Bug 32956

Summary: fontforge new security issues CVE-2024-2508[12]
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, dan, geiger.david68210, sysadmin-bugs, tarazed25
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: fontforge-20220308-2.mga9.src.rpm CVE: CVE-2024-25081, CVE-2024-25082
Status comment:
Attachments: Recipe for creating a test tar file for CVE-2024-25082

Description Nicolas Salguero 2024-03-11 10:04:13 CET 
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/03/08/2
https://github.com/advisories/GHSA-rjx3-xwwm-jhj5
https://github.com/advisories/GHSA-2j3h-j2q3-wxp3

The following commit fixes the problem:
https://github.com/fontforge/fontforge/pull/5367

Mageia 9 is also affected.
Nicolas Salguero 2024-03-11 10:05:07 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => fontforge-20230101-2.mga10.src.rpm
CVE: (none) => CVE-2024-25081, CVE-2024-25082

Comment 1 Lewis Smith 2024-03-12 21:07:06 CET 
(In reply to Nicolas Salguero from comment #0)
> The following commit fixes the problem:
> https://github.com/fontforge/fontforge/pull/5367
I think it is the 'Files Changed' tab:
 https://github.com/fontforge/fontforge/pull/5367/files
which gives the actual patch; which is big...

No obvious packager for this SRPM, so assigning globally. DavidG committed the current version, so CC'ing him.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210

Comment 2 Nicolas Salguero 2024-03-19 15:42:32 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Splinefont in FontForge through 20230101 allows command injection via crafted filenames. (CVE-2024-25081)

Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files. (CVE-2024-25082)

References:
https://www.openwall.com/lists/oss-security/2024/03/08/2
https://github.com/advisories/GHSA-rjx3-xwwm-jhj5
https://github.com/advisories/GHSA-2j3h-j2q3-wxp3
========================

Updated packages in core/updates_testing:
========================
fontforge-20220308-2.1.mga9
fontforge-doc-20220308-2.1.mga9
lib(64)fontforge4-20220308-2.1.mga9

from SRPM:
fontforge-20220308-2.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Source RPM: fontforge-20230101-2.mga10.src.rpm => fontforge-20220308-2.mga9.src.rpm
Status: NEW => ASSIGNED

katnatek 2024-03-19 20:10:55 CET

Keywords: (none) => advisory

Comment 3 Len Lawrence 2024-03-21 19:47:38 CET 
mga9, x64

Had a go at the PoC for
CVE-2024-25082
https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/

Created makepoc.py
$ touch archive.zip\;id\;.zip
$ python makepoc.py
$ fontforge -lang=ff -c 'Open($1);' 'archive.zip;id;.zip'
Copyright (c) 2000-2022. See AUTHORS for Contributors.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[...]
unzip:  cannot find or open /run/media/lcl/Toshiba/qa/fontforge/archive.zip, /run/media/lcl/Toshiba/qa/fontforge/archive.zip.zip or /run/media/lcl/Toshiba/qa/fontforge/archive.zip.ZIP.
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),950(vboxusers),951(wireshark),954(docker)
sh: line 1: .zip: command not found
Open: Failed to open: archive.zip;id;.zip
Called from...
 <command-string>: line 1

$ tar tf poc.tar
$(touch /tmp/poc)
$ cat poc.tar
$(touch /tmp/poc)0000644000000000000000000000000000000000000010606 0ustar00lcl@yildun:fontforge

Updated the packages.
Ran the PoC again.
$ fontforge -lang=ff -c 'Open($1);' 'archive.zip;id;.zip'
Copyright (c) 2000-2024. See AUTHORS for Contributors.
[...]
Open: Failed to open: archive.zip;id;.zip
Called from...
 <command-string>: line 1

That looks better, no id command was run.

Used fontforge to look at a few TTF and PostScript fonts.
$ fontforge -display :0 andalemo.ttf
Logo appeared in a temporary window and a separate view of the font characters.
$ fontforge -display :0 pinewood.ttf
This one also displayed fine but quoted copyright.  I lied about having permission to edit it since I had no intention of doing that.

This mode can also provide a filemenu for choosing the font.
That worked fine for xclois.ttf (= CloisterBlack).

$ fontforge -display :0 /usr/share/texmf-dist/fonts/type1/public/txfonts/rtxmi.pfb
and gemelli.pfb from a user directory.
Those worked as well.

This is as far as it goes for me.

CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK

Comment 4 Len Lawrence 2024-03-21 19:52:36 CET 
Created attachment 14476 [details]
Recipe for creating a test tar file for CVE-2024-25082

Run it with python3 or make executable and use ./makepoc.py.
Comment 5 Thomas Andrews 2024-03-21 20:19:44 CET 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Dan Fandrich 2024-03-22 00:13:49 CET 
The advisory is missing the SRPM name.

CC: (none) => dan

Comment 7 katnatek 2024-03-22 00:18:23 CET 
(In reply to Dan Fandrich from comment #6)
> The advisory is missing the SRPM name.

Fixed
Comment 8 Mageia Robot 2024-03-22 01:21:19 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0082.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED