diff --git a/.fontforge.metadata b/.fontforge.metadata
deleted file mode 100644
index c6e6c1d..0000000
--- a/.fontforge.metadata
+++ /dev/null
@@ -1 +0,0 @@
-cca54440dd47414055507a5007cd9b663699f3e2 SOURCES/fontforge-20200314.tar.gz
diff --git a/.gitignore b/.gitignore
index 17fbee8..cc72027 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/fontforge-20200314.tar.gz
+fontforge-20230101.tar.gz
diff --git a/0001-Fix-errors-in-French-and-Italian-translations.patch b/0001-Fix-errors-in-French-and-Italian-translations.patch
new file mode 100644
index 0000000..8158ea8
--- /dev/null
+++ b/0001-Fix-errors-in-French-and-Italian-translations.patch
@@ -0,0 +1,181 @@ +From 472e238cafcff113c7be9815a13ff864540d5ef9 Mon Sep 17 00:00:00 2001 +From: Yaakov Selkowitz +Date: Thu, 6 Jul 2023 19:15:53 -0400 +Subject: [PATCH] Fix errors in French and Italian translations + +With gettext-0.22, these mismatches trigger errors: + +'msgstr' is not a valid C format string, unlike 'msgid'. Reason: In the +directive number 2, the argument size specifier is invalid. +--- + po/fr.po | 36 ++++++++++++++++++------------------ + po/it.po | 8 ++++---- + 2 files changed, 22 insertions(+), 22 deletions(-) + +diff --git a/po/fr.po b/po/fr.po +index 26e446b38..cb492d7a0 100644 +--- a/po/fr.po ++++ b/po/fr.po +@@ -291,7 +291,7 @@ msgstr "chaîne %1$.30s pour %2$.30s" + #. GT: $4 is the changed flag ('*' for the changed items) + #, c-format + msgid "%1$.80s at %2$d from %3$.90s%4$s" +-msgstr "%1$.80s à %2$d de %3$.90hs%4$s" ++msgstr "%1$.80s à %2$d de %3$.90s%4$s" + + #. GT: This is the title for a window showing a bitmap character + #. GT: It will look something like: +@@ -302,7 +302,7 @@ msgstr "%1$.80s à %2$d de %3$.90hs%4$s" + #. GT: $4 is the font name + #, c-format + msgid "%1$.80s at %2$d size %3$d from %4$.80s" +-msgstr "%1$.80s (%2$d) taille %3$d de %4$.80hs" ++msgstr "%1$.80s (%2$d) taille %3$d de %4$.80s" + + #, c-format + msgid "%1$s from lookup subtable %2$.50s" +@@ -7433,7 +7433,7 @@ msgid "" + "Reverting the file will lose those changes.\n" + "Is that what you want?" + msgstr "" +-"La fonte %1$.40s dans le fichier %2$.40hs a été modifiée.\n" ++"La fonte %1$.40s dans le fichier %2$.40s a été modifiée.\n" + "Revenir vous fera perdre toutes les modifications.\n" + "Voulez vous vraiment revenir ?" 
