 Aug 2008 12:09:17 -0700