Bug 26095 - fontforge new security issues CVE-2020-5395 and CVE-2020-5496
Summary: fontforge new security issues CVE-2020-5395 and CVE-2020-5496
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-01-16 23:59 CET by David Walser
Modified: 2020-01-28 08:54 CET

See Also:
Source RPM: fontforge-20190413-1.mga7.src.rpm
CVE: CVE-2020-5395, CVE-2020-5496
Status comment:


Description David Walser 2020-01-16 23:59:59 CET
SUSE has issued an advisory today (January 16):
http://lists.suse.com/pipermail/sle-security-updates/2020-January/006374.html

Mageia 7 is also affected.
David Walser 2020-01-17 00:00:11 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-01-17 20:28:40 CET
Assigning globally as there is no obvious maintainer.

Assignee: bugsquad => pkg-bugs
CVE: (none) => CVE-2020-5395,CVE-2020-5496

Comment 2 Nicolas Salguero 2020-01-21 13:03:55 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd.c. (CVE-2020-5395)

FontForge 20190801 has a heap-based buffer overflow in the Type2NotDefSplines() function in splinesave.c. (CVE-2020-5496)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5395
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5496
http://lists.suse.com/pipermail/sle-security-updates/2020-January/006374.html
========================

Updated packages in core/updates_testing:
========================
fontforge-20190413-1.1.mga7
lib(64)fontforge-devel-20190413-1.1.mga7

from SRPMS:
fontforge-20190413-1.1.mga7.src.rpm

Version: Cauldron => 7
CC: (none) => nicolas.salguero
Source RPM: fontforge-20190801-4.mga8.src.rpm => fontforge-20190413-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: CVE-2020-5395,CVE-2020-5496 => CVE-2020-5395, CVE-2020-5496
Whiteboard: MGA7TOO => (none)

Comment 3 Len Lawrence 2020-01-21 17:11:43 CET
Mageia7, x86_64

Installed the two packages.

CVE-2020-5395
https://github.com/fontforge/fontforge/issues/4084
$ fontforge test01.sfd
Copyright (c) 2000-2018 by George Williams. See AUTHORS for Contributors.
[...]
realloc(): invalid pointer
Aborted (core dumped)

CVE-2020-5496
https://github.com/fontforge/fontforge/issues/4085
$ fontforge -lang ff -c 'Open("test02.sfd"); Generate("test02.otf")'
[...]
Warning: Font contained no glyphs
Number out of range: 2.14748e+09 in type2 output (must be [-65536,65535])
malloc(): invalid next size (unsorted)
Aborted (core dumped)

Updated fontforge packages.

CVE-2020-5395
$ fontforge test01.sfd.gz
[...]
sh: /data/qa/fontforge/test01.sfd.gz: No such file or directory

<Gui launches, accompanied by an error popup "Decompress Failed!">
On OK, a window comes up, displaying the .sfd and .otf files in the current directory.

CVE-2020-5496
$ fontforge -lang ff -c 'Open("test02.sfd"); Generate("test02.otf")'
[...]
Warning: Font contained no glyphs
Number out of range: 2.14748e+09 in type2 output (must be [-65536,65535])

<good result>

So, both issues have been dealt with.

In the absence of any font-building knowledge, I used this to display fonts only.
$ fontforge -display :0 gunplay.ttf

The Logo screen popped up for a second or two and the individual characters of the font were displayed in a separate window which also contained a menu for tools and options. The View option allows the user to magnify or diminish the displayed characters. Other fonts may be selected via the File option without removing the original window.

Tried a few other TTF fonts - all OK.
Also, other formats.
$ fontforge vibro.pfb
Showed Vibrocentric font OK.
$ fontforge bchb.pfa
Displays CharterBT-Bold.

This all looks good so far.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

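The checks in comment 3 were run by hand and judged from the terminal output. The script below is an added example, not part of this bug report or of FontForge: it re-runs the same two reproducers headlessly and decides pass/fail from the exit status and glibc heap diagnostics, which is what the "Aborted (core dumped)" lines above actually are. It assumes (my assumptions, not stated on the page) that the reproducers from the two upstream issues are saved as test01.sfd and test02.sfd in the current directory, that `Open()` in a `-lang ff` script exercises the same .sfd parser path as opening the file in the GUI, and that GNU `timeout(1)` from coreutils is available. It also refuses to run when a reproducer file is missing, since comment 3 shows that in that case fontforge just falls back to the GUI file chooser, which would otherwise look like a pass.

```shell
#!/bin/sh
# Added QA harness for this update. Not part of the Mageia bug report or of
# FontForge; it scripts the checks from comment 3 so the verdict comes from
# exit status and glibc diagnostics instead of reading the terminal.
#
# Assumptions (mine, not stated on the bug page): the reproducers from the
# upstream issues are saved as test01.sfd (issue 4084, CVE-2020-5395) and
# test02.sfd (issue 4085, CVE-2020-5496) in the current directory, and
# Open() in a -lang ff script takes the same .sfd parser path as the GUI.

FIXED_VR="20190413-1.1.mga7"   # version-release of the candidate (comment 2)

# classify_run STATUS STDERR_TEXT -> prints crash | timeout | clean
# Heap corruption caught by glibc ends in abort(): the shell sees exit 134
# (128 + SIGABRT) plus a "realloc(): invalid pointer" / "malloc(): invalid
# next size" line, exactly what comment 3 shows for the unfixed build.
classify_run() {
    status=$1
    errtext=$2
    case "$status" in
        124)     echo timeout; return 0 ;;   # GNU timeout(1) convention
        134|139) echo crash;   return 0 ;;   # SIGABRT / SIGSEGV
    esac
    case "$errtext" in
        *Aborted*|*"malloc(): "*|*"realloc(): "*|*"free(): "*|*"double free"*)
            echo crash; return 0 ;;
    esac
    # "Number out of range ... in type2 output" is a FontForge warning, not a
    # memory error: comment 3 shows it on the fixed build too, so it is clean.
    echo clean
}

# run_case LABEL CMD... -> prints "LABEL: result"; succeeds only on "clean".
# Captures stderr only; a hung parser is cut off after 60 s.
run_case() {
    label=$1; shift
    err=$(timeout 60 "$@" 2>&1 >/dev/null)
    st=$?
    result=$(classify_run "$st" "$err")
    echo "$label: $result"
    [ "$result" = clean ]
}

main() {
    # Comment 3 shows that a missing input makes fontforge fall back to the
    # GUI file chooser instead of parsing; refuse rather than report a pass.
    for f in test01.sfd test02.sfd; do
        [ -f "$f" ] || { echo "missing reproducer $f" >&2; return 2; }
    done
    # Make sure the package under test is the one from updates_testing.
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' fontforge) || return 2
    if [ "$vr" != "$FIXED_VR" ]; then
        echo "installed fontforge-$vr is not the candidate $FIXED_VR" >&2
        return 2
    fi
    fail=0
    # CVE-2020-5395: use-after-free in SFD_GetFontMetaData while the .sfd loads
    run_case CVE-2020-5395 fontforge -lang ff -c 'Open("test01.sfd")' || fail=1
    # CVE-2020-5496: heap overflow in Type2NotDefSplines while writing the OTF
    run_case CVE-2020-5496 fontforge -lang ff -c \
        'Open("test02.sfd"); Generate("test02.otf")' || fail=1
    return $fail
}

# Runs the live checks only when asked: sh check_fontforge.sh run
case "${1:-}" in
    run) main; exit $? ;;
esac
```

The script name `check_fontforge.sh` is my choice. Run it as `sh check_fontforge.sh run` on the QA machine after installing the candidate package; the version check stops it from silently testing the old 20190413-1.mga7 build, and no `-display` is needed because both cases go through the `-lang ff -c` scripting path used in comment 3.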
Comment 4 Thomas Andrews 2020-01-22 19:07:22 CET
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 David Walser 2020-01-23 23:28:34 CET
openSUSE has issued an advisory for this on January 22:
https://lists.opensuse.org/opensuse-updates/2020-01/msg00090.html

(I'd use that in the advisory instead of the SUSE one, not that it matters much)
Comment 6 Lewis Smith 2020-01-27 21:34:12 CET
Heeded the note above for the advisory.

Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-01-28 08:54:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0057.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

