{"id":2224491,"url":"http://patchwork.ozlabs.org/api/patches/2224491/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/patch/20260417131129.220250-1-thomas.perale@mind.be/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260417131129.220250-1-thomas.perale@mind.be>","list_archive_url":null,"date":"2026-04-17T13:11:29","name":"[2025.02.x] package/freetype: patch CVE-2026-23865","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"ba5b4141b457fd1e39d1898c4da397afb9fd4435","submitter":{"id":87308,"url":"http://patchwork.ozlabs.org/api/people/87308/?format=json","name":"Thomas Perale","email":"thomas.perale@mind.be"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260417131129.220250-1-thomas.perale@mind.be/mbox/","series":[{"id":500334,"url":"http://patchwork.ozlabs.org/api/series/500334/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=500334","date":"2026-04-17T13:11:29","name":"[2025.02.x] package/freetype: patch CVE-2026-23865","version":1,"mbox":"http://patchwork.ozlabs.org/series/500334/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2224491/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2224491/checks/","tags":{},"related":[],"headers":{"Return-Path":"","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=nUbDnIle;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxwJC2x8Mz1yD3\n\tfor ;\n Fri, 17 Apr 2026 23:11:39 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 985B960DDB;\n\tFri, 17 Apr 2026 13:11:37 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id oCi8yvKJQ7lh; Fri, 17 Apr 2026 13:11:36 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 7CD0260DD6;\n\tFri, 17 Apr 2026 13:11:36 +0000 (UTC)","from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n by lists1.osuosl.org (Postfix) with ESMTP id 29BD8270\n for ; Fri, 17 Apr 2026 13:11:35 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 1B67760DD6\n for ; Fri, 17 Apr 2026 13:11:35 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id aGumBlkzdObm for ;\n Fri, 17 Apr 2026 13:11:34 +0000 (UTC)","from mail-wm1-x336.google.com (mail-wm1-x336.google.com\n [IPv6:2a00:1450:4864:20::336])\n by smtp3.osuosl.org (Postfix) with ESMTPS id 0BB4060DD5\n for ; Fri, 17 Apr 2026 13:11:33 +0000 (UTC)","by mail-wm1-x336.google.com with SMTP id\n 5b1f17b1804b1-488af96f6b2so9109795e9.0\n for ; Fri, 17 Apr 2026 06:11:33 -0700 (PDT)","from arch ([79.132.232.220]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-488fc189f2esm72157675e9.7.2026.04.17.06.11.30\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 17 Apr 2026 06:11:30 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org 7CD0260DD6","OpenDKIM Filter v2.11.0 smtp3.osuosl.org 0BB4060DD5"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776431496;\n\tbh=K69LuQOixCuGscSt+DwcIdBc7LDfvjZ67oOLbLO2Sl0=;\n\th=To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From:Reply-To:From;\n\tb=nUbDnIlefQyqHryKJaXTNFTWl27R6dXQqOlnfEs9tmrn8PO90Wdh8MLYGRsFMT3pi\n\t +hKu/sFoxRbht31uDotYjj/y8gKpfz81LzXAj326QEW/MBcvBLo3r816xUGqOIQ89O\n\t PSEULtuKmlH5QFoXtMpiW2LLcqkrzHjr1Jd9pWgD+MkSd+34QazfV8MsmFf03P/HkY\n\t lHPrDl5FDF1IgZnfSX6F6LHlB0EO2eBE+pl+kM9cE7eIN3khvDfbXin6F09t6Tuy7h\n\t