!14 [sync] PR-11: Fix CVE-2019-19308

From: @openeuler-sync-bot 
Reviewed-by: @orange-snn 
Signed-off-by: @orange-snn

CVE-2019-19308-pre.patch

@@ -0,0 +1,110 @@
+From cbe443a8db3b7f09b2653d588c2ddd76d47fa496 Mon Sep 17 00:00:00 2001
+From: Cosimo Cecchi <cosimoc@gnome.org>
+Date: Sun, 1 Dec 2019 14:07:30 -0800
+Subject: [PATCH] Move utility to get font name to sushi-font-loader
+
+We'll use this from sushi-font-widget as well.
+---
+ src/font-model.c        |  3 ++-
+ src/font-utils.c        | 11 +----------
+ src/font-utils.h        |  1 -
+ src/sushi-font-loader.c | 14 ++++++++++++++
+ src/sushi-font-loader.h |  3 +++
+ 5 files changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/src/font-model.c b/src/font-model.c
+index 658cba8..e66c401 100644
+--- a/src/font-model.c
++++ b/src/font-model.c
+@@ -33,6 +33,7 @@
+ 
+ #include "font-model.h"
+ #include "font-utils.h"
++#include "sushi-font-loader.h"
+ 
+ struct _FontViewModel
+ {
+@@ -137,7 +138,7 @@ font_view_model_has_face (FontViewModel *self,
+     g_autofree gchar *match_name = NULL;
+ 
+     n_items = g_list_model_get_n_items (G_LIST_MODEL (self->model));
+-    match_name = font_utils_get_font_name (face);
++    match_name = sushi_get_font_name (face, TRUE);
+ 
+     for (idx = 0; idx < n_items; idx++) {
+         FontViewModelItem *item = g_list_model_get_item (G_LIST_MODEL (self->model), idx);
+diff --git a/src/font-utils.c b/src/font-utils.c
+index 5a75fb3..6a41d26 100644
+--- a/src/font-utils.c
++++ b/src/font-utils.c
+@@ -22,15 +22,6 @@
+ 
+ #include "sushi-font-loader.h"
+ 
+-gchar *
+-font_utils_get_font_name (FT_Face face)
+-{
+-    if (g_strcmp0 (face->style_name, "Regular") == 0)
+-        return g_strdup (face->family_name);
+-
+-    return g_strconcat (face->family_name, ", ", face->style_name, NULL);
+-}
+-
+ gchar *
+ font_utils_get_font_name_for_file (FT_Library library,
+                                    GFile *file,
+@@ -49,7 +40,7 @@ font_utils_get_font_name_for_file (FT_Library library,
+         return NULL;
+     }
+ 
+-    name = font_utils_get_font_name (face);
++    name = sushi_get_font_name (face, TRUE);
+     FT_Done_Face (face);
+ 
+     return name;
+diff --git a/src/font-utils.h b/src/font-utils.h
+index 6f73bb4..1787bbb 100644
+--- a/src/font-utils.h
++++ b/src/font-utils.h
+@@ -25,7 +25,6 @@
+ #include FT_FREETYPE_H
+ #include <gio/gio.h>
+ 
+-gchar * font_utils_get_font_name (FT_Face face);
+ gchar * font_utils_get_font_name_for_file (FT_Library library,
+                                            GFile *file,
+                                            gint face_index);
+diff --git a/src/sushi-font-loader.c b/src/sushi-font-loader.c
+index f7cf1de..e7da560 100644
+--- a/src/sushi-font-loader.c
++++ b/src/sushi-font-loader.c
+@@ -172,3 +172,17 @@ sushi_new_ft_face_from_uri_finish (GAsyncResult *result,
+ 
+   return create_face_from_contents (job, contents, error);
+ }
++
++/**
++ * sushi_get_font_name: (skip)
++ *
++ */
++gchar *
++sushi_get_font_name (FT_Face face,
++                     gboolean short_form)
++{
++  if (short_form && g_strcmp0 (face->style_name, "Regular") == 0)
++    return g_strdup (face->family_name);
++
++  return g_strconcat (face->family_name, ", ", face->style_name, NULL);
++}
+diff --git a/src/sushi-font-loader.h b/src/sushi-font-loader.h
+index 82aab03..b078e4a 100644
+--- a/src/sushi-font-loader.h
++++ b/src/sushi-font-loader.h
+@@ -46,4 +46,7 @@ FT_Face sushi_new_ft_face_from_uri_finish (GAsyncResult *result,
+                                            gchar **contents,
+                                            GError **error);
+ 
++gchar * sushi_get_font_name (FT_Face face,
++                             gboolean short_form);
++
+ #endif /* __SUSHI_FONT_LOADER_H__ */

