Bug 715808 (CVE-2019-15785, CVE-2020-5496)

Summary: <media-gfx/fontforge-20200314: Multiple vulnerabilities (CVE-2019-15785, CVE-2020-5496)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: floppym, fonts
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/fontforge/fontforge/issues/4085
Whiteboard: B2 [glsa+ cve]
Package list: media-gfx/fontforge-20200314 media-libs/woff2-1.0.2-r1 hppa ppc sparc
Runtime testing required: ---
Bug Depends on: 719058
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-01 20:36:27 UTC
CVE-2020-5496 (https://nvd.nist.gov/vuln/detail/CVE-2020-5496):
  FontForge 20190801 has a heap-based buffer overflow in the
  Type2NotDefSplines() function in splinesave.c.
Comment 1 Thomas Deutschmann gentoo-dev Security 2020-04-01 20:38:30 UTC
Added to an existing GLSA.
Comment 2 Mike Gilbert gentoo-dev 2020-04-01 21:51:38 UTC
I suppose this is fixed in fontforge-20200314.
Comment 3 Sam James archtester gentoo-dev Security 2020-04-01 21:52:41 UTC
(In reply to Mike Gilbert from comment #2)
> I suppose this is fixed in fontforge-20200314.

Looks like it: https://github.com/fontforge/fontforge/commit/048a91e2682c1a8936ae34dbc7bd70291ec05410
Comment 4 Mike Gilbert gentoo-dev 2020-04-01 21:57:20 UTC
Ok, I would like to give this version around a week in ~arch before stabilizing it. Let's revisit this on Sunday, April 5.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-04-22 15:26:12 UTC
CVE-2019-15785 (https://nvd.nist.gov/vuln/detail/CVE-2019-15785):
  FontForge 20190813 through 20190820 has a buffer overflow in
  PrefsUI_LoadPrefs in prefs.c.
Comment 6 Sam James archtester gentoo-dev Security 2020-04-22 15:26:46 UTC
(In reply to Mike Gilbert from comment #4)
> Ok, I would like to give this version around a week in ~arch before
> stabilizing it. Let's revisit this on Sunday, April 5.

Whoops. Forgot about this. How're we looking?
Comment 7 NATTkA bot gentoo-dev 2020-04-22 19:01:09 UTC
Sanity check failed:

> media-gfx/fontforge-20200314
>   bdepend ppc stable profile default/linux/powerpc/ppc32/17.0 (10 total)
>     media-libs/woff2:0=
>   depend ppc stable profile default/linux/powerpc/ppc32/17.0 (10 total)
>     media-libs/woff2:0=
>   rdepend ppc stable profile default/linux/powerpc/ppc32/17.0 (10 total)
>     media-libs/woff2:0=
Comment 8 NATTkA bot gentoo-dev 2020-04-22 19:32:44 UTC
All sanity-check issues have been resolved
Comment 9 Agostino Sarubbo gentoo-dev 2020-04-23 10:09:46 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-04-23 10:42:16 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-04-23 11:15:53 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-04-24 06:48:08 UTC
ppc stable
Comment 13 NATTkA bot gentoo-dev 2020-04-24 06:48:47 UTC
Sanity check failed:

> media-gfx/fontforge-20200314
>   bdepend sparc stable profile default/linux/sparc/17.0 (8 total)
>     media-libs/woff2:0=
>   depend sparc stable profile default/linux/sparc/17.0 (8 total)
>     media-libs/woff2:0=
>   rdepend sparc stable profile default/linux/sparc/17.0 (8 total)
>     media-libs/woff2:0=
Comment 14 NATTkA bot gentoo-dev 2020-04-24 15:48:38 UTC
All sanity-check issues have been resolved
Comment 15 Rolf Eike Beer 2020-04-24 21:53:24 UTC
sparc stable
Comment 16 NATTkA bot gentoo-dev 2020-04-26 10:12:43 UTC
Sanity check failed:

> media-gfx/fontforge-20200314
>   bdepend hppa stable profile default/linux/hppa/17.0 (3 total)
>     media-libs/woff2:0=
>   depend hppa stable profile default/linux/hppa/17.0 (3 total)
>     media-libs/woff2:0=
>   rdepend hppa stable profile default/linux/hppa/17.0 (3 total)
>     media-libs/woff2:0=
Comment 17 NATTkA bot gentoo-dev 2020-04-27 15:48:35 UTC
All sanity-check issues have been resolved
Comment 18 Rolf Eike Beer 2020-04-27 17:48:05 UTC
hppa stable
Comment 19 Sam James archtester gentoo-dev Security 2020-04-28 19:26:51 UTC
arm64 stable
Comment 20 Agostino Sarubbo gentoo-dev 2020-04-30 14:38:32 UTC
ppc64 stable
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2020-04-30 23:07:00 UTC
This issue was resolved and addressed in GLSA 202004-14 at https://security.gentoo.org/glsa/202004-14 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 22 Thomas Deutschmann gentoo-dev Security 2020-04-30 23:07:32 UTC
Re-opening for remaining architecture.
Comment 23 Agostino Sarubbo gentoo-dev 2020-05-13 10:06:20 UTC
s390 stable.

Maintainer(s), please clean up.
Comment 24 Sam James archtester gentoo-dev Security 2020-06-13 16:23:25 UTC
All done.