1. 31 May, 2017 5 commits
  2. 24 Mar, 2017 1 commit
  3. 21 Mar, 2017 1 commit
  4. 01 Mar, 2017 1 commit
  5. 23 Feb, 2017 1 commit
    • Akira TAGOH's avatar
      Fix the build issue with gperf 3.1 · 9878b306
      Akira TAGOH authored
      To support the one of changes in gperf 3.1:
      * The 'len' parameter of the hash function and of the lookup function is now
        of type 'size_t' instead of 'unsigned int'. This makes it safe to call these
        functions with strings of length > 4 GB, on 64-bit machines.
      9878b306
  6. 20 Dec, 2016 1 commit
  7. 14 Nov, 2016 1 commit
    • Akira TAGOH's avatar
      Fix FcCacheOffsetsValid() · 0e9b2a15
      Akira TAGOH authored
      Validation fails when the FcValueList contains more than font->num.
      this logic was wrong because font->num contains a number of the elements
      in FcPatternElt but FcValue in FcValueList.
      
      This corrects 7a4a5bd7.
      
      Patch from Tobias Stoeckmann
      0e9b2a15
  8. 23 Sep, 2016 1 commit
  9. 16 Sep, 2016 1 commit
  10. 07 Sep, 2016 1 commit
  11. 15 Aug, 2016 1 commit
  12. 05 Aug, 2016 3 commits
    • Akira TAGOH's avatar
      Bump version to 2.12.1 · 6b222c52
      Akira TAGOH authored
      6b222c52
    • Akira TAGOH's avatar
      Update libtool revision · 68869149
      Akira TAGOH authored
      68869149
    • Tobias Stoeckmann's avatar
      Properly validate offsets in cache files. · 7a4a5bd7
      Tobias Stoeckmann authored
      
      
      The cache files are insufficiently validated. Even though the magic
      number at the beginning of the file as well as time stamps are checked,
      it is not verified if contained offsets are in legal ranges or are
      even pointers.
      
      The lack of validation allows an attacker to trigger arbitrary free()
      calls, which in turn allows double free attacks and therefore arbitrary
      code execution. Due to the conversion from offsets into pointers through
      macros, this even allows to circumvent ASLR protections.
      
      This attack vector allows privilege escalation when used with setuid
      binaries like fbterm. A user can create ~/.fonts or any other
      system-defined user-private font directory, run fc-cache and adjust
      cache files in ~/.cache/fontconfig. The execution of setuid binaries will
      scan these files and therefore are prone to attacks.
      
      If it's not about code execution, an endless loop can be created by
      letting linked lists become circular linked lists.
      
      This patch verifies that:
      
      - The file is not larger than the maximum addressable space, which
        basically only affects 32 bit systems. This allows out of boundary
        access into unallocated memory.
      - Offsets are always positive or zero
      - Offsets do not point outside file boundaries
      - No pointers are allowed in cache files, every "pointer or offset"
        field must be an offset or NULL
      - Iterating linked lists must not take longer than the amount of elements
        specified. A violation of this rule can break a possible endless loop.
      
      If one or more of these points are violated, the cache is recreated.
      This is current behaviour.
      
      Even though this patch fixes many issues, the use of mmap() shall be
      forbidden in setuid binaries. It is impossible to guarantee with these
      checks that a malicious user does not change cache files after
      verification. This should be handled in a different patch.
      Signed-off-by: Tobias Stoeckmann's avatarTobias Stoeckmann <tobias@stoeckmann.org>
      7a4a5bd7
  13. 08 Jul, 2016 3 commits
  14. 23 Jun, 2016 2 commits
  15. 15 Jun, 2016 2 commits
  16. 09 Jun, 2016 1 commit
  17. 30 May, 2016 1 commit
  18. 27 May, 2016 1 commit
  19. 26 May, 2016 1 commit
  20. 25 May, 2016 1 commit
  21. 23 May, 2016 1 commit
  22. 19 May, 2016 1 commit
  23. 07 Apr, 2016 2 commits
  24. 06 Apr, 2016 3 commits
  25. 09 Mar, 2016 2 commits
  26. 08 Mar, 2016 1 commit