Change logs for freetype source package in Natty

  • freetype (2.4.4-1ubuntu2.3) natty-security; urgency=low
    
      * SECURITY UPDATE: Denial of service via crafted BDF font
        - debian/patches-freetype/CVE-2012-1126.patch: Perform better input
          sanitization when parsing properties. Based on upstream patch.
        - CVE-2012-1126
      * SECURITY UPDATE: Denial of service via crafted BDF font
        - debian/patches-freetype/CVE-2012-1127.patch: Perform better input
          sanitization when parsing glyphs. Based on upstream patch.
        - CVE-2012-1127
      * SECURITY UPDATE: Denial of service via crafted TrueType font
        - debian/patches-freetype/CVE-2012-1128.patch: Improve loop logic to avoid
          NULL pointer dereference. Based on upstream patch.
        - CVE-2012-1128
      * SECURITY UPDATE: Denial of service via crafted Type42 font
        - debian/patches-freetype/CVE-2012-1129.patch: Perform better input
          sanitization when parsing SFNT strings. Based on upstream patch.
        - CVE-2012-1129
      * SECURITY UPDATE: Denial of service via crafted PCF font
        - debian/patches-freetype/CVE-2012-1130.patch: Allocate enough memory to
          properly NULL-terminate parsed properties strings. Based on upstream
          patch.
        - CVE-2012-1130
      * SECURITY UPDATE: Denial of service via crafted TrueType font
        - debian/patches-freetype/CVE-2012-1131.patch: Use appropriate data type to
          prevent integer truncation on 64 bit systems when rendering fonts. Based
          on upstream patch.
        - CVE-2012-1131
      * SECURITY UPDATE: Denial of service via crafted Type1 font
        - debian/patches-freetype/CVE-2012-1132.patch: Ensure strings are of
          appropriate length when loading Type1 fonts. Based on upstream patch.
        - CVE-2012-1132
      * SECURITY UPDATE: Denial of service and arbitrary code execution via
        crafted BDF font
        - debian/patches-freetype/CVE-2012-1133.patch: Limit range of negative
          glyph encoding values to prevent invalid array indexes. Based on
          upstream patch.
        - CVE-2012-1133
      * SECURITY UPDATE: Denial of service and arbitrary code execution via
        crafted Type1 font
        - debian/patches-freetype/CVE-2012-1134.patch: Enforce a minimum Type1
          private dictionary size to prevent writing past array bounds. Based on
          upstream patch.
        - CVE-2012-1134
      * SECURITY UPDATE: Denial of service via crafted TrueType font
        - debian/patches-freetype/CVE-2012-1135.patch: Perform proper bounds
          checks when interpreting TrueType bytecode. Based on upstream patch.
        - CVE-2012-1135
      * SECURITY UPDATE: Denial of service and arbitrary code execution via
        crafted BDF font
        - debian/patches-freetype/CVE-2012-1136.patch: Ensure encoding field is
          defined when parsing glyphs. Based on upstream patch.
        - CVE-2012-1136
      * SECURITY UPDATE: Denial of service via crafted BDF font
        - debian/patches-freetype/CVE-2012-1137.patch: Allocate sufficient number
          of array elements to prevent reading past array bounds. Based on
          upstream patch.
        - CVE-2012-1137
      * SECURITY UPDATE: Denial of service via crafted TrueType font
        - debian/patches-freetype/CVE-2012-1138.patch: Correct typo resulting in
          invalid read from wrong memory location. Based on upstream patch.
        - CVE-2012-1138
      * SECURITY UPDATE: Denial of service via crafted BDF font
        - debian/patches-freetype/CVE-2012-1139.patch: Check array index values to
          prevent reading invalid memory. Based on upstream patch.
        - CVE-2012-1139
      * SECURITY UPDATE: Denial of service via crafted PostScript font
        - debian/patches-freetype/CVE-2012-1140.patch: Fix off-by-one error in
          boundary checks. Based on upstream patch.
        - CVE-2012-1140
      * SECURITY UPDATE: Denial of service via crafted BDF font
        - debian/patches-freetype/CVE-2012-1141.patch: Initialize field elements
          to prevent invalid read. Based on upstream patch.
        - CVE-2012-1141
      * SECURITY UPDATE: Denial of service via crafted Windows FNT/FON font
        - debian/patches-freetype/CVE-2012-1142.patch: Perform input sanitization
          on first and last character code fields. Based on upstream patch.
        - CVE-2012-1142
      * SECURITY UPDATE: Denial of service via crafted font
        - debian/patches-freetype/CVE-2012-1143.patch: Protect against divide by
          zero when dealing with 32 bit types. Based on upstream patch.
        - CVE-2012-1143
      * SECURITY UPDATE: Denial of service and arbitrary code execution via
        crafted TrueType font
        - debian/patches-freetype/CVE-2012-1144.patch: Perform input sanitization
          on the first glyph outline point value. Based on upstream patch.
        - CVE-2012-1144
     -- Tyler Hicks <email address hidden>   Wed, 21 Mar 2012 19:57:51 -0500
  • freetype (2.4.4-1ubuntu2.2) natty-security; urgency=low
    