NWZMOV0UpShfzfJzWvWfuxb6PLo5LbwksT602QKQTi3wiK8g9CjUCdm9N920dKbC50\n\t WE2kqUrTVYxbA==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::336; helo=mail-wm1-x336.google.com;\n envelope-from=thomas.perale@essensium.com; receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp3.osuosl.org 0BB4060DD5","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776431491; x=1777036291;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=dFTmFHhAHorjSlx3iB6tBf6HF3NnHSl8uxx/DxAKDDo=;\n b=Uxk4G+cFKriX/mvN09UrV0Lj0EVHGZCmKAZMzNLIp6BjjvL/YhK/7dJ3j/YwhWb3Yp\n R0dZSKZyJUh+jZ8hhAtmNCn53tmEPDSeeDV8cUpeTmWUep0j0swABEJRTP0MyL/6EjPy\n b3M6LMLxMia4IVpjX57CSJaCKpTSdEksi8OVy9eUGhYLCd2En/z018Dlfjd8xuahiHwp\n PyRqw4sMhtA/ZFfy88KMZqKZD0DFfSz4oLsM3gBstQk3jdyq5nFvcLx7Zkndw7LqkWGC\n IoTWqh6ooUuQ8u7XOC/fe95uMnpufWMYfFB5giNxn/QVFmFs32dtac2CRrOxobQsucEm\n R0NA==","X-Gm-Message-State":"AOJu0YzphPJe9ssMy/QIMfnYn+M/J90i33J+gw223YvNmePEaJupnpkm\n IiOH6AHXGUerUVE5VEGmgi7Mu896Fy0lGg9cYcLeFGZeWfEjm+2Bya7nEIQtts2awQFVWNZkODM\n R5aD5","X-Gm-Gg":"AeBDietwhrxJVEYqR61+QdVQLGimr0wmDdVrpqYQ7S6ZMZxCCS1wQkN3b85Ps0rrUyJ\n lFO01dwBWulGkmCrkPGOLqvo07ZgdnpsvD4B4MUpySUY50hJuRulat3gyKJfWG/Uo09RwrxTD3t\n sNN/G/1QlrezktNLaN/d5bMSfKbIvMTzSQ/CZLw+b8pP5wHuBsETUs9cDlY/VZzMaIAmkbJenPZ\n R1iiVI5Cz9lVZrfJreHGYiMycrR5ZJb9Wj97nv04sWx8awDlH3fm753sN8qNnMsW4+aoMB3OZyF\n XnquhnUSuO5BX3gU2GFdhHKu2n964VVqHRCe2yLHZpqPZfPK+vL/QRtHJly6isIkCgZst86cc8n\n ou6GUsVnkhABmQXm0LbSTCY3EL7r/bdVHJBRahJm+0F1Id+dcHaFIy5hyfoXx8Nnr8d+hNXvXpw\n mBhTt2H8dCiEI2dy39POgyR1NrxqM=","X-Received":"by 2002:a05:600d:8408:b0:486:ff92:63e5 with SMTP id\n 5b1f17b1804b1-488fb73dc6fmr33174965e9.6.1776431491153;\n Fri, 17 Apr 2026 06:11:31 -0700 (PDT)","To":"buildroot@buildroot.org","Cc":"Bernd Kuhls ","Date":"Fri, 17 Apr 2026 15:11:29 +0200","Message-ID":"<20260417131129.220250-1-thomas.perale@mind.be>","X-Mailer":"git-send-email 2.53.0","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1776431491; x=1777036291; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=dFTmFHhAHorjSlx3iB6tBf6HF3NnHSl8uxx/DxAKDDo=;\n b=UpW89zH74zSnlQ/MK9FUWJPTdvCPs6SddZjDDf6o3fOpu6L2MQyy6BHZ02hw/U6U7K\n mZIX5LVYoyTbBXyh3+v2bsiUQ8udAuKvKpQFNaOGM4f+BZfTnAykgVegACd1yhxI8K6u\n sZbz2OK4SJWqhrZ1T1XTaXBObrvoV3D7719tS58KEHYY9xpaVuDruMP72P4WaMdySe+7\n XyPHDn6h7Y24x5HhOAmMs1J6zameqxPIFgx2cTZv3MESpTkNOENr1saMC1sfKjRn5P76\n zTd1/T1CcyJqz9k8hJ6dgOKob6yeZ7Hhf1eGON+k5nK2G/Ux8sRkaiY3nqN7V7Di/WCf\n 024w==","X-Mailman-Original-Authentication-Results":["smtp3.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be","smtp3.osuosl.org;\n dkim=pass (2048-bit key) header.d=mind.be header.i=@mind.be\n header.a=rsa-sha256 header.s=google header.b=UpW89zH7"],"Subject":"[Buildroot] [PATCH 2025.02.x] package/freetype: patch CVE-2026-23865","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","From":"Thomas Perale via buildroot ","Reply-To":"Thomas Perale ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" "},"content":"Fixes the following security vulnerability:\n\n- CVE-2026-23865:\n An integer overflow in the tt_var_load_item_variation_store function\n of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an\n out of bounds read operation when parsing HVAR/VVAR/MVAR tables in\n OpenType variable fonts. This issue is fixed in version 2.14.2.\n\nFor more information, see\n - https://www.cve.org/CVERecord?id=CVE-2026-23865\n - https://gitlab.freedesktop.org/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c.patch\n\nSigned-off-by: Thomas Perale \n---\n ...r-overflow-in-array-size-computation.patch | 54 +++++++++++++++++++\n package/freetype/freetype.mk | 3 ++\n 2 files changed, 57 insertions(+)\n create mode 100644 package/freetype/0001-Check-for-overflow-in-array-size-computation.patch","diff":"diff --git a/package/freetype/0001-Check-for-overflow-in-array-size-computation.patch b/package/freetype/0001-Check-for-overflow-in-array-size-computation.patch\nnew file mode 100644\nindex 0000000000..6951880854\n--- /dev/null\n+++ b/package/freetype/0001-Check-for-overflow-in-array-size-computation.patch\n@@ -0,0 +1,54 @@\n+From fc85a255849229c024c8e65f536fe1875d84841c Mon Sep 17 00:00:00 2001\n+From: Werner Lemberg \n+Date: Sat, 3 Jan 2026 08:07:57 +0100\n+Subject: [PATCH] [ttgxvar] Check for overflow in array size computation.\n+\n+Problem reported and analyzed by povcfe .\n+\n+Fixes issue #1382.\n+\n+* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Do it.\n+\n+CVE: CVE-2026-23865\n+Upstream: https://gitlab.freedesktop.org/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c.patch\n+Signed-off-by: Thomas Perale \n+---\n+ src/truetype/ttgxvar.c | 15 ++++++++++++++-\n+ 1 file changed, 14 insertions(+), 1 deletion(-)\n+\n+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c\n+index 2ff40c9e8..96ddc04c8 100644\n+--- a/src/truetype/ttgxvar.c\n++++ b/src/truetype/ttgxvar.c\n+@@ -609,6 +609,7 @@\n+ FT_UShort word_delta_count;\n+ FT_UInt region_idx_count;\n+ FT_UInt per_region_size;\n++ FT_UInt delta_set_size;\n+ \n+ \n+ if ( FT_STREAM_SEEK( offset + dataOffsetArray[i] ) )\n+@@ -666,7 +667,19 @@\n+ if ( long_words )\n+ per_region_size *= 2;\n+ \n+- if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) )\n++ /* Check for overflow (we actually test whether the */\n++ /* multiplication of two unsigned values wraps around). */\n++ delta_set_size = per_region_size * item_count;\n++ if ( per_region_size &&\n++ delta_set_size / per_region_size != item_count )\n++ {\n++ FT_TRACE2(( \"tt_var_load_item_variation_store:\"\n++ \" bad delta set array size\\n\" ));\n++ error = FT_THROW( Array_Too_Large );\n++ goto Exit;\n++ }\n++\n++ if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) )\n+ goto Exit;\n+ if ( FT_Stream_Read( stream,\n+ varData->deltaSet,\n+-- \n+GitLab\n+\ndiff --git a/package/freetype/freetype.mk b/package/freetype/freetype.mk\nindex ad8cd00ec8..51b0471d4f 100644\n--- a/package/freetype/freetype.mk\n+++ b/package/freetype/freetype.mk\n@@ -15,6 +15,9 @@ FREETYPE_CPE_ID_VENDOR = freetype\n FREETYPE_DEPENDENCIES = host-pkgconf\n FREETYPE_CONFIG_SCRIPTS = freetype-config\n \n+# 0001-Check-for-overflow-in-array-size-computation.patch\n+FREETYPE_IGNORE_CVES += CVE-2026-23865\n+\n # harfbuzz already depends on freetype so disable harfbuzz in freetype to avoid\n # a circular dependency\n FREETYPE_CONF_OPTS = --without-harfbuzz\n","prefixes":["2025.02.x"]}