CVE-2020-5496 (https://nvd.nist.gov/vuln/detail/CVE-2020-5496): FontForge 20190801 has a heap-based buffer overflow in the Type2NotDefSplines() function in splinesave.c.
Added to an existing GLSA.
I suppose this is fixed in fontforge-20200314.
(In reply to Mike Gilbert from comment #2) > I suppose this is fixed in fontforge-20200314. Looks like it: https://github.com/fontforge/fontforge/commit/048a91e2682c1a8936ae34dbc7bd70291ec05410
Ok, I would like to give this version around a week in ~arch before stabilizing it. Let's revisit this on Sunday, April 5.
CVE-2019-15785 (https://nvd.nist.gov/vuln/detail/CVE-2019-15785): FontForge 20190813 through 20190820 has a buffer overflow in PrefsUI_LoadPrefs in prefs.c.
(In reply to Mike Gilbert from comment #4) > Ok, I would like to give this version around a week in ~arch before > stabilizing it. Let's revisit this on Sunday, April 5. Whoops. Forgot about this. How're we looking?
Sanity check failed: > media-gfx/fontforge-20200314 > bdepend ppc stable profile default/linux/powerpc/ppc32/17.0 (10 total) > media-libs/woff2:0= > depend ppc stable profile default/linux/powerpc/ppc32/17.0 (10 total) > media-libs/woff2:0= > rdepend ppc stable profile default/linux/powerpc/ppc32/17.0 (10 total) > media-libs/woff2:0=
All sanity-check issues have been resolved
arm stable
x86 stable
amd64 stable
ppc stable
Sanity check failed: > media-gfx/fontforge-20200314 > bdepend sparc stable profile default/linux/sparc/17.0 (8 total) > media-libs/woff2:0= > depend sparc stable profile default/linux/sparc/17.0 (8 total) > media-libs/woff2:0= > rdepend sparc stable profile default/linux/sparc/17.0 (8 total) > media-libs/woff2:0=
sparc stable
Sanity check failed: > media-gfx/fontforge-20200314 > bdepend hppa stable profile default/linux/hppa/17.0 (3 total) > media-libs/woff2:0= > depend hppa stable profile default/linux/hppa/17.0 (3 total) > media-libs/woff2:0= > rdepend hppa stable profile default/linux/hppa/17.0 (3 total) > media-libs/woff2:0=
hppa stable
arm64 stable
ppc64 stable
This issue was resolved and addressed in GLSA 202004-14 at https://security.gentoo.org/glsa/202004-14 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architecture.
s390 stable. Maintainer(s), please cleanup.
All done.