Opened 12 months ago
Closed 12 months ago
#19545 closed enhancement (fixed)
Fix CVE-2024-25081 and CVE-2024-25082 in FontForge
Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | elevated | Milestone: | 12.2 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
Noticed on oss-security:
- CVE-2024-25081 & CVE-2024-25082 in FontForge, fixed in git repo
FontForge used the system() function to execute commands to unpack fonts from archives, and the command line arguments it provides include both the name of the archive and the name of a font file specified inside the archive, leading to a classic command injection vulnerability if used to unpack a specially-named or a specially-crafted archive file.
A patch to switch from system() to glib's g_spawn_sync() was merged upstream on Feb. 6, but there don't seem to be any new releases yet: https://github.com/fontforge/fontforge/pull/5367
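The difference between the two execution styles described above, as an added example that is not part of this ticket or of FontForge's code. Assumptions: `true` stands in for the real unpack command, POSIX `fork()`/`execvp()` stands in for glib's `g_spawn_sync()`, and the function names and the sample member name are constructed for illustration.

```c
/* Added illustration; not FontForge code. "true" stands in for the unpack tool. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a member name carrying a harmless shell marker. */
static const char *SAMPLE_NAME = "font.ttf; exit 7";

static int exit_code(int status) {
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Pre-fix pattern: the name is pasted into a string that /bin/sh parses. */
int run_via_shell(const char *name) {
    char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "true %s", name);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;                 /* refuse truncated commands */
    return exit_code(system(cmd));
}

/* Post-fix pattern: the name is one argv element, no shell is involved.
 * "--" ends option parsing so a name starting with '-' is not read as a flag. */
int run_via_argv(const char *name) {
    char *const argv[] = { "true", "--", (char *)name, NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return exit_code(status);
}

int main(void) {
    printf("shell: exit %d\n", run_via_shell(SAMPLE_NAME));
    printf("argv:  exit %d\n", run_via_argv(SAMPLE_NAME));
    return 0;
}
```

An exit status of 7 from the shell variant shows that text inside the file name was executed as a command; the argv variant exits 0 because the whole name reaches the program as a single literal argument.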
Change History (3)
comment:1 by , 12 months ago
comment:2 by , 12 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 12 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at 044207b10066b3c8881fc7c0067dcf1141d70e75
SA-12.1-028 issued
According to https://alas.aws.amazon.com/cve/html/CVE-2024-25082.html the score is 4.2 -- medium.