From bec4be4c48239613ed1c704ae71bf08754eef711 Mon Sep 17 00:00:00 2001 From: Mike DePaulo Date: Sat, 9 May 2015 20:15:27 -0400 Subject: Updated to libXfont 1.5.1 In addition to some other changes, the following CVEs have been fixed: bdfReadProperties: property count needs range check [CVE-2015-1802] bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803] bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804] --- libXfont/ChangeLog | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) (limited to 'libXfont/ChangeLog') diff --git a/libXfont/ChangeLog b/libXfont/ChangeLog index 2d5c38345..7211c5547 100644 --- a/libXfont/ChangeLog +++ b/libXfont/ChangeLog @@ -1,3 +1,85 @@ +commit da4246c98bc51297daeec47c15181e179df94013 +Author: Alan Coopersmith +Date: Tue Mar 17 08:12:19 2015 -0700 + + libXfont 1.5.1 + + Signed-off-by: Alan Coopersmith + +commit 2351c83a77a478b49cba6beb2ad386835e264744 +Author: Alan Coopersmith +Date: Fri Mar 6 22:54:58 2015 -0800 + + bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804] + + We use 32-bit ints to read from the bdf file, but then try to stick + into a 16-bit int in the xCharInfo struct, so make sure they won't + overflow that range. + + Found by afl-1.24b. + + v2: Verify that additions won't overflow 32-bit int range either. + v3: As Julien correctly observes, the previous check for bh & bw not + being < 0 reduces the number of cases we need to check for overflow. + + Signed-off-by: Alan Coopersmith + Reviewed-by: Julien Cristau + +commit 78c2e3d70d29698244f70164428bd2868c0ab34c +Author: Alan Coopersmith +Date: Fri Feb 6 15:54:00 2015 -0800 + + bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803] + + Previously would charge on ahead with a NULL pointer in ci->bits, and + then crash later in FontCharInkMetrics() trying to access the bits. + + Found with afl-1.23b. + + 
Signed-off-by: Alan Coopersmith + Reviewed-by: Julien Cristau + +commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e +Author: Alan Coopersmith +Date: Fri Feb 6 15:50:45 2015 -0800 + + bdfReadProperties: property count needs range check [CVE-2015-1802] + + Avoid integer overflow or underflow when allocating memory arrays + by multiplying the number of properties reported for a BDF font. + + Reported-by: Ilja Van Sprundel + Signed-off-by: Alan Coopersmith + Reviewed-by: Julien Cristau + +commit d9fda3d247942292a5f24694c22337c547006e11 +Author: Christos Zoulas +Date: Wed Feb 25 21:39:30 2015 +0100 + + Set close-on-exec for font file I/O. + + Reviewed-by: Alan Coopersmith + Signed-off-by: Thomas Klausner + +commit 3b33588117c2ca3099b999939985ffe098d479b3 +Author: Alan Coopersmith +Date: Wed Nov 5 17:41:24 2014 -0800 + + Use 'imdent' to realign cpp indentation levels in fslibos.h + + Parts were indented, others weren't, now is more consistent. + 'git diff -w' shows no non-whitespace changes in this commit + + Signed-off-by: Alan Coopersmith + +commit 03c035b061a0582159467dcadfc8e95074e2a84f +Author: Alan Coopersmith +Date: Wed Nov 5 17:39:05 2014 -0800 + + Remove unneeded checks for #ifndef X_NOT_POSIX + + Signed-off-by: Alan Coopersmith + commit ad4f4d8a2d0730c0ea3c09210bf921638b4682bc Author: Alan Coopersmith Date: Sat Jul 19 09:49:23 2014 -0700 -- cgit v1.2.3
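Review bot: the three CVE entries added at the top of libXfont/ChangeLog (CVE-2015-1802, CVE-2015-1803, CVE-2015-1804) cannot be checked against code in this view, because the diff is limited to 'libXfont/ChangeLog' and shows only the 82 inserted changelog lines. Before relying on this update as the fix, confirm that the same commit also carries the matching source changes to bdfReadProperties and bdfReadCharacters, and that the CVE-2015-1804 range check is the final v3 form described in the entry, not the earlier v1 or v2. The commit message's "some other changes" would also be easier to audit if it named the three non-CVE entries visible here: close-on-exec for font file I/O, the cpp indentation realignment in fslibos.h, and the removal of the #ifndef X_NOT_POSIX checks.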