Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 637136 (CVE-2017-11570, CVE-2017-11573) - media-gfx/fontforge: Multiple vulnerabilities (CVE-2017-11570, CVE-2017-11573)
Summary: media-gfx/fontforge: Multiple vulnerabilities (CVE-2017-11570, CVE-2017-11573)
Status: RESOLVED INVALID
Alias: CVE-2017-11570, CVE-2017-11573
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [upstream cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-11 15:04 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2020-06-20 01:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-11 15:04:14 UTC 
CVE-2017-11573 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11573):
  FontForge 20161012 is vulnerable to a buffer over-read in
  ValidatePostScriptFontName (parsettf.c) resulting in DoS or code execution
  via a crafted otf file.

CVE-2017-11570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11570):
  FontForge 20161012 is vulnerable to a buffer over-read in umodenc
  (parsettf.c) resulting in DoS or code execution via a crafted otf file.
Comment 1 Michael Boyle 2018-05-11 02:56:21 UTC 
@maintainers. there is a purposed patch for both these CVE
https://github.com/gnehsoah/poc/blob/master/fontforge/umodenc-in-parsettf.c-global-buffer-overflow.otf

Michael Boyle
Gentoo Security Padawan.
Comment 2 Mike Gilbert gentoo-dev 2018-05-28 18:49:13 UTC 
(In reply to Michael Boyle from comment #1)

That link points at a font file, not a patch.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 01:16:51 UTC 
These are quite old and upstream couldn't reproduce these. No reply from reporter.