Change logs for freetype source package in Precise

  • freetype (2.4.8-1ubuntu2.6) precise-security; urgency=medium
    
      [ Marc Deslauriers ]
      * SECURITY UPDATE: out-of-bounds write in t1_decoder_parse_charstrings
        - debian/patches-freetype/CVE-2017-8105.patch: add a check to
          src/psaux/t1decode.c.
        - CVE-2017-8105
      * SECURITY UPDATE: out-of-bounds write in t1_builder_close_contour
        - debian/patches-freetype/CVE-2017-8287.patch: add a check to
          src/psaux/psobjs.c.
        - CVE-2017-8287
    
     -- Emily Ratliff <email address hidden>  Mon, 15 May 2017 20:31:15 -0500
  • freetype (2.4.8-1ubuntu2.5) precise-security; urgency=medium
    
      * SECURITY UPDATE: heap based buffer overflow in cff_parser_run()
        - debian/patches-freetype/CVE-2016-10328.patch: add additional check
          to parser stack size in src/cff/cffparse.c
        - CVE-2016-10328
    
     -- Steve Beattie <email address hidden>  Tue, 18 Apr 2017 14:35:42 -0700
  • freetype (2.4.8-1ubuntu2.4) precise-security; urgency=medium
    
      * SECURITY UPDATE: DoS and possible code execution via missing glyph name
        - debian/patches/CVE-2016-10244.patch: add check to src/type1/t1load.c.
        - CVE-2016-10244
    
     -- Marc Deslauriers <email address hidden>  Thu, 16 Mar 2017 13:42:14 -0400
  • freetype (2.4.8-1ubuntu2.3) precise-security; urgency=medium
    
      * SECURITY UPDATE: uninitialized memory reads (LP: #1449225)
        - debian/patches-freetype/savannah-bug-41309.patch: fix use of
          uninitialized data in src/cid/cidload.c, src/psaux/psobjs.c,
          src/type1/t1load.c, src/type42/t42parse.c.
        - No CVE number
      * SECURITY UPDATE: denial of service via infinite loop in parse_encode
        (LP: #1492124)
        - debian/patches-freetype/savannah-bug-41590.patch: protect against
          invalid charcode in src/type1/t1load.c.
        - No CVE number
    
     -- Marc Deslauriers <email address hidden>  Thu, 10 Sep 2015 07:10:41 -0400
  • freetype (2.4.8-1ubuntu2.2) precise-security; urgency=medium
    
      * SECURITY UPDATE: denial of service and possible code execution via
        multiple security issues
        - debian/patches-freetype/CVE-2014-96xx/*.patch: backport a large
          quantity of upstream commits to fix multiple security issues.
        - CVE-2014-9656
        - CVE-2014-9657
        - CVE-2014-9658
        - CVE-2014-9660
        - CVE-2014-9661
        - CVE-2014-9663
        - CVE-2014-9664
        - CVE-2014-9666
        - CVE-2014-9667
        - CVE-2014-9669
        - CVE-2014-9670
        - CVE-2014-9671
        - CVE-2014-9672
        - CVE-2014-9673
        - CVE-2014-9674
        - CVE-2014-9675
     -- Marc Deslauriers <email address hidden>   Tue, 24 Feb 2015 10:35:56 -0500
  • freetype (2.4.8-1ubuntu2.1) precise-security; urgency=low
    
      * SECURITY UPDATE: denial of service and possible code execution via NULL
        pointer dereference
        - debian/patches-freetype/CVE-2012-5668.patch: reset props_size in case
          of allocation error in src/bdf/bdflib.c.
        - CVE-2012-5668
      * SECURITY UPDATE: denial of service and possible code execution via heap
        buffer over-read in BDF parsing
        - debian/patches-freetype/CVE-2012-5669.patch: use correct array size
          in src/bdf/bdflib.c.
        - CVE-2012-5669
     -- Marc Deslauriers <email address hidden>   Fri, 11 Jan 2013 13:45:45 -0500
  • freetype (2.4.8-1ubuntu2) precise; urgency=low
    