CVE-2019-19308.patch

@@ -0,0 +1,71 @@
+From 9661683379806e2bad6a52ce6dde776a33f4f981 Mon Sep 17 00:00:00 2001
+From: Cosimo Cecchi <cosimoc@gnome.org>
+Date: Sun, 1 Dec 2019 15:22:25 -0800
+Subject: [PATCH] Fallback to basename when no family name (CVE-2019-19308)
+
+Instead of possibly returning an empty string, which will cause
+issues later on.
+
+We store the GFile that was loaded to create the FT_Face into its
+generic client data structure, and load the basename from it when
+we don't have a family name.
+
+https://gitlab.gnome.org/GNOME/gnome-font-viewer/issues/17
+---
+ src/sushi-font-loader.c | 30 +++++++++++++++++++++++++++---
+ 1 file changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/src/sushi-font-loader.c b/src/sushi-font-loader.c
+index e7da560..df28c1a 100644
+--- a/src/sushi-font-loader.c
++++ b/src/sushi-font-loader.c
+@@ -67,6 +67,13 @@ font_load_job_free (FontLoadJob *job)
+ 
+ G_DEFINE_AUTOPTR_CLEANUP_FUNC (FontLoadJob, font_load_job_free)
+ 
++static void
++face_data_finalizer (void *object)
++{
++  FT_Face face = object;
++  g_clear_object (&face->generic.data);
++}
++
+ static FT_Face
+ create_face_from_contents (FontLoadJob *job,
+                            gchar **contents,
+@@ -88,6 +95,9 @@ create_face_from_contents (FontLoadJob *job,
+     return NULL;
+   }
+ 
++  retval->generic.data = g_object_ref (job->file);
++  retval->generic.finalizer = face_data_finalizer;
++
+   *contents = g_steal_pointer (&job->face_contents);
+   return retval;
+ }
+@@ -181,8 +191,22 @@ gchar *
+ sushi_get_font_name (FT_Face face,
+                      gboolean short_form)
+ {
+-  if (short_form && g_strcmp0 (face->style_name, "Regular") == 0)
+-    return g_strdup (face->family_name);
++  const char *style_name = face->style_name;
++  const char *family_name = face->family_name;
++
++  if (family_name == NULL) {
++    /* Try to get the basename of the file this was loaded from */
++    GFile *file = face->generic.data;
++    if (G_IS_FILE (file))
++      return g_file_get_basename (file);
++
++    /* Use an empty string as the last fallback */
++    return g_strdup ("");
++  }
++
++  if (style_name == NULL ||
++      (short_form && g_strcmp0 (style_name, "Regular") == 0))
++    return g_strdup (family_name);
+ 
+-  return g_strconcat (face->family_name, ", ", face->style_name, NULL);
++  return g_strconcat (family_name, ", ", style_name, NULL);
+ }

gnome-font-viewer.spec

@@ -0,0 +1,56 @@
+Name:             gnome-font-viewer
+Version:          3.34.0
+Release:          2
+Summary:          Utility for previewing fonts for GNOME
+License:          GPLv2+
+URL:              http://www.gnome.org/gnome-3/
+Source0:          http://ftp.gnome.org/pub/GNOME/sources/gnome-font-viewer/3.34/gnome-font-viewer-%{version}.tar.xz
+Patch0:           CVE-2019-19308-pre.patch
+Patch1:           CVE-2019-19308.patch
+BuildRequires:    meson >= 0.40.1 pkgconfig(glib-2.0) >= 2.35.1 pkgconfig(gtk+-3.0) >= 3.20.0 pkgconfig(harfbuzz) >= 0.9.9
+BuildRequires:    pkgconfig(fontconfig) pkgconfig(freetype2) pkgconfig(gnome-desktop-3.0) gettext desktop-file-utils
+BuildRequires:    libappstream-glib
+BuildRequires:    gcc gcc-c++
+
+%description
+The Font Viewer application has been rewritten to match the new design used for
+GNOME 3 applications.It can now show an overview of all installed fonts and
+optimizes screen space usage when the application is maximized.
+
+%prep
+%autosetup -p1
+
+%build
+%meson
+%meson_build
+
+%install
+%meson_install
+%find_lang gnome-font-viewer --with-gnome
+
+%check
+desktop-file-validate %{buildroot}%{_datadir}/applications/org.gnome.font-viewer.desktop
+appstream-util validate-relax --nonet %{buildroot}%{_datadir}/metainfo/org.gnome.font-viewer.appdata.xml
+
+
+%files -f gnome-font-viewer.lang
+%doc NEWS COPYING
+%{_bindir}/gnome-*
+%{_datadir}/applications/org.gnome.font-viewer.desktop
+%{_datadir}/dbus-1/services/org.gnome.font-viewer.service
+%{_datadir}/icons/hicolor/*/apps/org.gnome.font-viewer*.svg
+%{_datadir}/metainfo/org.gnome.font-viewer.appdata.xml
+%{_datadir}/thumbnailers/gnome-font-viewer.thumbnailer
+
+%changelog
+* Fri Feb 25 2022 yaoxin <yaoxin30@huawei.com> - 3.34.0-2
+- Fix CVE-2019-19308
+
+* Thu Jun 17 2021 weijin deng <weijin.deng@turbolinux.com.cn> - 3.34.0-1
+- Upgrade to 3.34.0
+
+* Tue May 18 2021 lin.zhang <lin.zhang@turbolinux.com.cn> - 3.30.0-3
+- add BuildRequires gcc gcc-c++
+
+* Wed Dec 11 2019 likexin <likexin4@huawei.com@huawei.com> - 3.30.0-2
+- package init

gnome-font-viewer.yaml

@@ -0,0 +1,4 @@
+version_control: gitlab.gnome
+src_repo: gnome-font-viewer
+tag_perfix: ^
+seperator: .