Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 715808 (CVE-2019-15785, CVE-2020-5496) - <media-gfx/fontforge-20200314: Multiple vulnerabilities (CVE-2019-15785, CVE-2020-5496)
Summary: <media-gfx/fontforge-20200314: Multiple vulnerabilities (CVE-2019-15785, CVE-...
Status: RESOLVED FIXED
Alias: CVE-2019-15785, CVE-2020-5496
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/fontforge/fontforg...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on: 719058
Blocks:
  Show dependency tree
 
Reported: 2020-04-01 20:36 UTC by GLSAMaker/CVETool Bot
Modified: 2020-06-13 16:23 UTC (History)
2 users (show)

See Also:
Package list:
media-gfx/fontforge-20200314 media-libs/woff2-1.0.2-r1 hppa ppc sparc
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-01 20:36:27 UTC 
CVE-2020-5496 (https://nvd.nist.gov/vuln/detail/CVE-2020-5496):
  FontForge 20190801 has a heap-based buffer overflow in the
  Type2NotDefSplines() function in splinesave.c.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-01 20:38:30 UTC 
Added to an existing GLSA.
Comment 2 Mike Gilbert gentoo-dev 2020-04-01 21:51:38 UTC 
I suppose this is fixed in fontforge-20200314.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-01 21:52:41 UTC 
(In reply to Mike Gilbert from comment #2)
> I suppose this is fixed in fontforge-20200314.

Looks like it: https://github.com/fontforge/fontforge/commit/048a91e2682c1a8936ae34dbc7bd70291ec05410
Comment 4 Mike Gilbert gentoo-dev 2020-04-01 21:57:20 UTC 
Ok, I would like to give this version around a week in ~arch before stabilizing it. Let's revisit this on Sunday, April 5.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-04-22 15:26:12 UTC 
CVE-2019-15785 (https://nvd.nist.gov/vuln/detail/CVE-2019-15785):
  FontForge 20190813 through 20190820 has a buffer overflow in
  PrefsUI_LoadPrefs in prefs.c.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 15:26:46 UTC 
(In reply to Mike Gilbert from comment #4)
> Ok, I would like to give this version around a week in ~arch before
> stabilizing it. Let's revisit this on Sunday, April 5.

Whoops. Forgot about this. How're we looking?
Comment 7 NATTkA bot gentoo-dev 2020-04-22 19:01:09 UTC 
Sanity check failed:

> media-gfx/fontforge-20200314
>   bdepend ppc stable profile default/linux/powerpc/ppc32/17.0 (10 total)
>     media-libs/woff2:0=
>   depend ppc stable profile default/linux/powerpc/ppc32/17.0 (10 total)
>     media-libs/woff2:0=
>   rdepend ppc stable profile default/linux/powerpc/ppc32/17.0 (10 total)
>     media-libs/woff2:0=
Comment 8 NATTkA bot gentoo-dev 2020-04-22 19:32:44 UTC 
All sanity-check issues have been resolved
Comment 9 Agostino Sarubbo gentoo-dev 2020-04-23 10:09:46 UTC 
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-04-23 10:42:16 UTC 
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-04-23 11:15:53 UTC 
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-04-24 06:48:08 UTC 
ppc stable
Comment 13 NATTkA bot gentoo-dev 2020-04-24 06:48:47 UTC 
Sanity check failed:

> media-gfx/fontforge-20200314
>   bdepend sparc stable profile default/linux/sparc/17.0 (8 total)
>     media-libs/woff2:0=
>   depend sparc stable profile default/linux/sparc/17.0 (8 total)
>     media-libs/woff2:0=
>   rdepend sparc stable profile default/linux/sparc/17.0 (8 total)
>     media-libs/woff2:0=
Comment 14 NATTkA bot gentoo-dev 2020-04-24 15:48:38 UTC 
All sanity-check issues have been resolved
Comment 15 Rolf Eike Beer archtester 2020-04-24 21:53:24 UTC 
sparc stable
Comment 16 NATTkA bot gentoo-dev 2020-04-26 10:12:43 UTC 
Sanity check failed:

> media-gfx/fontforge-20200314
>   bdepend hppa stable profile default/linux/hppa/17.0 (3 total)
>     media-libs/woff2:0=
>   depend hppa stable profile default/linux/hppa/17.0 (3 total)
>     media-libs/woff2:0=
>   rdepend hppa stable profile default/linux/hppa/17.0 (3 total)
>     media-libs/woff2:0=
Comment 17 NATTkA bot gentoo-dev 2020-04-27 15:48:35 UTC 
All sanity-check issues have been resolved
Comment 18 Rolf Eike Beer archtester 2020-04-27 17:48:05 UTC 
hppa stable
Comment 19 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-28 19:26:51 UTC 
arm64 stable
Comment 20 Agostino Sarubbo gentoo-dev 2020-04-30 14:38:32 UTC 
ppc64 stable
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2020-04-30 23:07:00 UTC 
This issue was resolved and addressed in
 GLSA 202004-14 at https://security.gentoo.org/glsa/202004-14
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 22 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-30 23:07:32 UTC 
Re-opening for remaining architecture.
Comment 23 Agostino Sarubbo gentoo-dev 2020-05-13 10:06:20 UTC 
s390 stable.

Maintainer(s), please cleanup.
Comment 24 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-13 16:23:25 UTC 
All done.