Opened 5 weeks ago
Closed 12 days ago
#19545 closed enhancement (fixed)
Fix CVE-2024-25081 and CVE-2024-25082 in FontForge
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.2 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
Noticed on oss-security:
- CVE-2024-25081 & CVE-2024-25082 in FontForge, fixed in git repo
FontForge used the system() function to execute commands to unpack fonts from archives, and the command line arguments it provides include both the name of the archive and the name of a font file specified inside the archive, leading to a classic command injection vulnerability if used to unpack a specially-named or a specially-crafted archive file.
A patch to switch from system() to glib's g_spawn_sync() was merged upstream on Feb. 6, but there don't seem to be any new releases yet: https://github.com/fontforge/fontforge/pull/5367
Change History (3)
comment:1 by , 5 weeks ago
comment:2 by , 3 weeks ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 12 days ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at 044207b10066b3c8881fc7c0067dcf1141d70e75
SA-12.1-028 issued
Note:
See TracTickets
for help on using tickets.
According to https://alas.aws.amazon.com/cve/html/CVE-2024-25082.html the score is 4.2 -- medium.