Version in base suite: 2.13.3+dfsg-1

Base version: freetype_2.13.3+dfsg-1
Target version: freetype_2.13.3+dfsg-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/freetype/freetype_2.13.3+dfsg-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/f/freetype/freetype_2.13.3+dfsg-1+deb13u1.dsc

 changelog                    |    6 ++++++
 patches/CVE-2026-23865.patch |   36 ++++++++++++++++++++++++++++++++++++
 patches/series               |    1 +
 3 files changed, 43 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmptthk50g2/freetype_2.13.3+dfsg-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmptthk50g2/freetype_2.13.3+dfsg-1+deb13u1.dsc: no acceptable signature found
diff -Nru freetype-2.13.3+dfsg/debian/changelog freetype-2.13.3+dfsg/debian/changelog
--- freetype-2.13.3+dfsg/debian/changelog	2024-09-05 12:09:27.000000000 +0000
+++ freetype-2.13.3+dfsg/debian/changelog	2026-03-17 20:21:54.000000000 +0000
@@ -1,3 +1,9 @@
+freetype (2.13.3+dfsg-1+deb13u1) trixie-security; urgency=medium
+
+  * CVE-2026-23865 (Closes: #1129606)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Tue, 17 Mar 2026 21:21:54 +0100
+
 freetype (2.13.3+dfsg-1) unstable; urgency=medium
 
   * New upstream version 2.13.3.
diff -Nru freetype-2.13.3+dfsg/debian/patches/CVE-2026-23865.patch freetype-2.13.3+dfsg/debian/patches/CVE-2026-23865.patch
--- freetype-2.13.3+dfsg/debian/patches/CVE-2026-23865.patch	1970-01-01 00:00:00.000000000 +0000
+++ freetype-2.13.3+dfsg/debian/patches/CVE-2026-23865.patch	2026-03-17 20:21:48.000000000 +0000
@@ -0,0 +1,36 @@
+From fc85a255849229c024c8e65f536fe1875d84841c Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 3 Jan 2026 08:07:57 +0100
+Subject: [PATCH] [ttgxvar] Check for overflow in array size computation.
+
+--- freetype-2.13.3+dfsg.orig/src/truetype/ttgxvar.c
++++ freetype-2.13.3+dfsg/src/truetype/ttgxvar.c
+@@ -609,6 +609,7 @@
+       FT_UShort  word_delta_count;
+       FT_UInt    region_idx_count;
+       FT_UInt    per_region_size;
++      FT_UInt    delta_set_size;
+ 
+ 
+       if ( FT_STREAM_SEEK( offset + dataOffsetArray[i] ) )
+@@ -666,7 +667,19 @@
+       if ( long_words )
+         per_region_size *= 2;
+ 
+-      if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) )
++      /* Check for overflow (we actually test whether the     */
++      /* multiplication of two unsigned values wraps around). */
++      delta_set_size = per_region_size * item_count;
++      if ( per_region_size                                &&
++           delta_set_size / per_region_size != item_count )
++      {
++        FT_TRACE2(( "tt_var_load_item_variation_store:"
++                    " bad delta set array size\n" ));
++        error = FT_THROW( Array_Too_Large );
++        goto Exit;
++      }
++
++      if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) )
+         goto Exit;
+       if ( FT_Stream_Read( stream,
+                            varData->deltaSet,
diff -Nru freetype-2.13.3+dfsg/debian/patches/series freetype-2.13.3+dfsg/debian/patches/series
--- freetype-2.13.3+dfsg/debian/patches/series	2024-09-05 10:59:04.000000000 +0000
+++ freetype-2.13.3+dfsg/debian/patches/series	2026-03-17 20:21:34.000000000 +0000
@@ -2,3 +2,4 @@
 ftoption.patch
 no-web-fonts.patch
 hide-donations-information.patch
+CVE-2026-23865.patch