Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 637136 (CVE-2017-11570, CVE-2017-11573) - media-gfx/fontforge: Multiple vulnerabilities (CVE-2017-11570, CVE-2017-11573)
Summary: media-gfx/fontforge: Multiple vulnerabilities (CVE-2017-11570, CVE-2017-11573)
Status: RESOLVED INVALID
Alias: CVE-2017-11570, CVE-2017-11573
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [upstream cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-11 15:04 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2020-06-20 01:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-11 15:04:14 UTC
CVE-2017-11573 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11573):
  FontForge 20161012 is vulnerable to a buffer over-read in
  ValidatePostScriptFontName (parsettf.c) resulting in DoS or code execution
  via a crafted otf file.

CVE-2017-11570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11570):
  FontForge 20161012 is vulnerable to a buffer over-read in umodenc
  (parsettf.c) resulting in DoS or code execution via a crafted otf file.
Comment 1 Michael Boyle 2018-05-11 02:56:21 UTC
@maintainers. there is a purposed patch for both these CVE
https://github.com/gnehsoah/poc/blob/master/fontforge/umodenc-in-parsettf.c-global-buffer-overflow.otf

Michael Boyle
Gentoo Security Padawan.
Comment 2 Mike Gilbert gentoo-dev 2018-05-28 18:49:13 UTC
(In reply to Michael Boyle from comment #1)

That link points at a font file, not a patch.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 01:16:51 UTC
These are quite old and upstream couldn't reproduce these. No reply from reporter.