[packages/freetype1] Rel 17

Thu Mar 26 18:24:51 CET 2026

commit 7fe9de0eda1610b924dd2cc8a3e57ce71d3f0ae2
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Thu Mar 26 18:23:53 2026 +0100

    Rel 17

 freetype1-CVE-fixes.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 freetype1.spec            | 17 +++++++++++------
 2 files changed, 57 insertions(+), 6 deletions(-)
---

diff --git a/freetype1.spec b/freetype1.spec
index c15bb42..526f1ce 100644
--- a/freetype1.spec
+++ b/freetype1.spec
@@ -8,7 +8,7 @@ Summary:	Truetype font rasterizer
 Summary(pl.UTF-8):	Rasteryzer fontów Truetype
 Name:		freetype1
 Version:	1.3.1
-Release:	16
+Release:	17
 License:	BSD-like
 Group:		Libraries
 Source0:	ftp://ftp.freetype.org/freetype/freetype1/freetype-%{version}.tar.gz
@@ -21,6 +21,9 @@ Patch4:		%{name}-parallel-make.patch
 Patch5:		%{name}-link.patch
 Patch6:		format-security.patch
 Patch7:		gcc10.patch
+# CVE-2008-1808 (off-by-one in Ins_SHC), CVE-2010-3814 (heap overflow in
+# Ins_SHZ), CVE-2010-2520 (heap overflow in Ins_IUP) - bytecode interpreter
+Patch8:		%{name}-CVE-fixes.patch
 URL:		http://freetype.sourceforge.net/freetype1/index.html
 BuildRequires:	autoconf
 BuildRequires:	automake
@@ -127,6 +130,7 @@ Przykładowe aplikacje wykorzystujące freetype:
 %patch -P5 -p1
 %patch -P6 -p1
 %patch -P7 -p1
+%patch -P8 -p1
 
 %build
 install /usr/share/automake/missing .
@@ -135,10 +139,11 @@ install /usr/share/automake/missing .
 sed -e 's@\(AC_OUTPUT.*\) intl/Makefile@\1@' \
 	-e 's at AM_GNU_GETTEXT.*@AM_GNU_GETTEXT([external])@' \
 	-e 's at intl/Makefile@@' \
-        configure.in > configure.in.tmp
+		configure.in > configure.in.tmp
 mv -f configure.in.tmp configure.in
+echo 'cs de es fr nl' > po/LINGUAS
 %{__libtoolize}
-%{__aclocal}
+%{__aclocal} -I %{_datadir}/gettext/m4
 %{__autoconf}
 # Ugly hack to avoid error:
 # configure: error: cannot find required auxiliary files: compile missing
@@ -190,13 +195,13 @@ rm -rf $RPM_BUILD_ROOT
 
 %files -f freetype.lang
 %defattr(644,root,root,755)
-%attr(755,root,root) %{_libdir}/libttf.so.*.*.*
-%attr(755,root,root) %ghost %{_libdir}/libttf.so.2
+%{_libdir}/libttf.so.*.*.*
+%ghost %{_libdir}/libttf.so.2
 
 %files devel
 %defattr(644,root,root,755)
 %doc howto/unix.txt README announce docs/{*.txt,FAQ,TODO,credits}
-%attr(755,root,root) %{_libdir}/libttf.so
+%{_libdir}/libttf.so
 %{_libdir}/libttf.la
 %{_includedir}/*
 
diff --git a/freetype1-CVE-fixes.patch b/freetype1-CVE-fixes.patch
new file mode 100644
index 0000000..f3960bc
--- /dev/null
+++ b/freetype1-CVE-fixes.patch
@@ -0,0 +1,46 @@
+--- freetype-1.3.1.orig/lib/ttinterp.c.orig	2026-03-26 18:00:08.982396963 +0100
++++ freetype-1.3.1/lib/ttinterp.c	2026-03-26 18:00:57.266426563 +0100
+@@ -4144,7 +4144,7 @@
+
+     /* XXX: this is probably wrong... at least it prevents memory */
+     /*      corruption when zp2 is the twilight zone              */
+-    if ( last_point > CUR.zp2.n_points )
++    if ( BOUNDS( last_point, CUR.zp2.n_points ) )
+     {
+       if ( CUR.zp2.n_points > 0 )
+         last_point = CUR.zp2.n_points - 1;
+@@ -4186,10 +4186,21 @@
+     if ( COMPUTE_Point_Displacement( &dx, &dy, &zp, &refp ) )
+       return;
+
+-    if ( CUR.zp2.n_points > 0 )
+-      last_point = CUR.zp2.n_points - 1;
++    if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
++      last_point = (UShort)(CUR.zp2.n_points - 1);
++    else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
++    {
++      last_point = CUR.zp2.contours[CUR.zp2.n_contours - 1];
++
++      if ( BOUNDS( last_point, CUR.zp2.n_points ) )
++      {
++        if ( CUR.pedantic_hinting )
++          CUR.error = TT_Err_Invalid_Reference;
++        return;
++      }
++    }
+     else
+-      last_point = 0;
++      return;
+
+     /* UNDOCUMENTED! SHZ doesn't touch the points */
+     for ( i = 0; i <= last_point; i++ )
+@@ -5027,6 +5038,9 @@
+     do
+     {
+       end_point   = CUR.pts.contours[contour];
++      if ( BOUNDS( end_point, CUR.pts.n_points ) )
++        end_point = (UShort)(CUR.pts.n_points - 1);
++
+       first_point = point;
+
+       while ( point <= end_point && (CUR.pts.touch[point] & mask) == 0 )
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/freetype1.git/commitdiff/7fe9de0eda1610b924dd2cc8a3e57ce71d3f0ae2

