Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/03/08/2
https://github.com/advisories/GHSA-rjx3-xwwm-jhj5
https://github.com/advisories/GHSA-2j3h-j2q3-wxp3

The following commit fixes the problem:
https://github.com/fontforge/fontforge/pull/5367

Mageia 9 is also affected.

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => fontforge-20230101-2.mga10.src.rpm
CVE: (none) => CVE-2024-25081, CVE-2024-25082
(In reply to Nicolas Salguero from comment #0)
> The following commit fixes the problem:
> https://github.com/fontforge/fontforge/pull/5367

I think it is the 'Files Changed' tab:
https://github.com/fontforge/fontforge/pull/5367/files
which gives the actual patch; which is big...

No obvious packager for this SRPM, so assigning globally.
DavidG committed the current version, so CC'ing him.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Splinefont in FontForge through 20230101 allows command injection via crafted filenames. (CVE-2024-25081)

Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files. (CVE-2024-25082)

References:
https://www.openwall.com/lists/oss-security/2024/03/08/2
https://github.com/advisories/GHSA-rjx3-xwwm-jhj5
https://github.com/advisories/GHSA-2j3h-j2q3-wxp3
========================

Updated packages in core/updates_testing:
========================
fontforge-20220308-2.1.mga9
fontforge-doc-20220308-2.1.mga9
lib(64)fontforge4-20220308-2.1.mga9

from SRPM:
fontforge-20220308-2.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Source RPM: fontforge-20230101-2.mga10.src.rpm => fontforge-20220308-2.mga9.src.rpm
Status: NEW => ASSIGNED
Keywords: (none) => advisory
mga9, x64

Had a go at the PoC for CVE-2024-25082
https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/

Created makepoc.py

$ touch archive.zip\;id\;.zip
$ python makepoc.py
$ fontforge -lang=ff -c 'Open($1);' 'archive.zip;id;.zip'
Copyright (c) 2000-2022. See AUTHORS for Contributors.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[...]
unzip: cannot find or open /run/media/lcl/Toshiba/qa/fontforge/archive.zip, /run/media/lcl/Toshiba/qa/fontforge/archive.zip.zip or /run/media/lcl/Toshiba/qa/fontforge/archive.zip.ZIP.
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),950(vboxusers),951(wireshark),954(docker)
sh: line 1: .zip: command not found
Open: Failed to open: archive.zip;id;.zip
Called from...
<command-string>: line 1

$ tar tf poc.tar
$(touch /tmp/poc)
$ cat poc.tar
$(touch /tmp/poc)0000644000000000000000000000000000000000000010606 0ustar00lcl@yildun:fontforge

Updated the packages. Ran the PoC again.

$ fontforge -lang=ff -c 'Open($1);' 'archive.zip;id;.zip'
Copyright (c) 2000-2024. See AUTHORS for Contributors.
[...]
Open: Failed to open: archive.zip;id;.zip
Called from...
<command-string>: line 1

That looks better, no id command was run.

Used fontforge to look at a few TTF and PostScript fonts.

$ fontforge -display :0 andalemo.ttf
Logo appeared in a temporary window and a separate view of the font characters.

$ fontforge -display :0 pinewood.ttf
This one also displayed fine but quoted copyright. I lied about having permission to edit it since I had no intention of doing that.

This mode can also provide a filemenu for choosing the font. That worked fine for xclois.ttf (= CloisterBlack).

$ fontforge -display :0 /usr/share/texmf-dist/fonts/type1/public/txfonts/rtxmi.pfb
and gemelli.pfb from a user directory. Those worked as well.

This is as far as it goes for me.

CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK
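The PoC output above shows the whole mechanism: the shell that received the command string split 'archive.zip;id;.zip' at the semicolons, so unzip was handed only 'archive.zip', then 'id' ran, then '.zip' failed as a command. The following is an added illustration written for this report, not FontForge's code and not the patch from PR 5367. It contrasts a hypothetical `run_via_shell()` that splices a filename into a popen() command string (the vulnerable shape) with a hypothetical `run_via_execvp()` that passes an argv[] to the child with no shell in between. `echo` stands in for unzip/tar so it runs anywhere, and the injected command is a harmless `echo INJECTED` rather than `id`; the filename is constructed to mirror the PoC name.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed filename in the same shape as the PoC's 'archive.zip;id;.zip';
 * the injected command is a harmless `echo INJECTED` instead of `id`. */
static const char *EVIL_NAME = "font.zip;echo INJECTED;.zip";

/* Read a child's stdout from fd into buf (NUL-terminated, truncated at cap-1). */
static void slurp(int fd, char *buf, size_t cap) {
    size_t n = 0;
    ssize_t r;
    while (n + 1 < cap && (r = read(fd, buf + n, cap - n - 1)) > 0)
        n += (size_t)r;
    buf[n] = '\0';
}

/* VULNERABLE pattern (hypothetical, not FontForge's code): splice the
 * filename into a command string and hand it to /bin/sh via popen().
 * The shell tokenises the string, so ';' ends the tool's command and
 * starts a new one. Returns the status from pclose(). */
int run_via_shell(const char *tool, const char *filename, char *out, size_t cap) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s %s", tool, filename);   /* unquoted */
    FILE *p = popen(cmd, "r");                             /* == sh -c cmd */
    if (p == NULL) return -1;
    slurp(fileno(p), out, cap);
    return pclose(p);
}

/* HARDENED pattern: no shell at all. argv[] goes straight to execvp(), so
 * the filename reaches the tool as one argument, metacharacters included.
 * Returns the child's wait status. */
int run_via_execvp(char *const argv[], char *out, size_t cap) {
    int fds[2];
    int status = -1;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                       /* only reached if exec failed */
    }
    close(fds[1]);                        /* parent */
    slurp(fds[0], out, cap);
    close(fds[0]);
    waitpid(pid, &status, 0);
    return status;
}

/* Stdout of `echo <EVIL_NAME>` when built as a shell string:
 * the second command runs, the third fails on stderr. */
const char *shell_demo(void) {
    static char out[256];
    run_via_shell("echo", EVIL_NAME, out, sizeof out);
    return out;                    /* "font.zip\nINJECTED\n" */
}

/* Stdout of the same call when passed as argv: one opaque argument. */
const char *execvp_demo(void) {
    static char out[256];
    char *argv[] = { "echo", (char *)EVIL_NAME, NULL };
    run_via_execvp(argv, out, sizeof out);
    return out;                    /* "font.zip;echo INJECTED;.zip\n" */
}

int main(void) {
    printf("--- via shell (vulnerable) ---\n%s", shell_demo());
    printf("--- via execvp (hardened) ---\n%s", execvp_demo());
    return 0;
}
```

The same reasoning covers the tar case from the report: a member named `$(touch /tmp/poc)` is only dangerous if the listing is later pasted into a command string that a shell expands; handed to a tool as an argv element it is just an odd filename. Quoting or escaping the string for the shell is the fragile alternative; dropping the shell from the call path removes the class of bug.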
Created attachment 14476 [details] Recipe for creating a test tar file for CVE-2024-25082 Run it with python3 or make executable and use ./makepoc.py.
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
The advisory is missing the SRPM name.
CC: (none) => dan
(In reply to Dan Fandrich from comment #6)
> The advisory is missing the SRPM name.

Fixed
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0082.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED