packages/gnome-font-viewer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!14 [sync] PR-11: Fix CVE-2019-19308

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @orange-snn 
Signed-off-by: @orange-snn
This commit is contained in:
openeuler-ci-bot 2022-02-25 09:04:26 +00:00 committed by Gitee
commit 98e2544314
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 187 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
CVE-2019-19308-pre.patch Normal file
View File

@ -0,0 +1,110 @@
From cbe443a8db3b7f09b2653d588c2ddd76d47fa496 Mon Sep 17 00:00:00 2001
From: Cosimo Cecchi <cosimoc@gnome.org>
Date: Sun, 1 Dec 2019 14:07:30 -0800
Subject: [PATCH] Move utility to get font name to sushi-font-loader
We'll use this from sushi-font-widget as well.
---
src/font-model.c | 3 ++-
src/font-utils.c | 11 +----------
src/font-utils.h | 1 -
src/sushi-font-loader.c | 14 ++++++++++++++
src/sushi-font-loader.h | 3 +++
5 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/src/font-model.c b/src/font-model.c
index 658cba8..e66c401 100644
--- a/src/font-model.c
+++ b/src/font-model.c
@@ -33,6 +33,7 @@
#include "font-model.h"
#include "font-utils.h"
+#include "sushi-font-loader.h"
struct _FontViewModel
{
@@ -137,7 +138,7 @@ font_view_model_has_face (FontViewModel *self,
g_autofree gchar *match_name = NULL;
n_items = g_list_model_get_n_items (G_LIST_MODEL (self->model));
- match_name = font_utils_get_font_name (face);
+ match_name = sushi_get_font_name (face, TRUE);
for (idx = 0; idx < n_items; idx++) {
FontViewModelItem *item = g_list_model_get_item (G_LIST_MODEL (self->model), idx);
diff --git a/src/font-utils.c b/src/font-utils.c
index 5a75fb3..6a41d26 100644
--- a/src/font-utils.c
+++ b/src/font-utils.c
@@ -22,15 +22,6 @@
#include "sushi-font-loader.h"
-gchar *
-font_utils_get_font_name (FT_Face face)
-{
- if (g_strcmp0 (face->style_name, "Regular") == 0)
- return g_strdup (face->family_name);
-
- return g_strconcat (face->family_name, ", ", face->style_name, NULL);
-}
-
gchar *
font_utils_get_font_name_for_file (FT_Library library,
GFile *file,
@@ -49,7 +40,7 @@ font_utils_get_font_name_for_file (FT_Library library,
return NULL;
}
- name = font_utils_get_font_name (face);
+ name = sushi_get_font_name (face, TRUE);
FT_Done_Face (face);
return name;
diff --git a/src/font-utils.h b/src/font-utils.h
index 6f73bb4..1787bbb 100644
--- a/src/font-utils.h
+++ b/src/font-utils.h
@@ -25,7 +25,6 @@
#include FT_FREETYPE_H
#include <gio/gio.h>
-gchar * font_utils_get_font_name (FT_Face face);
gchar * font_utils_get_font_name_for_file (FT_Library library,
GFile *file,
gint face_index);
diff --git a/src/sushi-font-loader.c b/src/sushi-font-loader.c
index f7cf1de..e7da560 100644
--- a/src/sushi-font-loader.c
+++ b/src/sushi-font-loader.c
@@ -172,3 +172,17 @@ sushi_new_ft_face_from_uri_finish (GAsyncResult *result,
return create_face_from_contents (job, contents, error);
}
+
+/**
+ * sushi_get_font_name: (skip)
+ *
+ */
+gchar *
+sushi_get_font_name (FT_Face face,
+ gboolean short_form)
+{
+ if (short_form && g_strcmp0 (face->style_name, "Regular") == 0)
+ return g_strdup (face->family_name);
+
+ return g_strconcat (face->family_name, ", ", face->style_name, NULL);
+}
diff --git a/src/sushi-font-loader.h b/src/sushi-font-loader.h
index 82aab03..b078e4a 100644
--- a/src/sushi-font-loader.h
+++ b/src/sushi-font-loader.h
@@ -46,4 +46,7 @@ FT_Face sushi_new_ft_face_from_uri_finish (GAsyncResult *result,
gchar **contents,
GError **error);
+gchar * sushi_get_font_name (FT_Face face,
+ gboolean short_form);
+
#endif /* __SUSHI_FONT_LOADER_H__ */

71
CVE-2019-19308.patch Normal file
View File

@ -0,0 +1,71 @@
From 9661683379806e2bad6a52ce6dde776a33f4f981 Mon Sep 17 00:00:00 2001
From: Cosimo Cecchi <cosimoc@gnome.org>
Date: Sun, 1 Dec 2019 15:22:25 -0800
Subject: [PATCH] Fallback to basename when no family name (CVE-2019-19308)
Instead of possibly returning an empty string, which will cause
issues later on.
We store the GFile that was loaded to create the FT_Face into its
generic client data structure, and load the basename from it when
we don't have a family name.
https://gitlab.gnome.org/GNOME/gnome-font-viewer/issues/17
---
src/sushi-font-loader.c | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/src/sushi-font-loader.c b/src/sushi-font-loader.c
index e7da560..df28c1a 100644
--- a/src/sushi-font-loader.c
+++ b/src/sushi-font-loader.c
@@ -67,6 +67,13 @@ font_load_job_free (FontLoadJob *job)
G_DEFINE_AUTOPTR_CLEANUP_FUNC (FontLoadJob, font_load_job_free)
+static void
+face_data_finalizer (void *object)
+{
+ FT_Face face = object;
+ g_clear_object (&face->generic.data);
+}
+
static FT_Face
create_face_from_contents (FontLoadJob *job,
gchar **contents,
@@ -88,6 +95,9 @@ create_face_from_contents (FontLoadJob *job,
return NULL;
}
+ retval->generic.data = g_object_ref (job->file);
+ retval->generic.finalizer = face_data_finalizer;
+
*contents = g_steal_pointer (&job->face_contents);
return retval;
}
@@ -181,8 +191,22 @@ gchar *
sushi_get_font_name (FT_Face face,
gboolean short_form)
{
- if (short_form && g_strcmp0 (face->style_name, "Regular") == 0)
- return g_strdup (face->family_name);
+ const char *style_name = face->style_name;
+ const char *family_name = face->family_name;
+
+ if (family_name == NULL) {
+ /* Try to get the basename of the file this was loaded from */
+ GFile *file = face->generic.data;
+ if (G_IS_FILE (file))
+ return g_file_get_basename (file);
+
+ /* Use an empty string as the last fallback */
+ return g_strdup ("");
+ }
+
+ if (style_name == NULL ||
+ (short_form && g_strcmp0 (style_name, "Regular") == 0))
+ return g_strdup (family_name);
- return g_strconcat (face->family_name, ", ", face->style_name, NULL);
+ return g_strconcat (family_name, ", ", style_name, NULL);
}

7
gnome-font-viewer.spec
View File

@ -1,10 +1,12 @@
Name: gnome-font-viewer Name: gnome-font-viewer
Version: 3.34.0 Version: 3.34.0
Release: 1 Release: 2
Summary: Utility for previewing fonts for GNOME Summary: Utility for previewing fonts for GNOME
License: GPLv2+ License: GPLv2+
URL: http://www.gnome.org/gnome-3/ URL: http://www.gnome.org/gnome-3/
Source0: http://ftp.gnome.org/pub/GNOME/sources/gnome-font-viewer/3.34/gnome-font-viewer-%{version}.tar.xz Source0: http://ftp.gnome.org/pub/GNOME/sources/gnome-font-viewer/3.34/gnome-font-viewer-%{version}.tar.xz
Patch0: CVE-2019-19308-pre.patch
Patch1: CVE-2019-19308.patch
BuildRequires: meson >= 0.40.1 pkgconfig(glib-2.0) >= 2.35.1 pkgconfig(gtk+-3.0) >= 3.20.0 pkgconfig(harfbuzz) >= 0.9.9 BuildRequires: meson >= 0.40.1 pkgconfig(glib-2.0) >= 2.35.1 pkgconfig(gtk+-3.0) >= 3.20.0 pkgconfig(harfbuzz) >= 0.9.9
BuildRequires: pkgconfig(fontconfig) pkgconfig(freetype2) pkgconfig(gnome-desktop-3.0) gettext desktop-file-utils BuildRequires: pkgconfig(fontconfig) pkgconfig(freetype2) pkgconfig(gnome-desktop-3.0) gettext desktop-file-utils
BuildRequires: libappstream-glib BuildRequires: libappstream-glib
@ -41,6 +43,9 @@ appstream-util validate-relax --nonet %{buildroot}%{_datadir}/metainfo/org.gnome
%{_datadir}/thumbnailers/gnome-font-viewer.thumbnailer %{_datadir}/thumbnailers/gnome-font-viewer.thumbnailer
%changelog %changelog
* Fri Feb 25 2022 yaoxin <yaoxin30@huawei.com> - 3.34.0-2
- Fix CVE-2019-19308
* Thu Jun 17 2021 weijin deng <weijin.deng@turbolinux.com.cn> - 3.34.0-1 * Thu Jun 17 2021 weijin deng <weijin.deng@turbolinux.com.cn> - 3.34.0-1
- Upgrade to 3.34.0 - Upgrade to 3.34.0