CVE-2024-25081
Splinefont in FontForge through 20230101 allows command injection via crafted filenames.

CVE-2024-25082
Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files.

Fix for both has been applied in gh master branch upstream:
https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429
but no new release at time of writing.

https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/
https://nvd.nist.gov/vuln/detail/CVE-2024-25081
https://nvd.nist.gov/vuln/detail/CVE-2024-25082

Reproducible: Didn't try
Thanks for reporting. Ping fonts@.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26a218c56917878f75b6fa995d3336de799462f1

commit 26a218c56917878f75b6fa995d3336de799462f1
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-24 13:21:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-03 11:18:53 +0000

    media-gfx/fontforge: Add security patch

    - CVE-2024-25081, CVE-2024-25082
    - Tests pass
    - Revbump

    Bug: https://bugs.gentoo.org/926521
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36405
    Signed-off-by: Sam James <sam@gentoo.org>

 ...01-fix-splinefont-shell-command-injection.patch | 174 +++++++++++++++++++++
 media-gfx/fontforge/fontforge-20230101-r1.ebuild   | 111 +++++++++++++
 2 files changed, 285 insertions(+)