#13488 closed defect (fixed)
fontforge-20200314
Reported by: | | Owned by: |
---|---|---|---
Priority: | high | Milestone: | 10.0
Component: | BOOK | Version: | SVN
Severity: | normal | Keywords: |
Cc: | | |
Description
I just noticed gentoo have issued a security alert for fontforge,
CVE-2019-15785 https://nvd.nist.gov/vuln/detail/CVE-2019-15785
CVE-2020-5395 https://nvd.nist.gov/vuln/detail/CVE-2020-5395
CVE-2020-5496 https://nvd.nist.gov/vuln/detail/CVE-2020-5496
and report that all are fixed in 20200314.
The first is rated as Critical, the other two as High. Gentoo describe the impact as:
A remote attacker could entice a user to open a specially crafted font using FontForge, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.
But perhaps more significant for us, we seem to be stuck on 20170731.
Change History (14)
comment:1 by , 4 years ago
Owner: | changed from | to
---|---|---
Status: | new → assigned |
comment:2 by , 4 years ago
comment:3 by , 4 years ago (follow-up: 4)
I'll fix the currency script. They changed the filename. I was looking for fontforge-dist-20*, but they've dropped the dist part.
comment:4 by , 4 years ago (follow-up: 8)
Replying to bdubbs:
I'll fix the currency script. They changed the filename. I was looking for fontforge-dist-20*, but they've dropped the dist part.
Currency should be fixed now at revision 23063.
comment:5 by , 4 years ago (follow-up: 7)
Thanks. It will take me a while to get on to this - updating my scripts for a fresh build, upcoming firefox, and ... revising my details of fonts, particularly the fallout from Cantarell no longer providing Cyrillic (and breaking xelatex if all the supplied OTFs are installed) and more generally kde's apparent preference for noto.
comment:6 by , 4 years ago
libuninameslist seems to be a separate part of fontforge, https://github.com/fontforge/libuninameslist/releases - looks as if we will want the -dist version (pre-generated configure script).
comment:7 by , 4 years ago
Replying to ken@…:
Thanks. It will take me a while to get on to this - updating my scripts for a fresh build, upcoming firefox, and ... revising my details of fonts, particularly the fallout from Cantarell no longer providing Cyrillic (and breaking xelatex if all the supplied OTFs are installed) and more generally kde's apparent preference for noto.
Hmm, at some point I seem to have lost a few marbles! Cantarell DOES still provide Cyrillic glyphs. Memo to self: it is *other* writing systems where the Cantarell developer recommended NotoSans*UI variants (arabic and indic or S.E. Asian scripts).
comment:8 by , 4 years ago
Replying to bdubbs:
Replying to bdubbs:
I'll fix the currency script. They changed the filename. I was looking for fontforge-dist-20*, but they've dropped the dist part.
Currency should be fixed now at revision 23063.
I'm starting to look at this now: the dist variant did not need autoreconf. So it ceased to be created when they moved to cmake.
Two new deps of libspiro and libuninameslist are both from fontforge's github and both have -dist versions to save needing to run autoreconf.
I suggest that when these get added to the book's php scripts, it would be better to not test for the -dist part, if possible.
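A small added check, not the book's currency script or any FontForge code: it matches release tarball names with or without the -dist part, as suggested in the comment above, and compares the newest one against 20200314, the release the report says fixes the three CVEs. The asset names are a constructed sample, not a real release listing.

```shell
#!/bin/sh
# Added example: pick the newest fontforge source tarball from a list of
# release asset names, accepting both the old "fontforge-dist-YYYYMMDD"
# and the current "fontforge-YYYYMMDD" naming, then report whether it is
# at or past 20200314 (the release listed as fixing CVE-2019-15785,
# CVE-2020-5395 and CVE-2020-5496).

FIXED_VERSION=20200314

# Constructed sample of asset names (hypothetical, not a real listing).
SAMPLE_ASSETS='fontforge-dist-20170731.tar.gz
fontforge-20190317.tar.gz
libuninameslist-dist-20200313.tar.gz
fontforge-20200314.tar.xz
fontforge-20200314-windows.exe'

# newest_version: read asset names on stdin and print the highest
# fontforge source-tarball version; prints nothing if none match.
# The "dist-" part is optional so both naming schemes are accepted.
newest_version() {
    sed -n 's/^fontforge-\(dist-\)\{0,1\}\([0-9]\{8\}\)\.tar\.[a-z]*$/\2/p' |
        sort -n | tail -n 1
}

# is_fixed VERSION: succeed when VERSION is at or past FIXED_VERSION.
is_fixed() {
    [ "$1" -ge "$FIXED_VERSION" ]
}

latest=$(printf '%s\n' "$SAMPLE_ASSETS" | newest_version)
if [ -n "$latest" ] && is_fixed "$latest"; then
    echo "fontforge $latest: at or past $FIXED_VERSION"
else
    echo "fontforge ${latest:-none}: older than $FIXED_VERSION"
fi
```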
comment:9 by , 4 years ago
Still looking at options/dependencies, but I tried a build with cmake ; make -j4 and then with cmake ; ninja using the same settings: make took 55 seconds, ninja took 1m09 - not what I had expected.
comment:10 by , 4 years ago
My use-case for fontforge is very limited (generate a font from one of the components in a ttc, if I want to look at which glyphs it contains). I can do that, and also look at details of an installed font (font info etc.). This version seems to work like previous versions.
It doesn't like the Variable Font otf from current Cantarell, but that is no surprise at all.
comment:12 by , 4 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fontforge updated at r23105.
Errata added.
Release notes for releases since 2017:
20190317:
This release, the first since 2017, includes countless small bug fixes and a few significant features.
20190413:
This is a bugfix focused release.
Most notably, it fixes a crash on MacOS when browsing files.
Plugin support and direct http/ftp browsing support have also been removed.
20190801:
Along with the usual bugfixes, there have been a couple of new features worth calling out:
As part of an ongoing effort to clean up the code base, there have additionally been multiple build system changes:
20200314:
Significant changes include the following.
Python, Spiro, and high-resolution displays.
Notes on build system changes: