Bug 926521 (CVE-2024-25081, CVE-2024-25082) - <media-gfx/fontforge-20230101-r1: untrusted font files can lead to code execution
Summary: <media-gfx/fontforge-20230101-r1: untrusted font files can lead to code execu...
Alias: CVE-2024-25081, CVE-2024-25082
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B2 [stable?]
Keywords: PullRequest
Depends on:
Reported: 2024-03-08 18:25 UTC by Eddie Chapman
Modified: 2024-05-03 11:21 UTC

See Also:
Package list:
Runtime testing required: ---


Description Eddie Chapman 2024-03-08 18:25:22 UTC
CVE-2024-25081 Splinefont in FontForge through 20230101 allows command injection via crafted filenames.
CVE-2024-25082 Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files.

Fix for both has been applied in gh master branch upstream:

but no new release at time of writing.

Reproducible: Didn't try
Comment 1 John Helmert III 2024-03-17 03:56:58 UTC
Thanks for reporting. Ping fonts@.
Comment 2 Larry the Git Cow 2024-05-03 11:20:43 UTC
The bug has been referenced in the following commit(s):

commit 26a218c56917878f75b6fa995d3336de799462f1
Author:     Christopher Fore <>
AuthorDate: 2024-04-24 13:21:02 +0000
Commit:     Sam James <>
CommitDate: 2024-05-03 11:18:53 +0000

    media-gfx/fontforge: Add security patch
    - CVE-2024-25081, CVE-2024-25082
    - Tests pass
    - Revbump
    Signed-off-by: Christopher Fore <>
    Signed-off-by: Sam James <>

 ...01-fix-splinefont-shell-command-injection.patch | 174 +++++++++++++++++++++
 media-gfx/fontforge/fontforge-20230101-r1.ebuild   | 111 +++++++++++++
 2 files changed, 285 insertions(+)