rpms/fontforge
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: RHEL-138222

Browse Source 
CVE-2025-15270 SFD File Parsing Remote Code Execution Vulnerability
This commit is contained in:
Parag Nemade 2026-03-24 11:28:58 +05:30
parent bccabcf0bd
commit d2b39d2d1a
No known key found for this signature in database
GPG Key ID: 71932951EB71E972
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
5743.patch Normal file
View File

@ -0,0 +1,39 @@
From a04b3e4d72a1709d2cd7a7dfb6552ab1fe9a9d31 Mon Sep 17 00:00:00 2001
From: Ahmet Furkan Kavraz <kavraz@amazon.com>
Date: Fri, 30 Jan 2026 09:54:28 +0000
Subject: [PATCH] Fix CVE-2025-15270: Heap buffer overflow in SFD kern class
parsing
Fixes: CVE-2025-15270 | ZDI-25-1194 | ZDI-CAN-28563
Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
---
fontforge/sfd.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fontforge/sfd.c b/fontforge/sfd.c
index 6b980a4785..78df7a8ff3 100644
--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
@@ -8275,6 +8275,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
for ( i=classstart; i<kc->first_cnt; ++i ) {
if (kernclassversion < 3) {
getint(sfd,&temp);
+ if (temp < 0) {
+ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
+ return false;
+ }
kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0';
nlgetc(sfd); /* skip space */
fread(kc->firsts[i],1,temp,sfd);
@@ -8292,6 +8296,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
for ( i=1; i<kc->second_cnt; ++i ) {
if (kernclassversion < 3) {
getint(sfd,&temp);
+ if (temp < 0) {
+ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
+ return false;
+ }
kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0';
nlgetc(sfd); /* skip space */
fread(kc->seconds[i],1,temp,sfd);

9
fontforge.spec
View File

@ -2,7 +2,7 @@
Name: fontforge
Version: 20201107
Release: 7%{?dist}
Release: 8%{?dist}
Summary: Outline and bitmap font editor
License: GPLv3+
@ -26,6 +26,9 @@ Patch4: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge
# CVE-2025-15279 https://github.com/fontforge/fontforge/pull/5723
# https://sourceforge.net/p/fontforge/patches/32/
Patch5: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5723.patch
# CVE-2025-15270 https://github.com/fontforge/fontforge/pull/5743
# https://sourceforge.net/p/fontforge/patches/41/
Patch6: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5743.patch
Requires: xdg-utils
Requires: autotrace
@ -145,6 +148,10 @@ popd
%doc %{_pkgdocdir}
%changelog
* Tue Mar 24 2026 Parag Nemade <pnemade AT redhat DOT com> - 20201107-8
- Resolves: RHEL-138222
CVE-2025-15270 SFD File Parsing Remote Code Execution Vulnerability
* Tue Jan 27 2026 Parag Nemade <pnemade AT redhat DOT com> - 20201107-7
- Resolves: RHEL-138206
CVE-2025-15279 GUtils BMP File Parsing Heap-based Buffer Overflow