      * debian/patches-freetype/revert_scalable_fonts_metric.patch:
        - revert commit "Fix metrics on size request for scalable fonts.",
          it's breaking gtk underlining markups and creating some other
          issues as well (lp: #972223)
     -- Sebastien Bacher <email address hidden>   Tue, 03 Apr 2012 10:42:05 +0200
  • freetype (2.4.8-1ubuntu1) precise; urgency=low
    
      * SECURITY UPDATE: Denial of service via crafted BDF font (LP: #963283)
        - debian/patches-freetype/CVE-2012-1126.patch: Perform better input
          sanitization when parsing properties. Based on upstream patch.
        - CVE-2012-1126
      * SECURITY UPDATE: Denial of service via crafted BDF font
        - debian/patches-freetype/CVE-2012-1127.patch: Perform better input
          sanitization when parsing glyphs. Based on upstream patch.
        - CVE-2012-1127
      * SECURITY UPDATE: Denial of service via crafted TrueType font
        - debian/patches-freetype/CVE-2012-1128.patch: Improve loop logic to avoid
          NULL pointer dereference. Based on upstream patch.
        - CVE-2012-1128
      * SECURITY UPDATE: Denial of service via crafted Type42 font
        - debian/patches-freetype/CVE-2012-1129.patch: Perform better input
          sanitization when parsing SFNT strings. Based on upstream patch.
        - CVE-2012-1129
      * SECURITY UPDATE: Denial of service via crafted PCF font
        - debian/patches-freetype/CVE-2012-1130.patch: Allocate enough memory to
          properly NULL-terminate parsed properties strings. Based on upstream
          patch.
        - CVE-2012-1130
      * SECURITY UPDATE: Denial of service via crafted TrueType font
        - debian/patches-freetype/CVE-2012-1131.patch: Use appropriate data type to
          prevent integer truncation on 64 bit systems when rendering fonts. Based
          on upstream patch.
        - CVE-2012-1131
      * SECURITY UPDATE: Denial of service via crafted Type1 font
        - debian/patches-freetype/CVE-2012-1132.patch: Ensure strings are of
          appropriate length when loading Type1 fonts. Based on upstream patch.
        - CVE-2012-1132
      * SECURITY UPDATE: Denial of service and arbitrary code execution via
        crafted BDF font
        - debian/patches-freetype/CVE-2012-1133.patch: Limit range of negative
          glyph encoding values to prevent invalid array indexes. Based on
          upstream patch.
        - CVE-2012-1133
      * SECURITY UPDATE: Denial of service and arbitrary code execution via
        crafted Type1 font
        - debian/patches-freetype/CVE-2012-1134.patch: Enforce a minimum Type1
          private dictionary size to prevent writing past array bounds. Based on
          upstream patch.
        - CVE-2012-1134
      * SECURITY UPDATE: Denial of service via crafted TrueType font
        - debian/patches-freetype/CVE-2012-1135.patch: Perform proper bounds
          checks when interpreting TrueType bytecode. Based on upstream patch.
        - CVE-2012-1135
      * SECURITY UPDATE: Denial of service and arbitrary code execution via
        crafted BDF font
        - debian/patches-freetype/CVE-2012-1136.patch: Ensure encoding field is
          defined when parsing glyphs. Based on upstream patch.
        - CVE-2012-1136
      * SECURITY UPDATE: Denial of service via crafted BDF font
        - debian/patches-freetype/CVE-2012-1137.patch: Allocate sufficient number
          of array elements to prevent reading past array bounds. Based on
          upstream patch.
        - CVE-2012-1137
      * SECURITY UPDATE: Denial of service via crafted TrueType font
        - debian/patches-freetype/CVE-2012-1138.patch: Correct typo resulting in
          invalid read from wrong memory location. Based on upstream patch.
        - CVE-2012-1138
      * SECURITY UPDATE: Denial of service via crafted BDF font
        - debian/patches-freetype/CVE-2012-1139.patch: Check array index values to
          prevent reading invalid memory. Based on upstream patch.
        - CVE-2012-1139
      * SECURITY UPDATE: Denial of service via crafted PostScript font
        - debian/patches-freetype/CVE-2012-1140.patch: Fix off-by-one error in
          boundary checks. Based on upstream patch.
        - CVE-2012-1140
      * SECURITY UPDATE: Denial of service via crafted BDF font
        - debian/patches-freetype/CVE-2012-1141.patch: Initialize field elements
          to prevent invalid read. Based on upstream patch.
        - CVE-2012-1141
      * SECURITY UPDATE: Denial of service via crafted Windows FNT/FON font
        - debian/patches-freetype/CVE-2012-1142.patch: Perform input sanitization
          on first and last character code fields. Based on upstream patch.
        - CVE-2012-1142
      * SECURITY UPDATE: Denial of service via crafted font
        - debian/patches-freetype/CVE-2012-1143.patch: Protect against divide by
          zero when dealing with 32 bit types. Based on upstream patch.
        - CVE-2012-1143
      * SECURITY UPDATE: Denial of service and arbitrary code execution via
        crafted TrueType font
        - debian/patches-freetype/CVE-2012-1144.patch: Perform input sanitization
          on the first glyph outline point value. Based on upstream patch.
        - CVE-2012-1144
     -- Tyler Hicks <email address hidden>   Fri, 23 Mar 2012 12:13:46 -0500
  • freetype (2.4.8-1) unstable; urgency=high
    
      * New upstream release
        - upstream fix for CVE-2011-3439.  Closes: #649122.
        - adjust libfreetype6.symbols for a newly-exported function.
     -- Tyler Hicks <email address hidden>   Fri,  18 Nov 2011 19:24:03 +0000
  • freetype (2.4.7-2) unstable; urgency=low
    
    
      * Use dpkg-buildflags through debhelper.
      * Don't set -Werror in CFLAGS on alpha or m68k, to work around a compiler
        bug.  Closes: #646334.
    
     -- Steve Langasek <email address hidden>  Mon, 24 Oct 2011 22:02:32 +0000
  • freetype (2.4.7-1) unstable; urgency=low
    
    
      * New upstream release
        - upstream fix for CVE-2011-3256.  Closes: #646120.
        - drop debian/patches-freetype/0001-Fix-Savannah-bug-33992.patch,
          included upstream.
      * Pass --without-bzip2 to configure, to avoid unwanted dependency on
        libbz2.  Closes: #639638.
      * Standards-Version 3.9.2.
    
     -- Steve Langasek <email address hidden>  Sat, 22 Oct 2011 20:18:59 +0000
  • freetype (2.4.6-2) unstable; urgency=low
    
    
      * debian/patches-freetype/0001-Fix-Savannah-bug-33992.patch: [PATCH]
        Fix Savannah bug #33992.  Thanks to David Bevan
        <email address hidden>.  Closes: #638348.
    
     -- Steve Langasek <email address hidden>  Sat, 20 Aug 2011 06:30:18 +0000
  • freetype (2.4.4-2ubuntu1) oneiric; urgency=low
    
      * SECURITY UPDATE: arbitrary code execution via crafted Type 1 font
        - debian/patches-freetype/CVE-2011-0226.patch: check for proper
          signedness in src/psaux/t1decode.c.
        - CVE-2011-0226
      * debian/rules: fix FTBFS with gcc 4.6 by adding
        -Wno-unused-but-set-variable to CFLAGS to downgrade it to a warning.
     -- Marc Deslauriers <email address hidden>   Mon, 08 Aug 2011 08:13:07 -0400