Bug 32956 - fontforge new security issues CVE-2024-2508[12]
Summary: fontforge new security issues CVE-2024-2508[12]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-03-11 10:04 CET by Nicolas Salguero
Modified: 2024-03-22 01:21 CET
CC List: 5 users

See Also:
Source RPM: fontforge-20220308-2.mga9.src.rpm
CVE: CVE-2024-25081, CVE-2024-25082
Status comment:


Attachments
Recipe for creating a test tar file for CVE-2024-25082 (208 bytes, text/x-python3)
2024-03-21 19:52 CET, Len Lawrence

Description Nicolas Salguero 2024-03-11 10:04:13 CET
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/03/08/2
https://github.com/advisories/GHSA-rjx3-xwwm-jhj5
https://github.com/advisories/GHSA-2j3h-j2q3-wxp3

The following commit fixes the problem:
https://github.com/fontforge/fontforge/pull/5367

Mageia 9 is also affected.
Nicolas Salguero 2024-03-11 10:05:07 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => fontforge-20230101-2.mga10.src.rpm
CVE: (none) => CVE-2024-25081, CVE-2024-25082

Comment 1 Lewis Smith 2024-03-12 21:07:06 CET
(In reply to Nicolas Salguero from comment #0)
> The following commit fixes the problem:
> https://github.com/fontforge/fontforge/pull/5367
I think it is the 'Files Changed' tab:
 https://github.com/fontforge/fontforge/pull/5367/files
which gives the actual patch, which is big...

No obvious packager for this SRPM, so assigning globally. DavidG committed the current version, so CC'ing him.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210

Comment 2 Nicolas Salguero 2024-03-19 15:42:32 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Splinefont in FontForge through 20230101 allows command injection via crafted filenames. (CVE-2024-25081)

Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files. (CVE-2024-25082)

References:
https://www.openwall.com/lists/oss-security/2024/03/08/2
https://github.com/advisories/GHSA-rjx3-xwwm-jhj5
https://github.com/advisories/GHSA-2j3h-j2q3-wxp3
========================

Updated packages in core/updates_testing:
========================
fontforge-20220308-2.1.mga9
fontforge-doc-20220308-2.1.mga9
lib(64)fontforge4-20220308-2.1.mga9

from SRPM:
fontforge-20220308-2.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Source RPM: fontforge-20230101-2.mga10.src.rpm => fontforge-20220308-2.mga9.src.rpm
Status: NEW => ASSIGNED

katnatek 2024-03-19 20:10:55 CET

Keywords: (none) => advisory

Comment 3 Len Lawrence 2024-03-21 19:47:38 CET
mga9, x64

Had a go at the PoC for
CVE-2024-25082
https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/

Created makepoc.py
$ touch archive.zip\;id\;.zip
$ python makepoc.py
$ fontforge -lang=ff -c 'Open($1);' 'archive.zip;id;.zip'
Copyright (c) 2000-2022. See AUTHORS for Contributors.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[...]
unzip:  cannot find or open /run/media/lcl/Toshiba/qa/fontforge/archive.zip, /run/media/lcl/Toshiba/qa/fontforge/archive.zip.zip or /run/media/lcl/Toshiba/qa/fontforge/archive.zip.ZIP.
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),950(vboxusers),951(wireshark),954(docker)
sh: line 1: .zip: command not found
Open: Failed to open: archive.zip;id;.zip
Called from...
 <command-string>: line 1

$ tar tf poc.tar
$(touch /tmp/poc)
$ cat poc.tar
$(touch /tmp/poc)0000644000000000000000000000000000000000000010606 0ustar00lcl@yildun:fontforge

Updated the packages.
Ran the PoC again.
$ fontforge -lang=ff -c 'Open($1);' 'archive.zip;id;.zip'
Copyright (c) 2000-2024. See AUTHORS for Contributors.
[...]
Open: Failed to open: archive.zip;id;.zip
Called from...
 <command-string>: line 1

That looks better, no id command was run.

Used fontforge to look at a few TTF and PostScript fonts.
$ fontforge -display :0 andalemo.ttf
Logo appeared in a temporary window and a separate view of the font characters.
$ fontforge -display :0 pinewood.ttf
This one also displayed fine but quoted copyright. I lied about having permission to edit it since I had no intention of doing that.

This mode can also provide a filemenu for choosing the font.
That worked fine for xclois.ttf (= CloisterBlack).

$ fontforge -display :0 /usr/share/texmf-dist/fonts/type1/public/txfonts/rtxmi.pfb
and gemelli.pfb from a user directory.
Those worked as well.

This is as far as it goes for me.

CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK
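The PoC in the comment above works because a filename (CVE-2024-25081) or an archive member name (CVE-2024-25082) is spliced into a shell command line, so `;id;` and `$(touch /tmp/poc)` are interpreted by `sh`. The following is an added example, not FontForge code and not the patch from PR 5367: it shows that unsafe string-building pattern next to the hardened form, which passes the untrusted name as exactly one argv element and spawns the tool without a shell. The function names, the `/tmp/extract` directory and the use of `tar` as the external tool are assumptions for this illustration; the sample names are the constructed ones from the PoC.

```c
/* Added example (not FontForge's own code): shell-string construction from an
 * untrusted name versus an argv-based spawn that never touches a shell.
 * Helper names, the extract directory and the choice of tar are assumptions. */
#include <stdio.h>
#include <string.h>
#include <spawn.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* UNSAFE pattern: the name is pasted into a command line that a shell would
 * parse. A constructed name such as "archive.zip;id;.zip" (as in the PoC)
 * becomes three shell commands. This function only builds the string and
 * returns 0 on success; nothing here executes it. */
int build_tar_command_unsafe(const char *name, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "tar -x -C /tmp/extract -f %s", name);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* SAFE pattern: the name becomes a single argv element, the argument of -f,
 * so ';', '$(...)', quotes and a leading '-' are all plain bytes to tar.
 * argv must hold at least 7 pointers; returns the argument count. */
int build_tar_argv_safe(const char *name, char **argv) {
    argv[0] = "tar";
    argv[1] = "-x";
    argv[2] = "-C";
    argv[3] = "/tmp/extract";
    argv[4] = "-f";
    argv[5] = (char *)name;
    argv[6] = NULL;
    return 6;
}

/* Defence in depth: flag names carrying shell metacharacters before they
 * reach any external tool. Returns 1 if one is present, else 0. This check is
 * not a substitute for avoiding the shell; it is a cheap additional gate. */
int has_shell_metachars(const char *name) {
    return strpbrk(name, ";|&$`\"'\\<>(){}[]*?~ \t\n") != NULL;
}

/* Spawn argv directly (PATH search, no shell) and return the child's exit
 * status, or -1 on spawn/wait failure. */
int run_argv(char *const argv[]) {
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *poc = "archive.zip;id;.zip";   /* constructed, from the PoC */
    char cmd[256];
    char *argv[8];
    build_tar_command_unsafe(poc, cmd, sizeof cmd);
    printf("unsafe command line a shell would split: %s\n", cmd);
    build_tar_argv_safe(poc, argv);
    printf("safe argv[5] (one argument, never parsed): %s\n", argv[5]);
    printf("metacharacters present: %d\n", has_shell_metachars(poc));
    return 0;
}
```

The same rule covers the archive-member case: a name such as `$(touch /tmp/poc)` read back from `tar tf` output is data, and it must be handed to the next tool through argv, never through a command string.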

Comment 4 Len Lawrence 2024-03-21 19:52:36 CET
Created attachment 14476
Recipe for creating a test tar file for CVE-2024-25082

Run it with python3 or make it executable and use ./makepoc.py.
Comment 5 Thomas Andrews 2024-03-21 20:19:44 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Dan Fandrich 2024-03-22 00:13:49 CET
The advisory is missing the SRPM name.

CC: (none) => dan

Comment 7 katnatek 2024-03-22 00:18:23 CET
(In reply to Dan Fandrich from comment #6)
> The advisory is missing the SRPM name.

Fixed
Comment 8 Mageia Robot 2024-03-22 01:21:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0082.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

