Format: 1.8 Date: Tue, 03 Apr 2018 00:11:08 +0200 Source: freetype Binary: libfreetype6 libfreetype6-dev freetype2-demos libfreetype6-udeb Architecture: source Version: 2.5.2-1ubuntu2.8~ppa1204+1 Distribution: precise Urgency: high Maintainer: Ubuntu Developers Changed-By: Thorsten Glaser Description: freetype2-demos - FreeType 2 demonstration programs libfreetype6 - FreeType 2 font engine, shared library files libfreetype6-dev - FreeType 2 font engine, development files libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb) Closes: 617217 642059 662864 663613 696691 717952 729231 732062 733052 Changes: freetype (2.5.2-1ubuntu2.8~ppa1204+1) precise; urgency=medium . * Upload to precise PPA . freetype (2.5.2-1ubuntu2.8) trusty-security; urgency=medium . * SECURITY UPDATE: out-of-bounds write in t1_decoder_parse_charstrings - debian/patches-freetype/CVE-2017-8105.patch: add a check to src/psaux/t1decode.c. - CVE-2017-8105 * SECURITY UPDATE: out-of-bounds write in t1_builder_close_contour - debian/patches-freetype/CVE-2017-8287.patch: add a check to src/psaux/psobjs.c. - CVE-2017-8287 . freetype (2.5.2-1ubuntu2.7) trusty-security; urgency=medium . * SECURITY UPDATE: heap based buffer overflow in cff_parser_run() - debian/patches-freetype/CVE-2016-10328.patch: add additional check to parser stack size in src/cff/cffparse.c - CVE-2016-10328 . freetype (2.5.2-1ubuntu2.6) trusty-security; urgency=medium . * SECURITY UPDATE: DoS and possible code execution via missing glyph name - debian/patches/CVE-2016-10244.patch: add check to src/type1/t1load.c. - CVE-2016-10244 . freetype (2.5.2-1ubuntu2.5) trusty-security; urgency=medium . * SECURITY UPDATE: uninitialized memory reads (LP: #1449225) - debian/patches-freetype/savannah-bug-41309.patch: fix use of uninitialized data in src/cid/cidload.c, src/psaux/psobjs.c, src/type1/t1load.c, src/type42/t42parse.c. - No CVE number * SECURITY UPDATE: denial of service via infinite loop in parse_encode (LP: #1492124) - debian/patches-freetype/savannah-bug-41590.patch: protect against invalid charcode in src/type1/t1load.c. - No CVE number . freetype (2.5.2-1ubuntu2.4) trusty-security; urgency=medium . * SECURITY UPDATE: denial of service and possible code execution via multiple security issues - debian/patches-freetype/CVE-2014-96xx/*.patch: backport a large quantity of upstream commits to fix multiple security issues. - CVE-2014-9656 - CVE-2014-9657 - CVE-2014-9658 - CVE-2014-9659 - CVE-2014-9660 - CVE-2014-9661 - CVE-2014-9662 - CVE-2014-9663 - CVE-2014-9664 - CVE-2014-9665 - CVE-2014-9666 - CVE-2014-9667 - CVE-2014-9668 - CVE-2014-9669 - CVE-2014-9670 - CVE-2014-9671 - CVE-2014-9672 - CVE-2014-9673 - CVE-2014-9674 - CVE-2014-9675 . freetype (2.5.2-1ubuntu2.3) trusty; urgency=medium . * Added patchset to fix multithread violations, LP: #1199571 - debian/patches-freetype/multi-thread-violations.patch . freetype (2.5.2-1ubuntu2.2) trusty; urgency=medium . * Fix incorrect Korean Fonts rendering. (LP: #1310017) - debian/patches-freetype/fix-incorrect-korean-fonts-rendering.patch . freetype (2.5.2-1ubuntu2.1) trusty; urgency=medium . * debian/patches-freetype/0001-Fix-Savannah-bug-40997.patch: Cherry-pick upstream patch to fix a double free. (LP: #1310728) . freetype (2.5.2-1ubuntu2) trusty; urgency=medium . * SECURITY UPDATE: denial of service and possible code execution in CFF rasterizer - debian/patches/CVE-2014-2240.patch: validate hintMask in src/cff/cf2hints.c. - CVE-2014-2240 * SECURITY UPDATE: denial of service in CFF rasterizer - debian/patches/CVE-2014-2241.patch: don't trigger asserts in src/cff/cf2ft.c. - CVE-2014-2241 . freetype (2.5.2-1ubuntu1) trusty; urgency=medium . * Merge from Debian unstable, remaining changes: - debian/patches-freetype/revert_scalable_fonts_metric.patch: revert commit "Fix metrics on size request for scalable