Bug 926521 (CVE-2024-25081, CVE-2024-25082) - <media-gfx/fontforge-20230101-r1: untrusted font files can lead to code execution
Summary: <media-gfx/fontforge-20230101-r1: untrusted font files can lead to code execu...
Status: IN_PROGRESS
Alias: CVE-2024-25081, CVE-2024-25082
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://www.canva.dev/blog/engineerin...
Whiteboard: B2 [stable?]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2024-03-08 18:25 UTC by Eddie Chapman
Modified: 2024-05-03 11:21 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Eddie Chapman 2024-03-08 18:25:22 UTC
CVE-2024-25081 Splinefont in FontForge through 20230101 allows command injection via crafted filenames.
CVE-2024-25082 Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files.

Fix for both has been applied in gh master branch upstream:

https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429

but no new release at time of writing.

https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/
https://nvd.nist.gov/vuln/detail/CVE-2024-25081
https://nvd.nist.gov/vuln/detail/CVE-2024-25082

Reproducible: Didn't try
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-03-17 03:56:58 UTC
Thanks for reporting. Ping fonts@.
Comment 2 Larry the Git Cow gentoo-dev 2024-05-03 11:20:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26a218c56917878f75b6fa995d3336de799462f1

commit 26a218c56917878f75b6fa995d3336de799462f1
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-24 13:21:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-03 11:18:53 +0000

    media-gfx/fontforge: Add security patch
    
    - CVE-2024-25081, CVE-2024-25082
    - Tests pass
    - Revbump
    
    Bug: https://bugs.gentoo.org/926521
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36405
    Signed-off-by: Sam James <sam@gentoo.org>

 ...01-fix-splinefont-shell-command-injection.patch | 174 +++++++++++++++++++++
 media-gfx/fontforge/fontforge-20230101-r1.ebuild   | 111 +++++++++++++
 2 files changed, 285 insertions(+)