From 1020f3bb60e20ba0b52628f28d80e7b2ee8d7af6 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Wed, 8 Apr 2026 02:31:27 -0400
Subject: [PATCH] import Oracle_OSS fontforge-20230101-15.el10_1

---
 5743.patch | 39 +++++++++++++++++++++++++++++++++++++++
 fontforge.spec | 9 ++++++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 5743.patch

diff --git a/5743.patch b/5743.patch
new file mode 100644
index 0000000..dd3c7ca
--- /dev/null
+++ b/5743.patch
@@ -0,0 +1,39 @@
+From a04b3e4d72a1709d2cd7a7dfb6552ab1fe9a9d31 Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+Date: Fri, 30 Jan 2026 09:54:28 +0000
+Subject: [PATCH] Fix CVE-2025-15270: Heap buffer overflow in SFD kern class
+ parsing
+
+Fixes: CVE-2025-15270 | ZDI-25-1194 | ZDI-CAN-28563
+
+Co-authored-by: Ahmet Furkan Kavraz
+---
+ fontforge/sfd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 6b980a4785..78df7a8ff3 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -8275,6 +8275,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ for ( i=classstart; ifirst_cnt; ++i ) {
+ if (kernclassversion < 3) {
+ getint(sfd,&temp);
++ if (temp < 0) {
++ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
++ return false;
++ }
+ kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0';
+ nlgetc(sfd); /* skip space */
+ fread(kc->firsts[i],1,temp,sfd);
+@@ -8292,6 +8296,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ for ( i=1; isecond_cnt; ++i ) {
+ if (kernclassversion < 3) {
+ getint(sfd,&temp);
++ if (temp < 0) {
++ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
++ return false;
++ }
+ kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0';
+ nlgetc(sfd); /* skip space */
+ fread(kc->seconds[i],1,temp,sfd);
diff --git a/fontforge.spec b/fontforge.spec
index d9fafef..62e068f 100644
--- a/fontforge.spec
+++ b/fontforge.spec
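Review bot: In both kern-class loops of the embedded sfd.c patch, the new `temp < 0` guard leaves the allocation that follows it unchecked: `malloc(temp+1)` is dereferenced on the same line by `kc->firsts[i][temp] = '\0'` (and `kc->seconds[i][temp]` in the second hunk), so a large length read from the file that makes malloc fail becomes a write through a null-based pointer. If temp is an int, as the `%d` in the new message suggests, a value of INT_MAX also overflows `temp+1`; the guard could read `if (temp < 0 || temp == INT_MAX) {`, and the allocation could be followed by `if (kc->firsts[i] == NULL) return false;` before the terminator is stored. The result of `fread` is ignored as well, so a truncated file leaves uninitialised heap bytes in the name; comparing it with `(size_t)temp` would catch that. SFD_GetFontMetaData starts and ends outside these hunks, so whether the early `return false` releases kc and the names already read cannot be checked from here.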
@@ -2,7 +2,7 @@ Name: fontforge Version: 20230101 -Release: 14%{?dist} +Release: 15%{?dist} Summary: Outline and bitmap font editor License: GPL-3.0-or-later @@ -25,6 +25,9 @@ Patch4: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge # CVE-2025-15279 https://github.com/fontforge/fontforge/pull/5723 # https://sourceforge.net/p/fontforge/patches/32/ Patch5: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5723.patch +# CVE-2025-15270 https://github.com/fontforge/fontforge/pull/5743 +# https://sourceforge.net/p/fontforge/patches/41/ +Patch6: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5743.patch Requires: xdg-utils Requires: (autotrace or potrace) @@ -138,6 +141,10 @@ popd %doc %{_pkgdocdir} %changelog +* Tue Mar 30 2026 Parag Nemade - 20230101-15 +- Resolves: RHEL-138129 + CVE-2025-15270 SFD File Parsing Remote Code Execution Vulnerability + * Tue Jan 27 2026 Parag Nemade - 20230101-14 - Resolves: RHEL-138159 CVE-2025-15279 GUtils BMP File Parsing Heap-based Buffer Overflow