authorvlad2015-07-08 15:45:40 +0300
committervlad2015-07-08 15:45:40 +0300
commit619a79ad7ef869b81ee83ce63247db2300594337 (patch)
tree32c7927919f29774199c7958918d329adc41b4f6
downloadaur-619a79ad7ef869b81ee83ce63247db2300594337.tar.gz
Initial import
-rw-r--r--.SRCINFO48
-rw-r--r--PKGBUILD66
-rw-r--r--freetype-2.4.11-CVE-2014-9657.patch40
-rw-r--r--freetype-2.4.11-CVE-2014-9658.patch23
-rw-r--r--freetype-2.4.11-CVE-2014-9660.patch29
-rw-r--r--freetype-2.4.11-CVE-2014-9663.patch34
-rw-r--r--freetype-2.4.11-CVE-2014-9667.patch47
-rw-r--r--freetype-2.4.11-CVE-2014-9669.patch117
-rw-r--r--freetype-2.4.11-CVE-2014-9670.patch30
-rw-r--r--freetype-2.4.11-CVE-2014-9671.patch36
-rw-r--r--freetype-2.4.11-ft-strncmp.patch228
-rw-r--r--freetype-2.5.0-CVE-2014-2240.patch25
-rw-r--r--freetype-2.5.0-CVE-2014-2241.patch52
-rw-r--r--install.sh11
14 files changed, 786 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 00000000000..a75a2940b0f
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,48 @@
+pkgbase = freetype2-infinality
+ pkgdesc = TrueType font rendering library with infinality patch
+ pkgver = 2.4.12
+ pkgrel = 4
+ url = http://www.infinality.net/blog/infinality-freetype-patches/
+ install = install.sh
+ arch = i686
+ arch = x86_64
+ license = GPL
+ depends = zlib
+ depends = bzip2
+ depends = sh
+ optdepends = fontconfig-infinality: Infinality package for fontconfig (required)
+ provides = freetype2=2.4.12
+ conflicts = freetype2
+ options = !libtool
+ backup = etc/profile.d/infinality-settings.sh
+ source = http://downloads.sourceforge.net/sourceforge/freetype/freetype-2.4.12.tar.bz2
+ source = http://www.infinality.net/fedora/linux/zips/freetype-infinality-2.4.12-20130514_01-x86_64.tar.bz2
+ source = freetype-2.2.1-enable-valid.patch::https://projects.archlinux.org/svntogit/packages.git/plain/trunk/freetype-2.2.1-enable-valid.patch?h=packages/freetype2
+ source = freetype-2.5.0-CVE-2014-2240.patch
+ source = freetype-2.5.0-CVE-2014-2241.patch
+ source = freetype-2.4.11-ft-strncmp.patch
+ source = freetype-2.4.11-CVE-2014-9657.patch
+ source = freetype-2.4.11-CVE-2014-9658.patch
+ source = freetype-2.4.11-CVE-2014-9660.patch
+ source = freetype-2.4.11-CVE-2014-9663.patch
+ source = freetype-2.4.11-CVE-2014-9667.patch
+ source = freetype-2.4.11-CVE-2014-9669.patch
+ source = freetype-2.4.11-CVE-2014-9670.patch
+ source = freetype-2.4.11-CVE-2014-9671.patch
+ md5sums = 3463102764315eb86c0d3c2e1f3ffb7d
+ md5sums = 4f5ff3fd3e3e56310953e25eade4a2d3
+ md5sums = 214119610444c9b02766ccee5e220680
+ md5sums = e29654122be7dbfbc828b1f890257f40
+ md5sums = 54d52c143c5e399972f2928d17b0f28e
+ md5sums = 451163e82887b59f0c0fad72a652f316
+ md5sums = d8c69d190a81133d40b92d1d2ab81c98
+ md5sums = 82055b1adb096766cf4269658ce5a68b
+ md5sums = 79e695ff3714fb66dcdadd2a4b82f418
+ md5sums = 817ff425988e4f91dbd08b1f4bfaf5b4
+ md5sums = a1560e1032cd0fb113aee6ce7b0c951e
+ md5sums = c5cbf68b7b2f3beeb766e8d97d9f723e
+ md5sums = 1bf2b83b8623ac4fed57dbe4e4f7714c
+ md5sums = f543132d39f801a230768dc133fd4870
+
+pkgname = freetype2-infinality
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 00000000000..a34b3b31abd
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,66 @@
+# Maintainer: hadrons123 <piruthviraj@gmail.com>
+# Maintainer: Shanto <shanto@hotmail.com>
+# Contributor: JIN Xiao-Yong <jinxiaoyong@gmail.com>
+# Contributor: Andre Fettouhi <A.Fettouhi@gmail.com>
+
+pkgname=freetype2-infinality
+pkgver=2.4.12
+pkgrel=4
+_pkgdate=20150206
+_pkgrel=01
+pkgdesc="TrueType font rendering library with infinality patch"
+arch=(i686 x86_64)
+license=('GPL')
+url="http://www.infinality.net/blog/infinality-freetype-patches/"
+depends=('zlib' 'bzip2' 'sh')
+optdepends=(
+ 'fontconfig-infinality: Infinality package for fontconfig (required)'
+)
+conflicts=('freetype2')
+provides=("freetype2=$pkgver")
+options=('!libtool')
+install='install.sh'
+backup=('etc/profile.d/infinality-settings.sh')
+source=(
+ "http://downloads.sourceforge.net/sourceforge/freetype/freetype-${pkgver}.tar.bz2"
+ "http://www.infinality.net/fedora/linux/zips/freetype-infinality-2.4.12-20130514_01-x86_64.tar.bz2"
+ "freetype-2.2.1-enable-valid.patch::https://projects.archlinux.org/svntogit/packages.git/plain/trunk/freetype-2.2.1-enable-valid.patch?h=packages/freetype2"
+ "freetype-2.5.0-CVE-2014-2240.patch"
+ "freetype-2.5.0-CVE-2014-2241.patch"
+"freetype-2.4.11-ft-strncmp.patch"
+"freetype-2.4.11-CVE-2014-9657.patch"
+"freetype-2.4.11-CVE-2014-9658.patch"
+"freetype-2.4.11-CVE-2014-9660.patch"
+"freetype-2.4.11-CVE-2014-9663.patch"
+"freetype-2.4.11-CVE-2014-9667.patch"
+"freetype-2.4.11-CVE-2014-9669.patch"
+"freetype-2.4.11-CVE-2014-9670.patch"
+"freetype-2.4.11-CVE-2014-9671.patch")
+build() {
+ rm -rf "${srcdir}/freetype-${pkgver}-build"
+ cp -a "${srcdir}/freetype-${pkgver}" "${srcdir}/freetype-${pkgver}-build"
+ cd "${srcdir}/freetype-${pkgver}-build"
+ cat "$srcdir/"{freetype-2.2.1-enable-valid.patch,freetype-entire-infinality-patchset-20130514-01.patch,freetype-2.4.11-CVE-2014-9657.patch,freetype-2.4.11-CVE-2014-9658.patch,freetype-2.4.11-ft-strncmp.patch,freetype-2.4.11-CVE-2014-9660.patch,freetype-2.4.11-CVE-2014-9663.patch,freetype-2.4.11-CVE-2014-9669.patch,freetype-2.4.11-CVE-2014-9670.patch,freetype-2.4.11-CVE-2014-9671.patch,freetype-2.5.0-CVE-2014-2240.patch,freetype-2.5.0-CVE-2014-2241.patch} | patch -Np1
+ ./configure --prefix=/usr
+ make
+}
+
+package() {
+ cd "${srcdir}/freetype-${pkgver}-build"
+ make DESTDIR="${pkgdir}" install
+ install -D -T "${srcdir}/infinality-settings.sh" "${pkgdir}/etc/profile.d/infinality-settings.sh"
+}
+md5sums=('3463102764315eb86c0d3c2e1f3ffb7d'
+ '4f5ff3fd3e3e56310953e25eade4a2d3'
+ '214119610444c9b02766ccee5e220680'
+ 'e29654122be7dbfbc828b1f890257f40'
+ '54d52c143c5e399972f2928d17b0f28e'
+ '451163e82887b59f0c0fad72a652f316'
+ 'd8c69d190a81133d40b92d1d2ab81c98'
+ '82055b1adb096766cf4269658ce5a68b'
+ '79e695ff3714fb66dcdadd2a4b82f418'
+ '817ff425988e4f91dbd08b1f4bfaf5b4'
+ 'a1560e1032cd0fb113aee6ce7b0c951e'
+ 'c5cbf68b7b2f3beeb766e8d97d9f723e'
+ '1bf2b83b8623ac4fed57dbe4e4f7714c'
+ 'f543132d39f801a230768dc133fd4870')
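Review bot: `freetype-2.4.11-CVE-2014-9667.patch` is listed in `source=()` and has a checksum, but it is missing from the brace list piped into `patch -Np1` in `build()`, so the overflow-safe table-directory check it carries never reaches the built library. Add it to that list, for example `...,freetype-2.4.11-CVE-2014-9663.patch,freetype-2.4.11-CVE-2014-9667.patch,freetype-2.4.11-CVE-2014-9669.patch,...`. Applying each file with its own `patch -Np1 -i "$srcdir/NAME.patch"` call would also make a dropped or failing patch easier to spot than one long `cat | patch` pipeline. Separately, both upstream tarballs are fetched over plain `http://` and verified only by `md5sums`; moving to `sha256sums=(...)` gives those downloads a meaningful integrity check.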
diff --git a/freetype-2.4.11-CVE-2014-9657.patch b/freetype-2.4.11-CVE-2014-9657.patch
new file mode 100644
index 00000000000..89544067708
--- /dev/null
+++ b/freetype-2.4.11-CVE-2014-9657.patch
@@ -0,0 +1,40 @@
+From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 24 Nov 2014 09:22:08 +0000
+Subject: [truetype] Fix Savannah bug #43679.
+
+* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
+`record_size'.
+---
+diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
+index 9723a51..9991925 100644
+--- a/src/truetype/ttpload.c
++++ b/src/truetype/ttpload.c
+@@ -508,9 +508,9 @@
+ record_size = FT_NEXT_ULONG( p );
+
+ /* The maximum number of bytes in an hdmx device record is the */
+- /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is */
+- /* the reason why `record_size' is a long (which we read as */
+- /* unsigned long for convenience). In practice, two bytes */
++ /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus */
++ /* explaining why `record_size' is a long (which we read as */
++ /* unsigned long for convenience). In practice, two bytes are */
+ /* sufficient to hold the size value. */
+ /* */
+ /* There are at least two fonts, HANNOM-A and HANNOM-B version */
+@@ -522,8 +522,10 @@
+ record_size &= 0xFFFFU;
+
+ /* The limit for `num_records' is a heuristic value. */
+-
+- if ( version != 0 || num_records > 255 || record_size > 0x10001L )
++ if ( version != 0 ||
++ num_records > 255 ||
++ record_size > 0x10001L ||
++ record_size < 4 )
+ {
+ error = TT_Err_Invalid_File_Format;
+ goto Fail;
+--
+cgit v0.9.0.2
diff --git a/freetype-2.4.11-CVE-2014-9658.patch b/freetype-2.4.11-CVE-2014-9658.patch
new file mode 100644
index 00000000000..7aec5c89ad3
--- /dev/null
+++ b/freetype-2.4.11-CVE-2014-9658.patch
@@ -0,0 +1,23 @@
+From f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 24 Nov 2014 08:31:32 +0000
+Subject: [sfnt] Fix Savannah bug #43672.
+
+* src/sfnt/ttkern.c (tt_face_load_kern): Use correct value for
+minimum table length test.
+---
+diff --git a/src/sfnt/ttkern.c b/src/sfnt/ttkern.c
+index 32c4008..455e7b5 100644
+--- a/src/sfnt/ttkern.c
++++ b/src/sfnt/ttkern.c
+@@ -99,7 +99,7 @@
+ length = FT_NEXT_USHORT( p );
+ coverage = FT_NEXT_USHORT( p );
+
+- if ( length <= 6 )
++ if ( length <= 6 + 8 )
+ break;
+
+ p_next += length;
+--
+cgit v0.9.0.2
diff --git a/freetype-2.4.11-CVE-2014-9660.patch b/freetype-2.4.11-CVE-2014-9660.patch
new file mode 100644
index 00000000000..fc310f7ccfc
--- /dev/null
+++ b/freetype-2.4.11-CVE-2014-9660.patch
@@ -0,0 +1,29 @@
+From af8346172a7b573715134f7a51e6c5c60fa7f2ab Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 12:29:10 +0000
+Subject: [bdf] Fix Savannah bug #43660.
+
+* src/bdf/bdflib.c (_bdf_parse_glyphs) <"ENDFONT">: Check
+`_BDF_GLYPH_BITS'.
+---
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index c128526..369c111 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1549,6 +1549,14 @@
+ /* Check for the ENDFONT field. */
+ if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
+ {
++ if ( p->flags & _BDF_GLYPH_BITS )
++ {
++ /* Missing ENDCHAR field. */
++ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENDCHAR" ));
++ error = BDF_Err_Corrupted_Font_Glyphs;
++ goto Exit;
++ }
++
+ /* Sort the glyphs by encoding. */
+ ft_qsort( (char *)font->glyphs,
+ font->glyphs_used,
+--
+cgit v0.9.0.2
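Review bot: The context line of this hunk, `if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )`, does not match the tree it is applied to. `build()` applies freetype-2.4.11-ft-strncmp.patch first, and that patch leaves the ENDFONT test as `ft_strncmp( line, "ENDFONT", 7 )`. The added `_BDF_GLYPH_BITS` check therefore appears to land only if `patch` accepts the hunk with fuzz, which is a fragile way to carry a security fix. Regenerating the patch against the patched 2.4.12 source, so the context reads `if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )`, would let it apply cleanly. It is also worth checking the build log for fuzz or offset warnings on src/bdf/bdflib.c.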
diff --git a/freetype-2.4.11-CVE-2014-9663.patch b/freetype-2.4.11-CVE-2014-9663.patch
new file mode 100644
index 00000000000..9e2496a4a59
--- /dev/null
+++ b/freetype-2.4.11-CVE-2014-9663.patch
@@ -0,0 +1,34 @@
+From 9bd20b7304aae61de5d50ac359cf27132bafd4c1 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 05:24:45 +0000
+Subject: [sfnt] Fix Savannah bug #43656.
+
+* src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity
+tests.
+---
+diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
+index 712bd4f..fb863c3 100644
+--- a/src/sfnt/ttcmap.c
++++ b/src/sfnt/ttcmap.c
+@@ -823,9 +823,6 @@
+ FT_Error error = SFNT_Err_Ok;
+
+
+- if ( length < 16 )
+- FT_INVALID_TOO_SHORT;
+-
+ /* in certain fonts, the `length' field is invalid and goes */
+ /* out of bound. We try to correct this here... */
+ if ( table + length > valid->limit )
+@@ -836,6 +833,9 @@
+ length = (FT_UInt)( valid->limit - table );
+ }
+
++ if ( length < 16 )
++ FT_INVALID_TOO_SHORT;
++
+ p = table + 6;
+ num_segs = TT_NEXT_USHORT( p ); /* read segCountX2 */
+
+--
+cgit v0.9.0.2
diff --git a/freetype-2.4.11-CVE-2014-9667.patch b/freetype-2.4.11-CVE-2014-9667.patch
new file mode 100644
index 00000000000..1e349405c40
--- /dev/null
+++ b/freetype-2.4.11-CVE-2014-9667.patch
@@ -0,0 +1,47 @@
+From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 20:26:44 +0000
+Subject: [sfnt] Fix Savannah bug #43590.
+
+* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
+Protect against addition overflow.
+---
+diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
+index 0a3cd29..8338150 100644
+--- a/src/sfnt/ttload.c
++++ b/src/sfnt/ttload.c
+@@ -5,7 +5,7 @@
+ /* Load the basic TrueType tables, i.e., tables that can be either in */
+ /* TTF or OTF fonts (body). */
+ /* */
+-/* Copyright 1996-2010, 2012 by */
++/* Copyright 1996-2010, 2012-2014 by */
+ /* David Turner, Robert Wilhelm, and Werner Lemberg. */
+ /* */
+ /* This file is part of the FreeType project, and may only be used, */
+@@ -207,7 +207,10 @@
+ }
+
+ /* we ignore invalid tables */
+- if ( table.Offset + table.Length > stream->size )
++
++ /* table.Offset + table.Length > stream->size ? */
++ if ( table.Length > stream->size ||
++ table.Offset > stream->size - table.Length )
+ {
+ FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
+ continue;
+@@ -398,7 +398,10 @@
+ entry->Length = FT_GET_LONG();
+
+ /* ignore invalid tables */
+- if ( entry->Offset + entry->Length > stream->size )
++
++ /* entry->Offset + entry->Length > stream->size ? */
++ if ( entry->Length > stream->size ||
++ entry->Offset > stream->size - entry->Length )
+ continue;
+ else
+ {
+--
+cgit v0.9.0.2
diff --git a/freetype-2.4.11-CVE-2014-9669.patch b/freetype-2.4.11-CVE-2014-9669.patch
new file mode 100644
index 00000000000..59fe8c3b67c
--- /dev/null
+++ b/freetype-2.4.11-CVE-2014-9669.patch
@@ -0,0 +1,117 @@
+From 602040b1112c9f94d68e200be59ea7ac3d104565 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 19:51:20 +0000
+Subject: [sfnt] Fix Savannah bug #43588.
+
+* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
+tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect
+against overflow in additions and multiplications.
+---
+diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
+index f9acf5d..712bd4f 100644
+--- a/src/sfnt/ttcmap.c
++++ b/src/sfnt/ttcmap.c
+@@ -1647,7 +1647,8 @@
+ p = is32 + 8192; /* skip `is32' array */
+ num_groups = TT_NEXT_ULONG( p );
+
+- if ( p + num_groups * 12 > valid->limit )
++ /* p + num_groups * 12 > valid->limit ? */
++ if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 )
+ FT_INVALID_TOO_SHORT;
+
+ /* check groups, they must be in increasing order */
+@@ -1672,7 +1673,12 @@
+
+ if ( valid->level >= FT_VALIDATE_TIGHT )
+ {
+- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
++ FT_UInt32 d = end - start;
++
++
++ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
++ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
++ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
+ FT_INVALID_GLYPH_ID;
+
+ count = (FT_UInt32)( end - start + 1 );
+@@ -1870,7 +1876,9 @@
+ count = TT_NEXT_ULONG( p );
+
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+- length < 20 + count * 2 )
++ /* length < 20 + count * 2 ? */
++ length < 20 ||
++ ( length - 20 ) / 2 < count )
+ FT_INVALID_TOO_SHORT;
+
+ /* check glyph indices */
+@@ -2057,7 +2065,9 @@
+ num_groups = TT_NEXT_ULONG( p );
+
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+- length < 16 + 12 * num_groups )
++ /* length < 16 + 12 * num_groups ? */
++ length < 16 ||
++ ( length - 16 ) / 12 < num_groups )
+ FT_INVALID_TOO_SHORT;
+
+ /* check groups, they must be in increasing order */
+@@ -2079,7 +2089,12 @@
+
+ if ( valid->level >= FT_VALIDATE_TIGHT )
+ {
+- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
++ FT_UInt32 d = end - start;
++
++
++ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
++ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
++ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
+ FT_INVALID_GLYPH_ID;
+ }
+
+@@ -2381,7 +2396,9 @@
+ num_groups = TT_NEXT_ULONG( p );
+
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+- length < 16 + 12 * num_groups )
++ /* length < 16 + 12 * num_groups ? */
++ length < 16 ||
++ ( length - 16 ) / 12 < num_groups )
+ FT_INVALID_TOO_SHORT;
+
+ /* check groups, they must be in increasing order */
+@@ -2762,7 +2779,9 @@
+
+
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+- length < 10 + 11 * num_selectors )
++ /* length < 10 + 11 * num_selectors ? */
++ length < 10 ||
++ ( length - 10 ) / 11 < num_selectors )
+ FT_INVALID_TOO_SHORT;
+
+ /* check selectors, they must be in increasing order */
+@@ -2798,7 +2817,8 @@
+ FT_ULong lastBase = 0;
+
+
+- if ( defp + numRanges * 4 > valid->limit )
++ /* defp + numRanges * 4 > valid->limit ? */
++ if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
+ FT_INVALID_TOO_SHORT;
+
+ for ( i = 0; i < numRanges; ++i )
+@@ -2825,7 +2845,8 @@
+ FT_ULong i, lastUni = 0;
+
+
+- if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
++ /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
++ if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
+ FT_INVALID_TOO_SHORT;
+
+ for ( i = 0; i < numMappings; ++i )
+--
+cgit v0.9.0.2
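Review bot: In the last hunk (the non-default UVS table check, presumably in tt_cmap14_validate), the rewritten bound still divides by 4: `if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )`. In the OpenType cmap format 14 layout a non-default UVS mapping record is 5 bytes (a 24-bit Unicode value plus a 16-bit glyph ID). If the loop that follows reads 5 bytes per entry, a crafted table can pass this check and still be read past `valid->limit`; the loop body is outside the hunk, so this needs confirming. The patch only removes the multiplication overflow and keeps the constant it inherited, so the bound to consider is `numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 5`. The `/ 4` in the default-UVS hunk just above matches its 4-byte range records and looks right.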
diff --git a/freetype-2.4.11-CVE-2014-9670.patch b/freetype-2.4.11-CVE-2014-9670.patch
new file mode 100644
index 00000000000..0a9b70a03e2
--- /dev/null
+++ b/freetype-2.4.11-CVE-2014-9670.patch
@@ -0,0 +1,30 @@
+From ef1eba75187adfac750f326b563fe543dd5ff4e6 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 06 Nov 2014 22:25:05 +0000
+Subject: Fix Savannah bug #43548.
+
+* src/pcf/pcfread (pcf_get_encodings): Add sanity checks for row and
+column values.
+---
+diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
+index 8db31bd..668c962 100644
+--- a/src/pcf/pcfread.c
++++ b/src/pcf/pcfread.c
+@@ -812,6 +812,15 @@ THE SOFTWARE.
+ if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) )
+ return PCF_Err_Invalid_File_Format;
+
++ /* sanity checks */
++ if ( firstCol < 0 ||
++ firstCol > lastCol ||
++ lastCol > 0xFF ||
++ firstRow < 0 ||
++ firstRow > lastRow ||
++ lastRow > 0xFF )
++ return PCF_Err_Invalid_Table;
++
+ FT_TRACE4(( "pdf_get_encodings:\n" ));
+
+ FT_TRACE4(( " firstCol %d, lastCol %d, firstRow %d, lastRow %d\n",
+--
+cgit v0.9.0.2
diff --git a/freetype-2.4.11-CVE-2014-9671.patch b/freetype-2.4.11-CVE-2014-9671.patch
new file mode 100644
index 00000000000..a29115095cd
--- /dev/null
+++ b/freetype-2.4.11-CVE-2014-9671.patch
@@ -0,0 +1,36 @@
+From 0e2f5d518c60e2978f26400d110eff178fa7e3c3 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 06 Nov 2014 21:32:46 +0000
+Subject: Fix Savannah bug #43547.
+
+* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
+values.
+---
+diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
+index f63377b..8db31bd 100644
+--- a/src/pcf/pcfread.c
++++ b/src/pcf/pcfread.c
+@@ -151,6 +151,21 @@ THE SOFTWARE.
+ break;
+ }
+
++ /* we now check whether the `size' and `offset' values are reasonable: */
++ /* `offset' + `size' must not exceed the stream size */
++ tables = face->toc.tables;
++ for ( n = 0; n < toc->count; n++ )
++ {
++ /* we need two checks to avoid overflow */
++ if ( ( tables->size > stream->size ) ||
++ ( tables->offset > stream->size - tables->size ) )
++ {
++ error = PCF_Err_Invalid_Table;
++ goto Exit;
++ }
++ tables++;
++ }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+
+ {
+--
+cgit v0.9.0.2
diff --git a/freetype-2.4.11-ft-strncmp.patch b/freetype-2.4.11-ft-strncmp.patch
new file mode 100644
index 00000000000..6de33c58b30
--- /dev/null
+++ b/freetype-2.4.11-ft-strncmp.patch
@@ -0,0 +1,228 @@
+commit 9a56764037dfc01a89fe61f5c67971bf50343d00
+Author: Werner Lemberg <wl@gnu.org>
+Date: Wed Feb 26 13:08:07 2014 +0100
+
+ [bdf] Fix Savannah bug #41692.
+
+ bdflib puts data from the input stream into a buffer in chunks of
+ 1024 bytes. The data itself gets then parsed line by line, simply
+ increasing the current pointer into the buffer; if the search for
+ the final newline character exceeds the buffer size, more data gets
+ read.
+
+ However, in case the current line's end is very near to the buffer
+ end, and the keyword to compare with is longer than the current
+ line's length, an out-of-bounds read might happen since `memcmp'
+ doesn't stop properly at the string end.
+
+ * src/bdf/bdflib.c: s/ft_memcmp/ft_strncmp/ to make comparisons
+ stop at string ends.
+
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index c9e231e..b0ec292 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1402,7 +1402,7 @@
+
+ /* If the property happens to be a comment, then it doesn't need */
+ /* to be added to the internal hash table. */
+- if ( ft_memcmp( name, "COMMENT", 7 ) != 0 )
++ if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
+ {
+ /* Add the property to the font property table. */
+ error = hash_insert( fp->name,
+@@ -1420,13 +1420,13 @@
+ /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */
+ /* present, and the SPACING property should override the default */
+ /* spacing. */
+- if ( ft_memcmp( name, "DEFAULT_CHAR", 12 ) == 0 )
++ if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+ font->default_char = fp->value.l;
+- else if ( ft_memcmp( name, "FONT_ASCENT", 11 ) == 0 )
++ else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
+ font->font_ascent = fp->value.l;
+- else if ( ft_memcmp( name, "FONT_DESCENT", 12 ) == 0 )
++ else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
+ font->font_descent = fp->value.l;
+- else if ( ft_memcmp( name, "SPACING", 7 ) == 0 )
++ else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
+ {
+ if ( !fp->value.atom )
+ {
+@@ -1484,7 +1484,7 @@
+ memory = font->memory;
+
+ /* Check for a comment. */
+- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
++ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+ {
+ linelen -= 7;
+
+@@ -1501,7 +1501,7 @@
+ /* The very first thing expected is the number of glyphs. */
+ if ( !( p->flags & _BDF_GLYPHS ) )
+ {
+- if ( ft_memcmp( line, "CHARS", 5 ) != 0 )
++ if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
+ {
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" ));
+ error = BDF_Err_Missing_Chars_Field;
+@@ -1535,7 +1535,7 @@
+ }
+
+ /* Check for the ENDFONT field. */
+- if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 )
++ if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
+ {
+ /* Sort the glyphs by encoding. */
+ ft_qsort( (char *)font->glyphs,
+@@ -1549,7 +1549,7 @@
+ }
+
+ /* Check for the ENDCHAR field. */
+- if ( ft_memcmp( line, "ENDCHAR", 7 ) == 0 )
++ if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
+ {
+ p->glyph_enc = 0;
+ p->flags &= ~_BDF_GLYPH_BITS;
+@@ -1565,7 +1565,7 @@
+ goto Exit;
+
+ /* Check for the STARTCHAR field. */
+- if ( ft_memcmp( line, "STARTCHAR", 9 ) == 0 )
++ if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
+ {
+ /* Set the character name in the parse info first until the */
+ /* encoding can be checked for an unencoded character. */
+@@ -1599,7 +1599,7 @@
+ }
+
+ /* Check for the ENCODING field. */
+- if ( ft_memcmp( line, "ENCODING", 8 ) == 0 )
++ if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
+ {
+ if ( !( p->flags & _BDF_GLYPH ) )
+ {
+@@ -1785,7 +1785,7 @@
+ }
+
+ /* Expect the SWIDTH (scalable width) field next. */
+- if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
++ if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
+ {
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+@@ -1801,7 +1801,7 @@
+ }
+
+ /* Expect the DWIDTH (scalable width) field next. */
+- if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
++ if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
+ {
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+@@ -1829,7 +1829,7 @@
+ }
+
+ /* Expect the BBX field next. */
+- if ( ft_memcmp( line, "BBX", 3 ) == 0 )
++ if ( ft_strncmp( line, "BBX", 3 ) == 0 )
+ {
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+@@ -1897,7 +1897,7 @@
+ }
+
+ /* And finally, gather up the bitmap. */
+- if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
++ if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
+ {
+ unsigned long bitmap_size;
+
+@@ -1972,7 +1972,7 @@
+ p = (_bdf_parse_t *) client_data;
+
+ /* Check for the end of the properties. */
+- if ( ft_memcmp( line, "ENDPROPERTIES", 13 ) == 0 )
++ if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
+ {
+ /* If the FONT_ASCENT or FONT_DESCENT properties have not been */
+ /* encountered yet, then make sure they are added as properties and */
+@@ -2013,12 +2013,12 @@
+ }
+
+ /* Ignore the _XFREE86_GLYPH_RANGES properties. */
+- if ( ft_memcmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
++ if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+ goto Exit;
+
+ /* Handle COMMENT fields and properties in a special way to preserve */
+ /* the spacing. */
+- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
++ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+ {
+ name = value = line;
+ value += 7;
+@@ -2082,7 +2082,7 @@
+
+ /* Check for a comment. This is done to handle those fonts that have */
+ /* comments before the STARTFONT line for some reason. */
+- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
++ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+ {
+ if ( p->opts->keep_comments != 0 && p->font != 0 )
+ {
+@@ -2108,7 +2108,7 @@
+ {
+ memory = p->memory;
+
+- if ( ft_memcmp( line, "STARTFONT", 9 ) != 0 )
++ if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
+ {
+ /* we don't emit an error message since this code gets */
+ /* explicitly caught one level higher */
+@@ -2156,7 +2156,7 @@
+ }
+
+ /* Check for the start of the properties. */
+- if ( ft_memcmp( line, "STARTPROPERTIES", 15 ) == 0 )
++ if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
+ {
+ if ( !( p->flags & _BDF_FONT_BBX ) )
+ {
+@@ -2185,7 +2185,7 @@
+ }
+
+ /* Check for the FONTBOUNDINGBOX field. */
+- if ( ft_memcmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
++ if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+ {
+ if ( !( p->flags & _BDF_SIZE ) )
+ {
+@@ -2216,7 +2216,7 @@
+ }
+
+ /* The next thing to check for is the FONT field. */
+- if ( ft_memcmp( line, "FONT", 4 ) == 0 )
++ if ( ft_strncmp( line, "FONT", 4 ) == 0 )
+ {
+ error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+ if ( error )
+@@ -2251,7 +2251,7 @@
+ }
+
+ /* Check for the SIZE field. */
+- if ( ft_memcmp( line, "SIZE", 4 ) == 0 )
++ if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
+ {
+ if ( !( p->flags & _BDF_FONT_NAME ) )
+ {
+@@ -2305,7 +2305,7 @@
+ }
+
+ /* Check for the CHARS field -- font properties are optional */
+- if ( ft_memcmp( line, "CHARS", 5 ) == 0 )
++ if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
+ {
+ char nbuf[128];
+
diff --git a/freetype-2.5.0-CVE-2014-2240.patch b/freetype-2.5.0-CVE-2014-2240.patch
new file mode 100644
index 00000000000..d838de3a265
--- /dev/null
+++ b/freetype-2.5.0-CVE-2014-2240.patch
@@ -0,0 +1,25 @@
+From 0eae6eb0645264c98812f0095e0f5df4541830e6 Mon Sep 17 00:00:00 2001
+From: Dave Arnold <darnold@adobe.com>
+Date: Fri, 28 Feb 2014 06:40:01 +0000
+Subject: Fix Savannah bug #41697, part 1.
+
+* src/cff/cf2hints.c (cf2_hintmap_build): Return when `hintMask' is
+invalid. In this case, it is not safe to use the length of
+`hStemHintArray'; the exception has already been recorded in
+`hintMask'.
+---
+diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
+index 5f44161..79f84fc 100644
+--- a/src/cff/cf2hints.c
++++ b/src/cff/cf2hints.c
+@@ -781,6 +781,8 @@
+ cf2_hintmask_setAll( hintMask,
+ cf2_arrstack_size( hStemHintArray ) +
+ cf2_arrstack_size( vStemHintArray ) );
++ if ( !cf2_hintmask_isValid( hintMask ) )
++ return; /* too many stem hints */
+ }
+
+ /* begin by clearing the map */
+--
+cgit v0.9.0.2
diff --git a/freetype-2.5.0-CVE-2014-2241.patch b/freetype-2.5.0-CVE-2014-2241.patch
new file mode 100644
index 00000000000..3e6cd60c9bb
--- /dev/null
+++ b/freetype-2.5.0-CVE-2014-2241.patch
@@ -0,0 +1,52 @@
+From 135c3faebb96f8f550bd4f318716f2e1e095a969 Mon Sep 17 00:00:00 2001
+From: Dave Arnold <darnold@adobe.com>
+Date: Fri, 28 Feb 2014 06:42:42 +0000
+Subject: Fix Savannah bug #41697, part 2.
+
+* src/cff/cf2ft.c (cf2_initLocalRegionBuffer,
+cf2_initGlobalRegionBuffer): It is possible for a charstring to call
+a subroutine if no subroutines exist. This is an error but should
+not trigger an assert. Split the assert to account for this.
+---
+diff --git a/src/cff/cf2ft.c b/src/cff/cf2ft.c
+index df5f8fb..82bac75 100644
+--- a/src/cff/cf2ft.c
++++ b/src/cff/cf2ft.c
+@@ -521,7 +521,7 @@
+ CF2_UInt idx,
+ CF2_Buffer buf )
+ {
+- FT_ASSERT( decoder && decoder->globals );
++ FT_ASSERT( decoder );
+
+ FT_ZERO( buf );
+
+@@ -529,6 +529,8 @@
+ if ( idx >= decoder->num_globals )
+ return TRUE; /* error */
+
++ FT_ASSERT( decoder->globals );
++
+ buf->start =
+ buf->ptr = decoder->globals[idx];
+ buf->end = decoder->globals[idx + 1];
+@@ -594,7 +596,7 @@
+ CF2_UInt idx,
+ CF2_Buffer buf )
+ {
+- FT_ASSERT( decoder && decoder->locals );
++ FT_ASSERT( decoder );
+
+ FT_ZERO( buf );
+
+@@ -602,6 +604,8 @@
+ if ( idx >= decoder->num_locals )
+ return TRUE; /* error */
+
++ FT_ASSERT( decoder->locals );
++
+ buf->start =
+ buf->ptr = decoder->locals[idx];
+ buf->end = decoder->locals[idx + 1];
+--
+cgit v0.9.0.2
diff --git a/install.sh b/install.sh
new file mode 100644
index 00000000000..0924737fe07
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,11 @@
+post_install() {
+ cat <<- EOF
+ ==> Infinality environment variables are located in the file /etc/profile.d/infinality-settings.sh. Change it according to your taste.
+ ==> Fontconfig files have moved to fontconfig-infinality package which should be installed and configured separately.
+ ==> For best experience, install either Windows, Apple or Google fonts. More information is available at http://www.infinality.net.
+ EOF
+}
+
+post_upgrade() {
+ post_install $0
+}