- Resolves: RHEL-138206

CVE-2025-15279 GUtils BMP File Parsing Heap-based Buffer Overflow
- Resolves: RHEL-138228
  CVE-2025-15275 SFD File Parsing Heap-based Buffer Overflow
- Resolves: RHEL-138158
  CVE-2025-15269 SFD File Parsing Use-After-Free

5720.patch

@@ -0,0 +1,45 @@
+From c8c96212cf28d011f8294c66dc4bda70e9c09256 Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz <kavraz@amazon.com>
+Date: Wed, 7 Jan 2026 14:46:09 +0000
+Subject: [PATCH] Fix CVE-2025-15279: Heap buffer overflow in BMP RLE
+ decompression
+
+The readpixels() function reads RLE count values from BMP files without
+validating buffer bounds. A malicious BMP can specify excessive counts
+causing heap buffer overflow during pixel decompression, potentially
+leading to remote code execution.
+
+Add bounds checking after each count read to ensure ii + cnt does not
+exceed the allocated buffer size (head->height * head->width). Return 0
+on validation failure to trigger error handling.
+
+CVE-2025-15279
+CVSS: 7.8 (High)
+ZDI-CAN-27517
+---
+ gutils/gimagereadbmp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 5a137e28af..133336787c 100644
+--- a/gutils/gimagereadbmp.c
++++ b/gutils/gimagereadbmp.c
+@@ -181,12 +181,18 @@ static int readpixels(FILE *file,struct bmpheader *head) {
+ 	int ii = 0;
+ 	while ( ii<head->height*head->width ) {
+ 	    int cnt = getc(file);
++	    if (cnt < 0 || ii + cnt > head->height * head->width) {
++		return 0;
++	    }
+ 	    if ( cnt!=0 ) {
+ 		int ch = getc(file);
+ 		while ( --cnt>=0 )
+ 		    head->byte_pixels[ii++] = ch;
+ 	    } else {
+ 		cnt = getc(file);
++		if (cnt < 0 || ii + cnt > head->height * head->width) {
++		    return 0;
++		}
+ 		if ( cnt>= 3 ) {
+ 		    int odd = cnt&1;
+ 		    while ( --cnt>=0 )

5721.patch

@@ -0,0 +1,28 @@
+From 9edd1cc5223d959687ccfd834433af5e830c56c2 Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz <kavraz@amazon.com>
+Date: Thu, 8 Jan 2026 08:42:53 +0000
+Subject: [PATCH] Fix CVE-2025-15275: Heap buffer overflow in SFD image parsing
+
+Validate clutlen parameter (0-256) before use to prevent heap buffer
+overflow when writing to fixed-size clut array.
+
+Fixes: CVE-2025-15275 | ZDI-25-1189 | ZDI-CAN-28543
+---
+ fontforge/sfd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 6b980a4785..0590c119f3 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -3653,6 +3653,10 @@ static ImageList *SFDGetImage(FILE *sfd) {
+     getint(sfd,&image_type);
+     getint(sfd,&bpl);
+     getint(sfd,&clutlen);
++    if ( clutlen < 0 || clutlen > 256 ) {
++        LogError(_("Invalid clut length %d in sfd file, must be between 0 and 256"), clutlen);
++        return NULL;
++    }
+     gethex(sfd,&trans);
+     image = GImageCreate(image_type,width,height);
+     base = image->list_len==0?image->u.image:image->u.images[0];

5722.patch

@@ -0,0 +1,27 @@
+From f99b1c886c0d9324440517a7a4253c5432e284ad Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz <kavraz@amazon.com>
+Date: Thu, 8 Jan 2026 15:38:57 +0000
+Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing
+
+Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing
+the next pointer after shallow copy. The shallow copy propagates liga's
+modified next pointer from previous iterations, creating a cycle that
+causes double-free when the list is traversed and freed.
+
+Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564
+---
+ fontforge/sfd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 6b980a4785..48b2b5f651 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -4711,6 +4711,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) {
+     while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) {
+ 	new = chunkalloc(sizeof( PST1 ));
+ 	*new = *liga;
++	new->pst.next = NULL;
+ 	new->pst.u.lig.components = copy(pt+1);
+ 	last->pst.next = (PST *) new;
+ 	last = new;

5723.patch

@@ -0,0 +1,35 @@
+From a0eedb850e1216cece0f9be61bfd45ddfc4a719d Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz <kavraz@amazon.com>
+Date: Fri, 9 Jan 2026 13:39:17 +0000
+Subject: [PATCH] Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block
+
+Move the bounds check to inside the 'if (cnt >= 3)' block. This fixes
+the issue where cnt == 0, cnt == 1, and cnt == 2 require different ii
+calculations (end-of-line, end-of-bitmap, delta) and the bounds check
+before the conditional would incorrectly reject valid operations.
+
+CVE-2025-15279
+CVSS: 7.8 (High)
+ZDI-CAN-27517
+---
+ gutils/gimagereadbmp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 133336787c..ad365158cc 100644
+--- a/gutils/gimagereadbmp.c
++++ b/gutils/gimagereadbmp.c
+@@ -190,10 +190,10 @@ static int readpixels(FILE *file,struct bmpheader *head) {
+ 		    head->byte_pixels[ii++] = ch;
+ 	    } else {
+ 		cnt = getc(file);
+-		if (cnt < 0 || ii + cnt > head->height * head->width) {
+-		    return 0;
+-		}
+ 		if ( cnt>= 3 ) {
++		    if (ii + cnt > head->height * head->width) {
++			return 0;
++		    }
+ 		    int odd = cnt&1;
+ 		    while ( --cnt>=0 )
+ 			head->byte_pixels[ii++] = getc(file);

fontforge.spec

@@ -2,7 +2,7 @@
 
 Name:           fontforge
 Version:        20201107
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        Outline and bitmap font editor
 
 License:        GPLv3+
@@ -14,6 +14,18 @@ Patch0:         0001-Fix-errors-in-French-and-Italian-translations.patch
 # https://github.com/fontforge/fontforge/pull/5367
 # Fixes CVE-2024-25081 and CVE-2024-25082
 Patch1:         https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5367.patch#/Fix_Splinefont_shell_invocation.patch
+# CVE-2025-15279 https://github.com/fontforge/fontforge/pull/5720
+# https://sourceforge.net/p/fontforge/patches/32/
+Patch2:         https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5720.patch
+# CVE-2025-15275 https://github.com/fontforge/fontforge/pull/5721
+# https://sourceforge.net/p/fontforge/patches/37/
+Patch3:          https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5721.patch
+# CVE-2025-15269 https://github.com/fontforge/fontforge/pull/5722
+# https://sourceforge.net/p/fontforge/patches/40/
+Patch4:         https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5722.patch
+# CVE-2025-15279 https://github.com/fontforge/fontforge/pull/5723
+# https://sourceforge.net/p/fontforge/patches/32/
+Patch5:         https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5723.patch
 
 Requires:       xdg-utils
 Requires:       autotrace
@@ -73,9 +85,7 @@ This package contains documentation files for %{name}.
 
 
 %prep
-%setup -q
-%patch -P 0 -p1
-%patch -P 1 -p1
+%autosetup -p1
 
 # Remove tests that requires Internet access
 sed -i '45d;83d;101d;102d;114d;115d;127d' tests/CMakeLists.txt
@@ -135,6 +145,14 @@ popd
 %doc %{_pkgdocdir}
 
 %changelog
+* Tue Jan 27 2026 Parag Nemade <pnemade AT redhat DOT com> - 20201107-7
+- Resolves: RHEL-138206
+  CVE-2025-15279 GUtils BMP File Parsing Heap-based Buffer Overflow
+- Resolves: RHEL-138228
+  CVE-2025-15275 SFD File Parsing Heap-based Buffer Overflow
+- Resolves: RHEL-138158
+  CVE-2025-15269 SFD File Parsing Use-After-Free
+
 * Tue Apr 02 2024 Parag Nemade <pnemade AT redhat DOT com> - 20201107-6
 - Resolves: RHEL-26716 - CVE-2024-25081 and CVE-2024-25082 fontforge: various flaws