View Issue Details

ID: 0008946
Project: Rocky-Linux-8
Category: freetype
View Status: public
Last Update: 2025-01-31 02:28
Reporter: David Gomez
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary: 0008946: Freetype patch for CVE-2022-27405
Description: When checking to see if Rocky 8 was affected by CVE-2022-27405 I was looking at the upstream patch and the patch Rocky used for the fix. There seems to be a possible typo in the patch used.

Rocky patch: https://git.rockylinux.org/staging/rpms/freetype/-/blob/r8/SOURCES/freetype-2.9.1-properly-guard-face-index.patch?ref_type=heads

Upstream patch: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5

It looks like "face_index = -face_index;" was copied twice where the first one might not be necessary. I'm not sure if this affects the code/package usage but I wanted to raise the issue in case.
Additional Information: CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-27405
Issue: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
Commit which fixed the issue: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
Tags: cve, CVE-2022-27405, freetype, patch

Activities

David Gomez

2025-01-31 02:28

reporter ~0009473

Looked into this more and saw the following commit was made later: https://gitlab.freedesktop.org/freetype/freetype/-/commit/d014387ad4a5dd04d8e7f99587c7dacb70261924

The Rocky patch is right; this issue can be closed.

Issue History

Date Modified Username Field Change
2025-01-30 23:28 David Gomez New Issue
2025-01-30 23:28 David Gomez Tag Attached: cve
2025-01-30 23:28 David Gomez Tag Attached: CVE-2022-27405
2025-01-30 23:28 David Gomez Tag Attached: freetype
2025-01-30 23:28 David Gomez Tag Attached: patch
2025-01-31 02:28 David Gomez Note Added: 0009473