Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2224491/?format=api
{ "id": 2224491, "url": "http://patchwork.ozlabs.org/api/patches/2224491/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260417131129.220250-1-thomas.perale@mind.be/", "project": { "id": 27, "url": "http://patchwork.ozlabs.org/api/projects/27/?format=api", "name": "Buildroot development", "link_name": "buildroot", "list_id": "buildroot.buildroot.org", "list_email": "buildroot@buildroot.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260417131129.220250-1-thomas.perale@mind.be>", "list_archive_url": null, "date": "2026-04-17T13:11:29", "name": "[2025.02.x] package/freetype: patch CVE-2026-23865", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "ba5b4141b457fd1e39d1898c4da397afb9fd4435", "submitter": { "id": 87308, "url": "http://patchwork.ozlabs.org/api/people/87308/?format=api", "name": "Thomas Perale", "email": "thomas.perale@mind.be" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260417131129.220250-1-thomas.perale@mind.be/mbox/", "series": [ { "id": 500334, "url": "http://patchwork.ozlabs.org/api/series/500334/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=500334", "date": "2026-04-17T13:11:29", "name": "[2025.02.x] package/freetype: patch CVE-2026-23865", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/500334/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2224491/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2224491/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<buildroot-bounces@buildroot.org>", "X-Original-To": [ "incoming-buildroot@patchwork.ozlabs.org", "buildroot@buildroot.org" ], "Delivered-To": [ "patchwork-incoming-buildroot@legolas.ozlabs.org", "buildroot@buildroot.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=nUbDnIle;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)" ], "Received": [ "from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxwJC2x8Mz1yD3\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Fri, 17 Apr 2026 23:11:39 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 985B960DDB;\n\tFri, 17 Apr 2026 13:11:37 +0000 (UTC)", "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id oCi8yvKJQ7lh; Fri, 17 Apr 2026 13:11:36 +0000 (UTC)", "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 7CD0260DD6;\n\tFri, 17 Apr 2026 13:11:36 +0000 (UTC)", "from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n by lists1.osuosl.org (Postfix) with ESMTP id 29BD8270\n for <buildroot@buildroot.org>; Fri, 17 Apr 2026 13:11:35 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 1B67760DD6\n for <buildroot@buildroot.org>; Fri, 17 Apr 2026 13:11:35 +0000 (UTC)", "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id aGumBlkzdObm for <buildroot@buildroot.org>;\n Fri, 17 Apr 2026 13:11:34 +0000 (UTC)", "from mail-wm1-x336.google.com (mail-wm1-x336.google.com\n [IPv6:2a00:1450:4864:20::336])\n by smtp3.osuosl.org (Postfix) with ESMTPS id 0BB4060DD5\n for <buildroot@buildroot.org>; Fri, 17 Apr 2026 13:11:33 +0000 (UTC)", "by mail-wm1-x336.google.com with SMTP id\n 5b1f17b1804b1-488af96f6b2so9109795e9.0\n for <buildroot@buildroot.org>; Fri, 17 Apr 2026 06:11:33 -0700 (PDT)", "from arch ([79.132.232.220]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-488fc189f2esm72157675e9.7.2026.04.17.06.11.30\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 17 Apr 2026 06:11:30 -0700 (PDT)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 7CD0260DD6", "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 0BB4060DD5" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776431496;\n\tbh=K69LuQOixCuGscSt+DwcIdBc7LDfvjZ67oOLbLO2Sl0=;\n\th=To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From:Reply-To:From;\n\tb=nUbDnIlefQyqHryKJaXTNFTWl27R6dXQqOlnfEs9tmrn8PO90Wdh8MLYGRsFMT3pi\n\t +hKu/sFoxRbht31uDotYjj/y8gKpfz81LzXAj326QEW/MBcvBLo3r816xUGqOIQ89O\n\t PSEULtuKmlH5QFoXtMpiW2LLcqkrzHjr1Jd9pWgD+MkSd+34QazfV8MsmFf03P/HkY\n\t lHPrDl5FDF1IgZnfSX6F6LHlB0EO2eBE+pl+kM9cE7eIN3khvDfbXin6F09t6Tuy7h\n\t NWZMOV0UpShfzfJzWvWfuxb6PLo5LbwksT602QKQTi3wiK8g9CjUCdm9N920dKbC50\n\t WE2kqUrTVYxbA==", "Received-SPF": "Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::336; helo=mail-wm1-x336.google.com;\n envelope-from=thomas.perale@essensium.com; receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp3.osuosl.org 0BB4060DD5", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776431491; x=1777036291;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=dFTmFHhAHorjSlx3iB6tBf6HF3NnHSl8uxx/DxAKDDo=;\n b=Uxk4G+cFKriX/mvN09UrV0Lj0EVHGZCmKAZMzNLIp6BjjvL/YhK/7dJ3j/YwhWb3Yp\n R0dZSKZyJUh+jZ8hhAtmNCn53tmEPDSeeDV8cUpeTmWUep0j0swABEJRTP0MyL/6EjPy\n b3M6LMLxMia4IVpjX57CSJaCKpTSdEksi8OVy9eUGhYLCd2En/z018Dlfjd8xuahiHwp\n PyRqw4sMhtA/ZFfy88KMZqKZD0DFfSz4oLsM3gBstQk3jdyq5nFvcLx7Zkndw7LqkWGC\n IoTWqh6ooUuQ8u7XOC/fe95uMnpufWMYfFB5giNxn/QVFmFs32dtac2CRrOxobQsucEm\n R0NA==", "X-Gm-Message-State": "AOJu0YzphPJe9ssMy/QIMfnYn+M/J90i33J+gw223YvNmePEaJupnpkm\n IiOH6AHXGUerUVE5VEGmgi7Mu896Fy0lGg9cYcLeFGZeWfEjm+2Bya7nEIQtts2awQFVWNZkODM\n R5aD5", "X-Gm-Gg": "AeBDietwhrxJVEYqR61+QdVQLGimr0wmDdVrpqYQ7S6ZMZxCCS1wQkN3b85Ps0rrUyJ\n lFO01dwBWulGkmCrkPGOLqvo07ZgdnpsvD4B4MUpySUY50hJuRulat3gyKJfWG/Uo09RwrxTD3t\n sNN/G/1QlrezktNLaN/d5bMSfKbIvMTzSQ/CZLw+b8pP5wHuBsETUs9cDlY/VZzMaIAmkbJenPZ\n R1iiVI5Cz9lVZrfJreHGYiMycrR5ZJb9Wj97nv04sWx8awDlH3fm753sN8qNnMsW4+aoMB3OZyF\n XnquhnUSuO5BX3gU2GFdhHKu2n964VVqHRCe2yLHZpqPZfPK+vL/QRtHJly6isIkCgZst86cc8n\n ou6GUsVnkhABmQXm0LbSTCY3EL7r/bdVHJBRahJm+0F1Id+dcHaFIy5hyfoXx8Nnr8d+hNXvXpw\n mBhTt2H8dCiEI2dy39POgyR1NrxqM=", "X-Received": "by 2002:a05:600d:8408:b0:486:ff92:63e5 with SMTP id\n 5b1f17b1804b1-488fb73dc6fmr33174965e9.6.1776431491153;\n Fri, 17 Apr 2026 06:11:31 -0700 (PDT)", "To": "buildroot@buildroot.org", "Cc": "Bernd Kuhls <bernd@kuhls.net>", "Date": "Fri, 17 Apr 2026 15:11:29 +0200", "Message-ID": "<20260417131129.220250-1-thomas.perale@mind.be>", "X-Mailer": "git-send-email 2.53.0", "MIME-Version": "1.0", "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1776431491; x=1777036291; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=dFTmFHhAHorjSlx3iB6tBf6HF3NnHSl8uxx/DxAKDDo=;\n b=UpW89zH74zSnlQ/MK9FUWJPTdvCPs6SddZjDDf6o3fOpu6L2MQyy6BHZ02hw/U6U7K\n mZIX5LVYoyTbBXyh3+v2bsiUQ8udAuKvKpQFNaOGM4f+BZfTnAykgVegACd1yhxI8K6u\n sZbz2OK4SJWqhrZ1T1XTaXBObrvoV3D7719tS58KEHYY9xpaVuDruMP72P4WaMdySe+7\n XyPHDn6h7Y24x5HhOAmMs1J6zameqxPIFgx2cTZv3MESpTkNOENr1saMC1sfKjRn5P76\n zTd1/T1CcyJqz9k8hJ6dgOKob6yeZ7Hhf1eGON+k5nK2G/Ux8sRkaiY3nqN7V7Di/WCf\n 024w==", "X-Mailman-Original-Authentication-Results": [ "smtp3.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be", "smtp3.osuosl.org;\n dkim=pass (2048-bit key) header.d=mind.be header.i=@mind.be\n header.a=rsa-sha256 header.s=google header.b=UpW89zH7" ], "Subject": "[Buildroot] [PATCH 2025.02.x] package/freetype: patch CVE-2026-23865", "X-BeenThere": "buildroot@buildroot.