Bug 926521 (CVE-2024-25081, CVE-2024-25082) - media-gfx/fontforge: untrusted font files can lead to code execution
Summary: media-gfx/fontforge: untrusted font files can lead to code execution
Status: CONFIRMED
Alias: CVE-2024-25081, CVE-2024-25082
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://www.canva.dev/blog/engineerin...
Whiteboard: B2 [ebuild]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2024-03-08 18:25 UTC by Eddie Chapman
Modified: 2024-04-24 13:24 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Eddie Chapman 2024-03-08 18:25:22 UTC
CVE-2024-25081 Splinefont in FontForge through 20230101 allows command injection via crafted filenames.
CVE-2024-25082 Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files.

Fix for both has been applied in the gh master branch upstream:

https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429

but no new release at time of writing.

https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/
https://nvd.nist.gov/vuln/detail/CVE-2024-25081
https://nvd.nist.gov/vuln/detail/CVE-2024-25082

Reproducible: Didn't try
Comment 1 John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2024-03-17 03:56:58 UTC
Thanks for reporting. Ping fonts@.