diff --git a/5720.patch b/5720.patch
new file mode 100644
index 0000000..3837626
--- /dev/null
+++ b/5720.patch
@@ -0,0 +1,45 @@
+From c8c96212cf28d011f8294c66dc4bda70e9c09256 Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+Date: Wed, 7 Jan 2026 14:46:09 +0000
+Subject: [PATCH] Fix CVE-2025-15279: Heap buffer overflow in BMP RLE
+ decompression
+
+The readpixels() function reads RLE count values from BMP files without
+validating buffer bounds. A malicious BMP can specify excessive counts
+causing heap buffer overflow during pixel decompression, potentially
+leading to remote code execution.
+
+Add bounds checking after each count read to ensure ii + cnt does not
+exceed the allocated buffer size (head->height * head->width). Return 0
+on validation failure to trigger error handling.
+
+CVE-2025-15279
+CVSS: 7.8 (High)
+ZDI-CAN-27517
+---
+ gutils/gimagereadbmp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 5a137e28af..133336787c 100644
+--- a/gutils/gimagereadbmp.c
++++ b/gutils/gimagereadbmp.c
+@@ -181,12 +181,18 @@ static int readpixels(FILE *file,struct bmpheader *head) {
+ int ii = 0;
+ while ( iiheight*head->width ) {
+ int cnt = getc(file);
++ if (cnt < 0 || ii + cnt > head->height * head->width) {
++ return 0;
++ }
+ if ( cnt!=0 ) {
+ int ch = getc(file);
+ while ( --cnt>=0 )
+ head->byte_pixels[ii++] = ch;
+ } else {
+ cnt = getc(file);
++ if (cnt < 0 || ii + cnt > head->height * head->width) {
++ return 0;
++ }
+ if ( cnt>= 3 ) {
+ int odd = cnt&1;
+ while ( --cnt>=0 )
diff --git a/5721.patch b/5721.patch
new file mode 100644
index 0000000..07aeebc
--- /dev/null
+++ b/5721.patch
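Review bot: The two bounds checks added to the 8-bit RLE loop are identical and carry no comment saying what they protect, and the second one (the one placed before `if ( cnt>= 3 )`) is relocated again by 5723.patch later in this same commit, so a reader of 5720.patch alone sees a guard that also rejects the cnt==0/1/2 escape codes. A one-line comment on the first check would make the intent durable: `/* cnt bytes are about to be written at byte_pixels[ii]; refuse counts that would run past the height*width allocation (CVE-2025-15279) */`. The bound `head->height * head->width` is recomputed on every read; hoisting it into a local once before the `while` would also document that it is the allocation size, which presumes that product was already range-checked where byte_pixels is allocated (not visible here). readpixels() starts before and ends after the hunk.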
@@ -0,0 +1,28 @@
+From 9edd1cc5223d959687ccfd834433af5e830c56c2 Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+Date: Thu, 8 Jan 2026 08:42:53 +0000
+Subject: [PATCH] Fix CVE-2025-15275: Heap buffer overflow in SFD image parsing
+
+Validate clutlen parameter (0-256) before use to prevent heap buffer
+overflow when writing to fixed-size clut array.
+
+Fixes: CVE-2025-15275 | ZDI-25-1189 | ZDI-CAN-28543
+---
+ fontforge/sfd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 6b980a4785..0590c119f3 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -3653,6 +3653,10 @@ static ImageList *SFDGetImage(FILE *sfd) {
+ getint(sfd,&image_type);
+ getint(sfd,&bpl);
+ getint(sfd,&clutlen);
++ if ( clutlen < 0 || clutlen > 256 ) {
++ LogError(_("Invalid clut length %d in sfd file, must be between 0 and 256"), clutlen);
++ return NULL;
++ }
+ gethex(sfd,&trans);
+ image = GImageCreate(image_type,width,height);
+ base = image->list_len==0?image->u.image:image->u.images[0];
diff --git a/5722.patch b/5722.patch
new file mode 100644
index 0000000..ef5778e
--- /dev/null
+++ b/5722.patch
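Review bot: The new clutlen guard in SFDGetImage() hard-codes 256 as the capacity of the clut array it protects, while the array's declared size lives in a header not shown here; if the two ever drift, the check silently stops matching the buffer. Tie the bound to the declaration (a named constant shared with the array, or `sizeof` on the member) rather than a literal, e.g. `if ( clutlen < 0 || clutlen > CLUT_CAPACITY )` where `CLUT_CAPACITY` stands in for whatever constant sizes the array. Returning NULL before `GImageCreate()` is the right spot, since nothing in the visible lines has been allocated yet; a short comment saying so would keep a later edit from moving the check below the allocation. SFDGetImage() starts before and ends after the hunk.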
@@ -0,0 +1,27 @@
+From f99b1c886c0d9324440517a7a4253c5432e284ad Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+Date: Thu, 8 Jan 2026 15:38:57 +0000
+Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing
+
+Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing
+the next pointer after shallow copy. The shallow copy propagates liga's
+modified next pointer from previous iterations, creating a cycle that
+causes double-free when the list is traversed and freed.
+
+Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564
+---
+ fontforge/sfd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 6b980a4785..48b2b5f651 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -4711,6 +4711,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) {
+ while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) {
+ new = chunkalloc(sizeof( PST1 ));
+ *new = *liga;
++ new->pst.next = NULL;
+ new->pst.u.lig.components = copy(pt+1);
+ last->pst.next = (PST *) new;
+ last = new;
diff --git a/5723.patch b/5723.patch
new file mode 100644
index 0000000..1ac73b5
--- /dev/null
+++ b/5723.patch
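Review bot: The added `new->pst.next = NULL;` deserves a comment, because its necessity is only visible from the `*new = *liga;` line above it: `/* *new = *liga also copied liga's next pointer; clear it so the last->pst.next link below cannot close a cycle */`. The same shallow copy duplicates every other pointer member of PST1 into `new`, and the hunk only shows `components` being replaced with a fresh `copy()`; whether the remaining pointers are meant to be shared between nodes (and never freed per node) should be confirmed against the free path, which is not visible here. The while loop continues past the hunk.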
@@ -0,0 +1,35 @@
+From a0eedb850e1216cece0f9be61bfd45ddfc4a719d Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+Date: Fri, 9 Jan 2026 13:39:17 +0000
+Subject: [PATCH] Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block
+
+Move the bounds check to inside the 'if (cnt >= 3)' block. This fixes
+the issue where cnt == 0, cnt == 1, and cnt == 2 require different ii
+calculations (end-of-line, end-of-bitmap, delta) and the bounds check
+before the conditional would incorrectly reject valid operations.
+
+CVE-2025-15279
+CVSS: 7.8 (High)
+ZDI-CAN-27517
+---
+ gutils/gimagereadbmp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 133336787c..ad365158cc 100644
+--- a/gutils/gimagereadbmp.c
++++ b/gutils/gimagereadbmp.c
+@@ -190,10 +190,10 @@ static int readpixels(FILE *file,struct bmpheader *head) {
+ head->byte_pixels[ii++] = ch;
+ } else {
+ cnt = getc(file);
+- if (cnt < 0 || ii + cnt > head->height * head->width) {
+- return 0;
+- }
+ if ( cnt>= 3 ) {
++ if (ii + cnt > head->height * head->width) {
++ return 0;
++ }
+ int odd = cnt&1;
+ while ( --cnt>=0 )
+ head->byte_pixels[ii++] = getc(file);
diff --git a/fontforge.spec b/fontforge.spec
index 359dfe4..df87f3e 100644
--- a/fontforge.spec
+++ b/fontforge.spec
@@ -2,7 +2,7 @@ Name: fontforge
 Version: 20201107
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: Outline and bitmap font editor
 License: GPLv3+
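Review bot: Moving the second bounds check inside `if ( cnt>= 3 )` also drops the `cnt < 0` test that 5720.patch had on the second `getc(file)`, so an EOF (-1) on the escape byte is now presumably routed to the cnt==0/1/2 handling below the hunk instead of being rejected; unless that chain ends in a branch that returns 0 for negative values (not visible here), keep an explicit EOF guard right after the read: `if (cnt < 0) return 0;`. The relocated check itself is correct for the literal-run case, since exactly `cnt` bytes are written at `byte_pixels[ii]` there. readpixels() begins and ends outside the hunk.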
@@ -14,6 +14,18 @@ Patch0: 0001-Fix-errors-in-French-and-Italian-translations.patch
 # https://github.com/fontforge/fontforge/pull/5367
 # Fixes CVE-2024-25081 and CVE-2024-25082
 Patch1: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5367.patch#/Fix_Splinefont_shell_invocation.patch
+# CVE-2025-15279 https://github.com/fontforge/fontforge/pull/5720
+# https://sourceforge.net/p/fontforge/patches/32/
+Patch2: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5720.patch
+# CVE-2025-15275 https://github.com/fontforge/fontforge/pull/5721
+# https://sourceforge.net/p/fontforge/patches/37/
+Patch3: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5721.patch
+# CVE-2025-15269 https://github.com/fontforge/fontforge/pull/5722
+# https://sourceforge.net/p/fontforge/patches/40/
+Patch4: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5722.patch
+# CVE-2025-15279 https://github.com/fontforge/fontforge/pull/5723
+# https://sourceforge.net/p/fontforge/patches/32/
+Patch5: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5723.patch
 Requires: xdg-utils
 Requires: autotrace
@@ -73,9 +85,7 @@ This package contains documentation files for %{name}. %prep
-%setup -q
-%patch -P 0 -p1
-%patch -P 1 -p1
+%autosetup -p1
 # Remove tests that requires Internet access
 sed -i '45d;83d;101d;102d;114d;115d;127d' tests/CMakeLists.txt
@@ -135,6 +145,14 @@ popd
 %doc %{_pkgdocdir}
 %changelog
+* Tue Jan 27 2026 Parag Nemade - 20201107-7
+- Resolves: RHEL-138206
+ CVE-2025-15279 GUtils BMP File Parsing Heap-based Buffer Overflow
+- Resolves: RHEL-138228
+ CVE-2025-15275 SFD File Parsing Heap-based Buffer Overflow
+- Resolves: RHEL-138158
+ CVE-2025-15269 SFD File Parsing Use-After-Free
+
 * Tue Apr 02 2024 Parag Nemade - 20201107-6
 - Resolves: RHEL-26716 - CVE-2024-25081 and CVE-2024-25082 fontforge: various flaws
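Review bot: Patch5 (5723.patch) rewrites lines that Patch2 (5720.patch) introduces, so the two are only correct when applied in that order, yet nothing in the new Patch lines records the dependency and both carry the same sourceforge comment. A comment on the Patch5 line would protect the next person who renumbers or drops a patch: `# Reworks the second bounds check added by Patch2; must stay after it`. With `%autosetup -p1` in the %prep hunk the numeric order is what enforces this, so the note belongs next to the declarations rather than in %prep.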