| Field | Value |
|---|---|
| Summary | media-gfx/fontforge-20230101-r1: untrusted font files can lead to code execution |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Eddie Chapman <maracay> |
| Assignee | Gentoo Security <security> |
| Status | IN_PROGRESS |
| Severity | major |
| Priority | Normal |
| CC | ajak, fonts |
| Keywords | PullRequest |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/ |
| See Also | https://github.com/gentoo/gentoo/pull/36405 |
| Whiteboard | B2 [glsa? cleanup] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 934050 |
| Bug Blocks | |
Description
Eddie Chapman
2024-03-08 18:25:22 UTC

Thanks for reporting. Ping fonts@.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26a218c56917878f75b6fa995d3336de799462f1

commit 26a218c56917878f75b6fa995d3336de799462f1
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-24 13:21:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-03 11:18:53 +0000

    media-gfx/fontforge: Add security patch

    - CVE-2024-25081, CVE-2024-25082
    - Tests pass
    - Revbump

    Bug: https://bugs.gentoo.org/926521
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36405
    Signed-off-by: Sam James <sam@gentoo.org>

 ...01-fix-splinefont-shell-command-injection.patch | 174 +++++++++++++++++++++
 media-gfx/fontforge/fontforge-20230101-r1.ebuild   | 111 +++++++++++++
 2 files changed, 285 insertions(+)
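The patch name in the diffstat above says what the bug class is ("shell command injection" reached through an untrusted font file), but this page does not show the patch itself. The block below is an added example of that general class and its fix, written for this page; it is not fontforge's code and not the Gentoo patch, and says nothing about how the real bug is triggered. The function names, the `gunzip` command template and the sample file names are constructed for illustration. It contrasts splicing a file name into a `system()`-style command line (where quoting does not help once the name contains a quote) with passing the name as a single argv element to a directly executed child, plus a simple metacharacter check that can be used as a guard.

```c
/* Added example: the generic pattern behind a "shell command injection via
 * untrusted file name" bug, next to the non-shell alternative. This is NOT
 * fontforge's code and NOT the Gentoo patch; the function names and the
 * sample file names below are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample: a "font file" whose name carries shell metacharacters.
 * The single quote closes the quoting in the unsafe template below. */
static const char *const EVIL_NAME = "font.sfd.gz'; touch /tmp/owned; echo '";
static const char *const GOOD_NAME = "font.sfd.gz";

/* Vulnerable pattern: the file name is spliced into a shell command line.
 * Wrapping it in '...' is not a fix: a quote inside the name breaks out.
 * Returns the command string that would be handed to system()/popen(). */
const char *build_decompress_cmd_unsafe(const char *path, char *out, size_t n) {
    snprintf(out, n, "gunzip -c '%s' > /tmp/decompressed", path);
    return out;
}

/* Conservative deny-list check: reject any name containing a byte that can
 * change the meaning of a shell command. Returns 1 if safe, 0 otherwise. */
int filename_is_shell_safe(const char *path) {
    static const char meta[] = "'\"`$;&|<>()\\{}*?!~\n\r ";
    for (const char *p = path; *p; p++)
        if (strchr(meta, *p)) return 0;
    return 1;
}

/* Safe pattern: no shell at all. The name becomes exactly one argv element,
 * so metacharacters reach the child as literal bytes. Returns argc or -1. */
int build_decompress_argv(const char *path, const char *argv[], size_t n) {
    if (n < 4) return -1;
    argv[0] = "gunzip";
    argv[1] = "-c";
    argv[2] = path;
    argv[3] = NULL;
    return 3;
}

/* fork+execvp runs argv directly, never "/bin/sh -c". Returns the child's
 * exit status, or -1 on fork/wait failure or abnormal termination. */
int run_argv_no_shell(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-checks for the two patterns (used by main and by the tests). */
int unsafe_cmd_is_injectable(const char *name) {
    char cmd[256];
    build_decompress_cmd_unsafe(name, cmd, sizeof cmd);
    /* A command separator that has escaped the intended quotes. */
    return strstr(cmd, "'; touch") != NULL;
}

int argv_keeps_name_intact(const char *name) {
    const char *argv[4];
    return build_decompress_argv(name, argv, 4) == 3
        && strcmp(argv[2], name) == 0
        && argv[3] == NULL;
}

int main(void) {
    char cmd[256];
    build_decompress_cmd_unsafe(EVIL_NAME, cmd, sizeof cmd);
    printf("command line a shell would execute:\n  %s\n", cmd);
    printf("guard: %s -> %s\n", EVIL_NAME,
           filename_is_shell_safe(EVIL_NAME) ? "accepted" : "rejected");

    /* Demonstrate argv passing with echo so nothing is decompressed or touched:
     * the whole hostile name is printed back as one literal argument. */
    char *const demo[] = {"echo", "argv element as received:", (char *)EVIL_NAME, NULL};
    return run_argv_no_shell(demo) == 0 ? 0 : 1;
}
```

The metacharacter check is a guard, not the fix: the fix is to never hand an attacker-controlled string to a shell. Keep the check as defence in depth (and to give a clear error on odd names), and use the argv path for the actual work.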