      * SECURITY UPDATE: Arbitrary code execution via crafted Type 1 font
        - debian/patches-freetype/CVE-2011-3256.patch: Sanitize Type 1 font inputs
          in src/base/ftbitmap.c, src/psaux/t1decode.c, src/raster/ftrend1.c, and
          src/truetype/ttgxvar.c. Based on upstream patch.
        - CVE-2011-3256
      * SECURITY UPDATE: Arbitrary code execution via crafted CID-keyed PS font
        - debian/patches-freetype/CVE-2011-3439.patch: Sanitize CID-keyed
          PostScript font inputs in src/cid/cidload.c. Based on upstream patch.
        - CVE-2011-3439
     -- Tyler Hicks <email address hidden>   Thu, 17 Nov 2011 13:58:59 -0600
  • freetype (2.4.4-1ubuntu2.1) natty-security; urgency=low
    
      * SECURITY UPDATE: arbitrary code execution via crafted Type 1 font
        - debian/patches-freetype/CVE-2011-0226.patch: check for proper
          signedness in src/psaux/t1decode.c.
        - CVE-2011-0226
     -- Marc Deslauriers <email address hidden>   Thu, 21 Jul 2011 13:59:37 -0400
  • freetype (2.4.4-1ubuntu2) natty; urgency=low
    
      * No-change rebuild against fixed pkgbinarymangler, to get correct
        multiarch-safe changelogs
     -- Steve Langasek <email address hidden>   Tue, 22 Mar 2011 05:50:45 +0000
  • freetype (2.4.4-1ubuntu1) natty; urgency=low
    
      * FFe LP: #733501.
      * Build for multiarch, using debhelper compat 9.
      * Add Pre-Depends: ${misc:Pre-Depends} to pick up multiarch-support
        dependency.
     -- Steve Langasek <email address hidden>   Thu, 17 Mar 2011 18:19:59 -0700
  • freetype (2.4.4-1) unstable; urgency=low
    
      * Acknowledge security NMU - thanks, Moritz!
      * New upstream release, closes: #606286, #600321
        - fixes PDF rendering issues.  Closes: #612484, LP: #709229.
        - fixes a rendering issue with 'S' glyphs in certain fonts.
          LP: #654010.
        - drop patches for CVE-2010-3855 and CVE-2010-3814, applied upstream.
        - drop patch ft2demos-2.1.7-ftbench.patch; doesn't apply cleanly, the
          code has changed significantly, patch never forwarded upstream.  If
          this is still an issue, someone will provide a fixed patch.
        - drop patch ft2demos-grkey.patch, fixed upstream.
      * debian/patches-freetype/enable-gxvalid-otvalid.patch: enable the
        otvalid and gxvalid table validation modules.  Thanks to Paul Wise
        <email address hidden>.  Closes: #520879, LP: #239626.
      * debian/libfreetype6.symbols: update the symbols file for the same.
      * debian/rules et al.: convert to dh 7
      * drop INSTALL.* from the libfreetype6-dev docs.  Closes: #550971.
      * move homepage out of debian/copyright and into debian/control.
      * fix GPL link to point to GPL-2 explicitly.
      * clean up long-obsolete conflicts/replaces.
      * drop debian/README.quilt, redundant with debian/README.source.
      * drop debian/README.Debian, which talks about the long-finished transition
        from freetype1.
      * strip dependency_libs out of /usr/lib/libfreetype.la.
      * bump standards-version to 3.9.1.
     -- Steve Langasek <email address hidden>   Mon, 21 Feb 2011 14:10:46 -0800
  • freetype (2.4.2-2.1) unstable; urgency=medium
    
      * Non-maintainer upload by the Security Team.
      * Fix CVE-2010-3855 and CVE-2010-3814 (Closes: #602221)
     -- Artur Rona <email address hidden>   Wed,  24 Nov 2010 11:43:49 +0000
  • freetype (2.4.2-2ubuntu0.1) maverick-security; urgency=low
    
      * SECURITY UPDATE: denial of service and possible code execution via
        improper error handling of SHZ bytecode instruction
        - debian/patches/CVE-2010-3814.patch: add bounds check to
          src/truetype/ttinterp.c.
        - CVE-2010-3814
      * SECURITY UPDATE: denial of service and possible code execution via
        TrueType GX font
        - debian/patches/CVE-2010-3855.patch: add bounds checks to
          src/truetype/ttgxvar.c.
        - CVE-2010-3855
     -- Marc Deslauriers <email address hidden>   Tue, 02 Nov 2010 14:20:42 -0400
  • freetype (2.4.2-2) unstable; urgency=low
    
      * debian/patches-ft2demos/f2tdemos-grkey.patch: update to fix another
        problem when building under gcc-4.5 that was overlooked in the previous
        version of the patch.  LP: #624740.
     -- Steve Langasek <email address hidden>   Wed,  08 Sep 2010 07:45:46 +0100