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>", "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>", "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>", "List-Post": "<mailto:buildroot@buildroot.org>", "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>", "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>", "From": "Thomas Perale via buildroot <buildroot@buildroot.org>", "Reply-To": "Thomas Perale <thomas.perale@mind.be>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "buildroot-bounces@buildroot.org", "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>" }, "content": "Fixes the following security vulnerability:\n\n- CVE-2026-23865:\n An integer overflow in the tt_var_load_item_variation_store function\n of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an\n out of bounds read operation when parsing HVAR/VVAR/MVAR tables in\n OpenType variable fonts. This issue is fixed in version 2.14.2.\n\nFor more information, see\n - https://www.cve.org/CVERecord?id=CVE-2026-23865\n - https://gitlab.freedesktop.org/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c.patch\n\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>\n---\n ...r-overflow-in-array-size-computation.patch | 54 +++++++++++++++++++\n package/freetype/freetype.mk | 3 ++\n 2 files changed, 57 insertions(+)\n create mode 100644 package/freetype/0001-Check-for-overflow-in-array-size-computation.patch", "diff": "diff --git a/package/freetype/0001-Check-for-overflow-in-array-size-computation.patch b/package/freetype/0001-Check-for-overflow-in-array-size-computation.patch\nnew file mode 100644\nindex 0000000000..6951880854\n--- /dev/null\n+++ b/package/freetype/0001-Check-for-overflow-in-array-size-computation.patch\n@@ -0,0 +1,54 @@\n+From fc85a255849229c024c8e65f536fe1875d84841c Mon Sep 17 00:00:00 2001\n+From: Werner Lemberg <wl@gnu.org>\n+Date: Sat, 3 Jan 2026 08:07:57 +0100\n+Subject: [PATCH] [ttgxvar] Check for overflow in array size computation.\n+\n+Problem reported and analyzed by povcfe <povcfe2sec@gmail.com>.\n+\n+Fixes issue #1382.\n+\n+* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Do it.\n+\n+CVE: CVE-2026-23865\n+Upstream: https://gitlab.freedesktop.org/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c.patch\n+Signed-off-by: Thomas Perale <thomas.perale@mind.be>\n+---\n+ src/truetype/ttgxvar.c | 15 ++++++++++++++-\n+ 1 file changed, 14 insertions(+), 1 deletion(-)\n+\n+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c\n+index 2ff40c9e8..96ddc04c8 100644\n+--- a/src/truetype/ttgxvar.c\n++++ b/src/truetype/ttgxvar.c\n+@@ -609,6 +609,7 @@\n+ FT_UShort word_delta_count;\n+ FT_UInt region_idx_count;\n+ FT_UInt per_region_size;\n++ FT_UInt delta_set_size;\n+ \n+ \n+ if ( FT_STREAM_SEEK( offset + dataOffsetArray[i] ) )\n+@@ -666,7 +667,19 @@\n+ if ( long_words )\n+ per_region_size *= 2;\n+ \n+- if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) )\n++ /* Check for overflow (we actually test whether the */\n++ /* multiplication of two unsigned values wraps around). */\n++ delta_set_size = per_region_size * item_count;\n++ if ( per_region_size &&\n++ delta_set_size / per_region_size != item_count )\n++ {\n++ FT_TRACE2(( \"tt_var_load_item_variation_store:\"\n++ \" bad delta set array size\\n\" ));\n++ error = FT_THROW( Array_Too_Large );\n++ goto Exit;\n++ }\n++\n++ if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) )\n+ goto Exit;\n+ if ( FT_Stream_Read( stream,\n+ varData->deltaSet,\n+-- \n+GitLab\n+\ndiff --git a/package/freetype/freetype.mk b/package/freetype/freetype.mk\nindex ad8cd00ec8..51b0471d4f 100644\n--- a/package/freetype/freetype.mk\n+++ b/package/freetype/freetype.mk\n@@ -15,6 +15,9 @@ FREETYPE_CPE_ID_VENDOR = freetype\n FREETYPE_DEPENDENCIES = host-pkgconf\n FREETYPE_CONFIG_SCRIPTS = freetype-config\n \n+# 0001-Check-for-overflow-in-array-size-computation.patch\n+FREETYPE_IGNORE_CVES += CVE-2026-23865\n+\n # harfbuzz already depends on freetype so disable harfbuzz in freetype to avoid\n # a circular dependency\n FREETYPE_CONF_OPTS = --without-harfbuzz\n", "prefixes": [ "2025.02.x" ] }