CVE-2017-11573 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11573): FontForge 20161012 is vulnerable to a buffer over-read in ValidatePostScriptFontName (parsettf.c) resulting in DoS or code execution via a crafted otf file. CVE-2017-11570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11570): FontForge 20161012 is vulnerable to a buffer over-read in umodenc (parsettf.c) resulting in DoS or code execution via a crafted otf file.
@maintainers. there is a purposed patch for both these CVE https://github.com/gnehsoah/poc/blob/master/fontforge/umodenc-in-parsettf.c-global-buffer-overflow.otf Michael Boyle Gentoo Security Padawan.
(In reply to Michael Boyle from comment #1) That link points at a font file, not a patch.
These are quite old and upstream couldn't reproduce these. No reply from reporter.