fonts.", which breaks gtk underlining markups * Dropped changes, included in Debian: - Fix png configuration for cross builds. - Run aclocal and autoconf. . freetype (2.5.2-1) unstable; urgency=low . * New upstream release - fixes a crasher bug with certain fonts. Closes: #733052. - drop of additional symbols which were previously exported but are only meant for debugging and upstream recommends not enabling them when building in "release mode". If this impacts users of freetype, we can re-enable these symbols later. * Call autogen.sh on build to refresh autotools; not using dh-autoreconf because the upstream directory structure is non-standard and it's a throw-away dir, so there's no advantage to dh-autoreconf's rollback support. * Fix symbols file with respect to more complete version info found in Ubuntu. * Drop debian/patches-ft2demos/compiler-warning-fixes.patch, which is actually a bug in the compiler_hardening_fixes.patch; fix it there instead. * Fix libpng detection when cross-building. . freetype (2.5.1-2ubuntu1) trusty; urgency=medium . * Merge from Debian unstable, remaining changes: - debian/patches-freetype/revert_scalable_fonts_metric.patch: revert commit "Fix metrics on size request for scalable fonts.", which breaks gtk underlining markups - Fix png configuration for cross builds. - Run aclocal and autoconf. . freetype (2.5.1-2) unstable; urgency=low . * Drop unnecessary GPLv2.txt from libfreetype6-dev. * Add missing dependency on libpng-dev to libfreetype6-dev. Closes: #732062. . freetype (2.5.1-1ubuntu2) trusty; urgency=medium . * Fix png configuration for cross builds. * Run aclocal and autoconf. . freetype (2.5.1-1ubuntu1) trusty; urgency=low . * Merge from Debian unstable (LP: #1256114), remaining changes: - debian/patches-freetype/revert_scalable_fonts_metric.patch: revert commit "Fix metrics on size request for scalable fonts.", which breaks gtk underlining markups * Dropped changes, included in Debian: - debian/control: build-depends on libpng-dev - debian/libfreetype6.symbols: new version update * Drop debian/patches-ft2demos/compiler-warning-fixes.patch, which is actually a bug in the compiler_hardening_fixes.patch and has been fixed there in the Ubuntu version. . freetype (2.5.1-1) unstable; urgency=low . * New upstream release. Closes: #717952, #729231. - Add build-dependency on libpng-dev. - Dropped patches, included upstream: savannah-bug-35847.patch, savannah-bug-35833.patch, savannah-bug-37905.patch, savannah-bug-37906.patch, savannah-bug-37907.patch - Internal symbols have been dropped in this version. No soname change because the symbols are not supposed to be used, but past experience suggests that this may break some third-party software anyway. * compiler_hardening_fixes.patch: fix wrong snprintf() calls in ttdebug.c that cause an overflow 100% of the time. * debian/patches-ft2demos/compiler-warning-fixes.patch: Fix a wrong cast that triggers a compiler warning. * debian/patches-ft2demos/revert-wrong-extern.patch: revert wrong upstream commit that causes a build failure. . freetype (2.5.0.1-0ubuntu2) trusty; urgency=low . * debian/control: build-depends on libpng12-dev . freetype (2.5.0.1-0ubuntu1) trusty; urgency=low . * New upstream version (lp: #1203012) * debian/patches-freetype/git_unitialized_variable.patch, debian/patches-ft2demos/init_variables.patch: - dropped, the fixes are in the new version * debian/libfreetype6.symbols: new version update . freetype (2.4.12-0ubuntu1) saucy; urgency=low . * New upstream version (lp: #1179523) * debian/patches-freetype/git_unitialized_variable.patch, debian/patches-ft2demos/init_variables.patch: - fix an unitialized variable warnings which were breaking the build * debian/libfreetype6.symbols: updated . freetype (2.4.11-0ubuntu1) raring; urgency=low . * New upstream version * debian/patches-freetype/CVE-2012-5668.patch, debian/patches-freetype/CVE-2012-5669.patch, debian/patches-freetype/CVE-2012-5670.patch: - dropped, those fixes are in the new version * debian/patches-ft2demos/compiler_hardening_fixes.patch: - changed unsigned char* to char* to fix "pointer targets in assignment differ in signedness" build error * debian/libfreetype6.symbols: updated for the new version . freetype (2.4.10-0ubuntu2) raring; urgency=low . * SECURITY UPDATE: denial of service and possible code execution via NULL pointer dereference - debian/patches-freetype/CVE-2012-5668.patch: reset props_size in case of allocation error in src/bdf/bdflib.c. - CVE-2012-5668 * SECURITY UPDATE: denial of service and possible code execution via heap buffer over-read in BDF parsing - debian/patches-freetype/CVE-2012-5669.patch: use correct array size in src/bdf/bdflib.c. - CVE-2012-5669 * SECURITY UPDATE: denial of service and possible code execution via out- of-bounds write - debian/patches-freetype/CVE-2012-5670.patch: normalize negative parameter in src/bdf/bdflib.c. - CVE-2012-5670 . freetype (2.4.10-0ubuntu1) quantal; urgency=low . * New upstream version * debian/libfreetype6.symbols: - new version update * debian/patches-freetype/savannah-bug-35847.patch, debian/patches-freetype/savannah-bug-35833.patch: - dropped, the fixes are in the new version * Resynchronize on Debian, remaining diff: * debian/patches-freetype/revert_scalable_fonts_metric.patch: - revert commit "Fix metrics on size request for scalable fonts.", it's breaking gtk underlining markups and creating some other issues as well (lp: #972223) . freetype (2.4.9-1.1) unstable; urgency=high . * Non-maintainer upload. Upload ACKed by Steve Langasek on #debian-devel. * Add savannah-bug-37905.patch patch [SECURITY] CVE-2012-5668: NULL Pointer Dereference in bdf_free_font. (Closes: #696691) * Add savannah-bug-37906.patch patch [SECURITY] CVE-2012-5669: Out-of-bounds read in _bdf_parse_glyphs. (Closes: #696691) * Add savannah-bug-37907.patch patch [SECURITY] CVE-2012-5670: Out-of-bounds write in _bdf_parse_glyphs. (Closes: #696691) . freetype (2.4.9-1) unstable; urgency=low . * New upstream release - upstream fix for multiple vulnerabilities: CVE-2012-1126, CVE-2012-1133, CVE-2012-1134, CVE-2012-1136, CVE-2012-1142, CVE-2012-1144. and others. Closes: #662864. - update symbols file for a new symbol, ft_raccess_guess_table * debian/patches-freetype/savannah-bug-35847.patch, debian/patches-freetype/savannah-bug-35833.patch: pull two bugfixes from upstream git on top of 2.4.9, to address regressions affecting ghostscript. Thanks to Till Kamppeter for pointing this out. * push CPPFLAGS into CFLAGS for ft2demos, so our demos will be secure. Closes: #663613. * don't let a quiltrc override our QUILT_PATCHES settings in debian/rules. Closes: #617217. * Migrate debian/copyright to copyright-format 1.0, and fix up the upstream URL. Closes: #642059. Checksums-Sha1: 5526700f551231ec0a979f838e6a25553105e499 2267 freetype_2.5.2-1ubuntu2.8~ppa1204+1.dsc cd585a224b742e769f4b14a8028b5d0889474a82 1971155 freetype_2.5.2.orig.tar.gz efafbfae6b11d03c5c064fdcbd2990afa579457b 86594 freetype_2.5.2-1ubuntu2.8~ppa1204+1.diff.gz Checksums-Sha256: 51ce883e5e89a18e549936fd7573c8e4c882ca29f1463eea566d3c685ec274cc 2267 freetype_2.5.2-1ubuntu2.8~ppa1204+1.dsc 5fda4996e43cfdf9b602a0eb5abde014f1a3c3b2d82bbb9b86942011c63f5c3a 1971155 freetype_2.5.2.orig.tar.gz 3ce1af517ba0af4880a1e7e3c0dee2fbff985b1d08413aa0cb14dff9d826b310 86594 freetype_2.5.2-1ubuntu2.8~ppa1204+1.diff.gz Files: 2e52ae4c3f2c6eaf955ab86a0b73c851 2267 libs optional freetype_2.5.2-1ubuntu2.8~ppa1204+1.dsc cd5d3efcc73e221e68992b7b062d77ac 1971155 libs optional freetype_2.5.2.orig.tar.gz f4b388045a59b08ed40ddc8d52d294de 86594 libs optional freetype_2.5.2-1ubuntu2.8~ppa1204+1.diff.gz Original-Maintainer: Steve Langasek