Bug 35091 - fontforge new security issues CVE-2025-15269, CVE-2025-15270, CVE-2025-15275, CVE-2025-15279
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-02-02 16:40 CET by Nicolas Salguero
Modified: 2026-02-09 23:54 CET

See Also:
Source RPM: fontforge-20220308-2.1.mga9.src.rpm
CVE: CVE-2025-15269, CVE-2025-15270, CVE-2025-15275, CVE-2025-15279
Status comment:
herman.viaene: test_passed_mga9_64+



Nicolas Salguero 2026-02-02 16:41:33 CET

Source RPM: (none) => fontforge-20251009-1.mga10.src.rpm, fontforge-20220308-2.1.mga9.src.rpm
Flags: (none) => affects_mga9+
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-15269, CVE-2025-15270, CVE-2025-15275, CVE-2025-15279
Status comment: (none) => Patches available from upstream

Comment 1 Nicolas Salguero 2026-02-02 16:57:05 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. (CVE-2025-15269)

FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. (CVE-2025-15270)

FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. (CVE-2025-15275)

FontForge GUtils BMP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. (CVE-2025-15279)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NFM3OPUTYR55GA65K3XOPK3FXAH7EWEJ/
https://github.com/advisories/GHSA-hp8x-4h95-9799
========================

Updated packages in core/updates_testing:
========================
fontforge-20220308-2.2.mga9
fontforge-doc-20220308-2.2.mga9
lib(64)fontforge4-20220308-2.2.mga9

from SRPM:
fontforge-20220308-2.2.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Source RPM: fontforge-20251009-1.mga10.src.rpm, fontforge-20220308-2.1.mga9.src.rpm => fontforge-20220308-2.1.mga9.src.rpm
Flags: affects_mga9+ => (none)
Version: Cauldron => 9
Status comment: Patches available from upstream => (none)
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED

katnatek 2026-02-03 00:19:28 CET

Keywords: (none) => advisory

Comment 2 Herman Viaene 2026-02-03 11:04:42 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Consulted a few previous updates, but run into a problem
cd /usr/share/fonts/ttf/western/
$ fontforge -display :0  babelfish.ttf 
Copyright (c) 2000-2026. See AUTHORS for Contributors.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 with many parts BSD <http://fontforge.org/license.html>. Please read LICENSE.
 Version: 20220308
 Based on sources from 2026-02-02 15:45 UTC-ML-D-GDK3.
Authorization required, but no authorization protocol specified

Could not open screen.

When I run the commands as root, I get the same result.

CC: (none) => herman.viaene

Comment 3 katnatek 2026-02-03 18:08:12 CET
(In reply to Herman Viaene from comment #2)
> MGA9-64 server Plasma Wayland on Compaq H000SB.
> No installation issues.
> Consulted a few previous updates, but run into a problem
> cd /usr/share/fonts/ttf/western/
> $ fontforge -display :0  babelfish.ttf 
> Copyright (c) 2000-2026. See AUTHORS for Contributors.
>  License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>
>  with many parts BSD <http://fontforge.org/license.html>. Please read
> LICENSE.
>  Version: 20220308
>  Based on sources from 2026-02-02 15:45 UTC-ML-D-GDK3.
> Authorization required, but no authorization protocol specified
> 
> Could not open screen.
> 
> When I run the commands as root, I get the same result.

I think the application is not Wayland ready, I'll test

Comment 4 Herman Viaene 2026-02-03 18:25:47 CET
Indeed, I tested in PlasmaX11 and the tool displays OK, I can navigate in it.
So, can this go with this restriction??

Comment 5 katnatek 2026-02-03 18:29:18 CET
Current

rpm -q fontforge
fontforge-20220308-2.1.mga9

fontforge /usr/share/fonts/ttf/western/Adventure.ttf 
Copyright (c) 2000-2024. See AUTHORS for Contributors.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 with many parts BSD <http://fontforge.org/license.html>. Please read LICENSE.
 Version: 20220308
 Based on sources from 2024-03-19 14:25 UTC-ML-D-GDK3.


Works on Plasma Wayland normal user & root

installing fontforge-20220308-2.2.mga9.x86_64.rpm lib64fontforge4-20220308-2.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/2: lib64fontforge4       ###################################################################################################
      2/2: fontforge             ###################################################################################################
      1/2: removing fontforge-20220308-2.1.mga9.x86_64
                                 ###################################################################################################
      2/2: removing lib64fontforge4-20220308-2.1.mga9.x86_64
                                 ###################################################################################################

Working for me, I'll test closing session

Comment 6 katnatek 2026-02-03 18:34:26 CET
Works after close/start session
After delete .config/fontforge

@Herman did you see something in 

.local/share/sddm/wayland-session.log

That could help to debug the cause of the fail for you?

Comment 7 Herman Viaene 2026-02-05 11:12:57 CET
Contents of that file after failure to launch the test command as in Comment 3 above:
kf.coreaddons.kaboutdata: QGuiApplication::applicationDisplayName "" is out-of-sync with KAboutData::applicationData().displayName "startplasma-wayland"
kf.coreaddons.kaboutdata: QGuiApplication::applicationDisplayName "" is out-of-sync with KAboutData::applicationData().displayName "startplasma-wayland"

Comment 8 katnatek 2026-02-05 20:40:23 CET
(In reply to Herman Viaene from comment #2)
> MGA9-64 server Plasma Wayland on Compaq H000SB.
> No installation issues.
> Consulted a few previous updates, but run into a problem
> cd /usr/share/fonts/ttf/western/
> $ fontforge -display :0  babelfish.ttf 

I think this is the issue on Wayland, please test without -display :0
It is not necessary, I did not use it in my test

Comment 9 Herman Viaene 2026-02-06 11:29:31 CET
(In reply to katnatek from comment #8)
> (In reply to Herman Viaene from comment #2)
> > MGA9-64 server Plasma Wayland on Compaq H000SB.
> > No installation issues.
> > Consulted a few previous updates, but run into a problem
> > cd /usr/share/fonts/ttf/western/
> > $ fontforge -display :0  babelfish.ttf 
> 
> I think this is the issue on wayland, please test without -display :0
> It is not necessary, I did not use it in my test

Indeed, in Wayland without the "-display :0" it works OK.
This is IMHO a usage restriction, but I think it should not block this update.

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 10 katnatek 2026-02-07 01:47:03 CET
(In reply to Herman Viaene from comment #9)
> (In reply to katnatek from comment #8)
> > (In reply to Herman Viaene from comment #2)
> > > MGA9-64 server Plasma Wayland on Compaq H000SB.
> > > No installation issues.
> > > Consulted a few previous updates, but run into a problem
> > > cd /usr/share/fonts/ttf/western/
> > > $ fontforge -display :0  babelfish.ttf 
> > 
> > I think this is the issue on wayland, please test without -display :0
> > It is not necessary, I did not use it in my test
> 
> Indeed, in Wayland without the "-display :0" it works OK.
> This is IMHO a usage restriction, but I think it should not block
> this update.

That notation is for screens under X11, I do not think that could be used in Wayland without some dark magic

Comment 11 katnatek 2026-02-07 02:01:55 CET
My mistake, it is possible, but you have to pass the right display under Wayland

echo $DISPLAY
:1

fontforge -display :1 /usr/share/fonts/ttf/western/Adventure.ttf

That works

Comment 12 Thomas Andrews 2026-02-09 00:46:58 CET
Validating to get the security updates out.

The Wayland issue should be addressed in another bug.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 13 Mageia Robot 2026-02-09 20:57:25 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0034.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 14 katnatek 2026-02-09 23:54:06 CET
(In reply to Thomas Andrews from comment #12)
> Validating to get the security updates out.
> 
> The Wayland issue should be addressed in another bug.

For me it is not a bug, it is part of how Plasma Wayland works in mga9
