Red Hat has issued an advisory on November 3: https://access.redhat.com/errata/RHSA-2020:4844
If we backported the same patch in Bug 26095, we may have the issue.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

SFD_GetFontMetaData() insufficient CVE-2020-5395 backport. (CVE-2020-25690)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25690
https://access.redhat.com/errata/RHSA-2020:4844
========================

Updated packages in core/updates_testing:
========================
fontforge-20190413-1.2.mga7
lib(64)fontforge-devel-20190413-1.2.mga7

from SRPM:
fontforge-20190413-1.2.mga7.src.rpm
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
CVE: (none) => CVE-2020-25690
Summary: fontforge possible new security issue CVE-2020-25690 => fontforge new security issue CVE-2020-25690
CC: (none) => nicolas.salguero
mga7, x64

fontforge updated cleanly but the development package would not because it depends on a python package older than the installed one:
lib64python3-devel-3.7.6-1.mga7

How do we get out of this situation?
Keywords: (none) => feedback
CC: (none) => tarazed25
Did you install a python3 from updates_testing?
Cannot remember what has happened recently...

$ rpm -q python3
python3-3.7.8-1.mga7

No idea if that came from a testing repertory. No doubt there is some magic formula to determine that.
It looks like it. Just install the devel package from the same place.
With no updates_testing enabled:

$ sudo urpmi python3
A requested package cannot be installed:
python3-3.7.6-1.mga7.x86_64 (in order to keep python3-3.7.8-1.mga7.x86_64)
Continue installation anyway? (Y/n)

That might indicate that testing has been involved at some stage.
urpmi --downgrade might let you downgrade, but there's probably libs too. Either identify all of them and use rpm --force to go back, or just don't worry about it and install the devel package from updates_testing.
$ sudo urpmi python3-devel
The following package cannot be installed because it depends on packages that are older than the installed ones:
lib64python3-devel-3.7.6-1.mga7
Continue installation anyway? (Y/n) n

Enabled updates testing

$ urpmi.update -a
$ sudo urpmi --searchmedia "Updates Testing" python3-devel
No package named python3-devel

$ sudo urpmi --searchmedia "Updates Testing" lib64fontforge-devel
The following packages can't be installed because they depend on packages that are older than the installed ones:
lib64python3-devel-3.7.6-1.mga7
lib64fontforge-devel-20190413-1.2.mga7
Continue installation anyway? (Y/n)
While some packages may have been installed, there were failures.
The following packages can't be installed because they depend on packages that are older than the installed ones:
lib64python3-devel-3.7.6-1.mga7
lib64fontforge-devel-20190413-1.2.mga7
Continue installation anyway?

$ rpm -qa | grep lib64python3
lib64python3.7-stdlib-3.7.8-1.mga7
lib64python3.7-3.7.8-1.mga7
You need to install lib64python3-devel from updates_testing manually first before messing with fontforge.
I have managed to downgrade python3 and its libs.
That's the better solution. Just note that if you try to install fontforge's devel package with updates_testing enabled, you'll run into more problems, unless you install the python3 devel package beforehand.
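The "magic formula" asked about earlier in this thread, as an added example that is not code from the bug report or from Mageia's own tools: a small POSIX sh script that lists installed packages whose version-release is ahead of what the enabled media offer, which is the usual sign of leftovers from updates_testing. It assumes two plain-text inputs with one "name version-release" pair per line (the installed side can come from `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`; the media side is whatever listing you assemble from the enabled media) and relies on GNU `sort -V` for version ordering. The sample data in `demo` is constructed from the versions quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from Mageia's tools.
# Lists installed packages whose version-release is newer than the version
# the enabled media offer, which is what made lib64python3-devel
# uninstallable in the thread above.
#
# Assumptions: both inputs are text files with one "name version-release"
# pair per line. Installed side, for example:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# Media side: a listing you assemble from the enabled media.
# Version ordering uses GNU sort -V (coreutils).

# vercmp A B: prints "newer", "older" or "same" for A relative to B.
vercmp() {
    if [ "$1" = "$2" ]; then
        echo same
        return 0
    fi
    highest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)
    if [ "$highest" = "$1" ]; then
        echo newer
    else
        echo older
    fi
}

# find_ahead INSTALLED_FILE MEDIA_FILE
# Prints "name installed-version media-version" for every installed package
# that is newer than what the media offer. Packages the media do not know
# are skipped, since there is nothing to compare against.
find_ahead() {
    while read -r name ver; do
        [ -n "$name" ] || continue
        media_ver=$(awk -v n="$name" '$1 == n { print $2; exit }' "$2")
        [ -n "$media_ver" ] || continue
        if [ "$(vercmp "$ver" "$media_ver")" = newer ]; then
            echo "$name $ver $media_ver"
        fi
    done < "$1"
}

# Demo on constructed data mirroring the versions quoted in the thread:
# python3 and its stdlib are at 3.7.8 while the media carry 3.7.6.
demo() {
    inst=$(mktemp) && media=$(mktemp) || return 1
    cat > "$inst" <<'EOF'
python3 3.7.8-1.mga7
lib64python3.7-stdlib 3.7.8-1.mga7
lib64uninameslist-devel 20190305-1.mga7
EOF
    cat > "$media" <<'EOF'
python3 3.7.6-1.mga7
lib64python3.7-stdlib 3.7.6-1.mga7
lib64uninameslist-devel 20190305-1.mga7
EOF
    echo "Installed packages ahead of the enabled media:"
    find_ahead "$inst" "$media"
    rm -f "$inst" "$media"
}

demo
```

Anything the script prints is a candidate for `urpmi --downgrade` (or for installing the matching package from updates_testing, as advised above); packages that are merely different, not newer, are not reported.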
Comment 10 procedure successful.

$ sudo urpmi lib64fontforge-devel
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release (Official7.1-1)")
  lib64uninameslist-devel        20190305     1.mga7        x86_64
(medium "Core Updates Testing (Official7.1-5)")
  lib64fontforge-devel           20190413     1.2.mga7      x86_64
553KB of additional disk space will be used.
145KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n)
$MIRRORLIST: media/core/release/lib64uninameslist-devel-20190305-1.mga7.x86_64.rpm
$MIRRORLIST: media/core/updates_testing/lib64fontforge-devel-20190413-1.2.mga7.x86_64.rpm
installing lib64uninameslist-devel-20190305-1.mga7.x86_64.rpm lib64fontforge-devel-20190413-1.2.mga7.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
      1/2: lib64uninameslist-devel #############################################
      2/2: lib64fontforge-devel   #############################################

So, if you start with a tidy system there is no problem. Testing later. Not much for us to follow up on security issues. Thanks David for the advice.
Ran the older PoC tests again to show that the results agreed with those for bug #26095.

Opened the gui from the command line:
$ fontforge
Navigated to local fontpack directory which contains TTF font files. Selected acadian.ttf to display the character set. Selected a character, then Element from the menu, then selected 'glyph info' which raised what seemed to be an editing window showing Unicode information. Uncharted territory, so exited at that point.

Tried AlienEncounters:
$ fontforge -display :1 ALIEE___.TTF
This posted a warning - restricted - font and asked if user had permission of legal owner to edit - replied no.

Tried similar command for Alison Regular:
$ fontforge -display :1 alison.ttf
Reported that PostScript font name is invalid - not sure what that means because this font has been used on this machine after conversion to .afm and .pfb files and installed via type1inst. Nevertheless, the character set was displayed.

$ fontforge -display :1 gunplay.ttf
Copyright (c) 2000-2018 by George Williams. See AUTHORS for Contributors.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 with many parts BSD <http://fontforge.org/license.html>. Please read LICENSE.
 Based on sources from 13:17 UTC 6-Nov-2020-ML-D.
 Based on source from git with hash:
No problems there. There was a warning panel with messages like:
The glyph named hyphen is mapped to U+00AD
But its name indicates it should be mapped to U+002D.
All technical stuff.

$ fontforge -display :1 Ubuntu.ttf
All OK - displayed Ubuntu-Light glyphs and issued warnings about mappings.

Cannot take this any further but it works as a font viewer.
Whiteboard: (none) => MGA7-64-OK
Keywords: feedback => (none)
Validating update
Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0405.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED