Log message:
Pullup ticket #5439 - requested by sevan
graphics/freetype2: security fix
Revisions pulled up:
- graphics/freetype2/Makefile 1.111
- graphics/freetype2/PLIST 1.24
- graphics/freetype2/distinfo 1.62
- graphics/freetype2/patches/patch-ab 1.19
---
Module Name: pkgsrc
Committed By: spz
Date: Sun May 14 11:02:15 UTC 2017
Modified Files:
pkgsrc/graphics/freetype2: Makefile PLIST distinfo
pkgsrc/graphics/freetype2/patches: patch-ab
Log message:
Update from 2.7.1 to 2.8: 3 API additions, no deletions, no changes
fixes CVE-2017-7857 CVE-2017-7858 CVE-2017-7864 CVE-2017-8105 CVE-2017-8287
Upstream change announcement:
I. IMPORTANT CHANGES
- Support for OpenType Variation Fonts is now complete. The last
missing part was handling the `VVAR' and `MVAR' tables, which is
available with this release.
- A new function `FT_Face_Properties' allows the control of some
module and library properties per font. Currently, the
following properties can be handled: stem darkening, LCD filter
weights, and the random seed for the `random' CFF operator.
- The PCF change to show more `colourful' family names (introduced
in version 2.7.1) was too radical; it can now be configured with
PCF_CONFIG_OPTION_LONG_FAMILY_NAMES at compile time. If
activated, it can be switched off at run time with the new pcf
property `no-long-family-names'. If the `FREETYPE_PROPERTIES'
environment variable is available, you can say
FREETYPE_PROPERTIES=pcf:no-long-family-names=1
- Support for the following scripts has been added to the
auto-hinter.
Adlam, Avestan, Bamum, Buhid, Carian, Chakma, Coptic, Cypriot,
Deseret, Glagolitic, Gothic, Kayah, Lisu, N'Ko, Ol Chiki, Old
Turkic, Osage, Osmanya, Saurashtra, Shavian, Sundanese, Tai
Viet, Tifinagh, Unified Canadian Syllabics, Vai
II. IMPORTANT BUG FIXES
- `Light' auto-hinting mode no longer uses TrueType metrics for
TrueType fonts. This bug was introduced in version 2.4.6,
causing horizontal scaling also. Almost all GNU/Linux
distributions (with Fedora as a notable exception) disabled the
corresponding patch for good reasons; chances are thus high that
you won't notice a difference.
If optical backward compatibility for legacy applications is
necessary, you might enable the AF_CONFIG_OPTION_TT_SIZE_METRICS
configuration option. However, it is strongly recommended to
avoid that, adjusting font sizes instead.
- If a TrueType font gets loaded with FT_LOAD_NO_HINTING, FreeType
now scales the font linearly again (bug introduced in version
2.4.6).
- CVE-2017-8105, CVE-2017-8287: Older FreeType versions have
out-of-bounds writes caused by heap-based buffer overflows
related to Type 1 fonts.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287
III. MISCELLANEOUS
- A new function `FT_Set_Default_Properties' has been added to
parse the `FREETYPE_PROPERTIES' environment variable
(previously, it was internal only). `FT_Init_FreeType' always
call this function, but `FT_New_Library' does not (similar to
`FT_Add_Default_Modules').
- To be in sync with OpenType version 1.7 and newer, macros
FT_PARAM_TAG_IGNORE_PREFERRED_FAMILY,
FT_PARAM_TAG_IGNORE_PREFERRED_SUBFAMILY,
TT_NAME_ID_PREFERRED_FAMILY
TT_NAME_ID_PREFERRED_SUBFAMILY
are renamed to
FT_PARAM_TAG_IGNORE_TYPOGRAPHIC_FAMILY,
FT_PARAM_TAG_IGNORE_TYPOGRAPHIC_SUBFAMILY,
TT_NAME_ID_TYPOGRAPHIC_FAMILY
TT_NAME_ID_TYPOGRAPHIC_SUBFAMILY
The old macro names are deprecated (but still available).
- Support for SFNT `name' tables has been improved.
. Format 1 `name' tables are now supported. Use new function
`FT_Get_Sfnt_LangTag' to access associated language tags.
. Language, encoding, and name IDs have been updated to OpenType
version 1.8.1.
- The new CFF engine now handles the `random' operator. All CFF
opcodes are now supported.
- The CFF module has a new property `random-seed' to control the
pseudo-random number generation for the `random' operator.
- The `freetype-config' script is now a wrapper of `pkg-config' if
this program is available in the path.
- FT_LOAD_TARGET_LCD is now a variant of FT_LOAD_TARGET_LIGHT;
this should provide better rendering results.
- A mode to display light auto-hinting with sub-pixel positioning
has been added to `ftdiff'.
|