+ +@@ -19925,7 +19925,7 @@ msgid "" + "The fonts %1$.30s and %2$.30s have a different number of glyphs or different " + "encodings" + msgstr "" +-"Les fontes %1$.30s et %2$.30hs n'ont pas le même nombre de glyphes ou des " ++"Les fontes %1$.30s et %2$.30s n'ont pas le même nombre de glyphes ou des " + "codages différents" + + #, c-format +@@ -19933,7 +19933,7 @@ msgid "" + "The fonts %1$.30s and %2$.30s use different types of splines (one quadratic, " + "one cubic)" + msgstr "" +-"Les fontes %1$.30s et %2$.30hs utilisent des courbes de Bézier d'ordres " ++"Les fontes %1$.30s et %2$.30s utilisent des courbes de Bézier d'ordres " + "différents (quadratique et cubique)" + + msgid "The generated font won't work with ATM" +@@ -19968,8 +19968,8 @@ msgid "" + "The glyph %1$.30s in font %2$.30s has a different hint mask on its contours " + "than in %3$.30s" + msgstr "" +-"Le glyphe %1$.30s dans la police %2$.30hs a un masque de hints différent que " +-"dans %3$.30hs" ++"Le glyphe %1$.30s dans la police %2$.30s a un masque de hints différent que " ++"dans %3$.30s" + + #, c-format + msgid "" +@@ -19984,8 +19984,8 @@ msgid "" + "The glyph %1$.30s in font %2$.30s has a different number of references than " + "in %3$.30s" + msgstr "" +-"Le glyphe %1$.30s de la fonte %2$.30hs a un nombre de références différent " +-"dans %3$.30hs" ++"Le glyphe %1$.30s de la fonte %2$.30s a un nombre de références différent " ++"dans %3$.30s" + + #, c-format + msgid "" +@@ -20457,7 +20457,7 @@ msgstr "" + #, c-format + msgid "The outlines of glyph %2$.30s were not found in the font %1$.60s" + msgstr "" +-"Le contours du glyphe %2$.30s n'ont pas été trouvés dans la police %1$.60hs" ++"Le contours du glyphe %2$.30s n'ont pas été trouvés dans la police %1$.60s" + + msgid "The paths that make up this glyph intersect one another" + msgstr "Les chemins qui composent ce glyphe se coupent les uns les autres" +@@ -21042,7 +21042,7 @@ msgstr "Il y a déjà une sous-table avec ce nom, changez de nom SVP" + + 
#, c-format + msgid "There is already an anchor point named %1$.40s in %2$.40s." +-msgstr "Il y a déjà une ancre appelée %1$.40s dans %2$.40hs." ++msgstr "Il y a déjà une ancre appelée %1$.40s dans %2$.40s." + + msgid "There is another glyph in the font with this name" + msgstr "Il y a un autre glyphe dans la fonte avec ce nom" +@@ -21441,8 +21441,8 @@ msgid "" + "been able to find is %1$.20s-%2$.20s-%4$d.\n" + "Shall I use that or let you search?" + msgstr "" +-"Cette fonte est basée sur le jeu de caractères %1$.20s-%2$.20hs-%3$d, mais " +-"ce que j'ai trouvé de mieux c'est %1$.20hs-%2$.20hs-%4$d.\n" ++"Cette fonte est basée sur le jeu de caractères %1$.20s-%2$.20s-%3$d, mais " ++"ce que j'ai trouvé de mieux c'est %1$.20s-%2$.20s-%4$d.\n" + "Devrais-je utiliser cette valeur ou préférez vous chercher ?" + + msgid "" +@@ -21770,7 +21770,7 @@ msgid "" + "with a 0 offset for this combination. Would you like to alter this kerning " + "class entry (or create a kerning pair for just these two glyphs)?" + msgstr "" +-"Cette paire de crénage (%.20s et %.20hs) est dans une classe de crénage\n" ++"Cette paire de crénage (%.20s et %.20s) est dans une classe de crénage\n" + "avec un déplacement de 0 pour cette combinaison. Voulez-vous modifier cette " + "partie\n" + "de la classe de crénage (ou créer une nouvelle paire rien que pour ces 2 " +@@ -24551,8 +24551,8 @@ msgid "" + "referred to.\n" + "It will not be copied." + msgstr "" +-"Vous essayer de coller une référence vers %1$s dans %2$hs.\n" +-"Mais %1$hs n'existe pas dans cette fonte, et FontForge ne trouve pas le " ++"Vous essayer de coller une référence vers %1$s dans %2$s.\n" ++"Mais %1$s n'existe pas dans cette fonte, et FontForge ne trouve pas le " + "glyphe auquel il se référait.\n" + "Le glyphe ne sera pas copié." + +@@ -24562,8 +24562,8 @@ msgid "" + "But %1$s does not exist in this font.\n" + "Would you like to copy the original splines (or delete the reference)?" 
+ msgstr "" +-"Vous essayer de coller une référence vers %1$s dans %2$hs.\n" +-"Mais %1$hs n'existe pas dans cette fonte.\n" ++"Vous essayer de coller une référence vers %1$s dans %2$s.\n" ++"Mais %1$s n'existe pas dans cette fonte.\n" + "Voulez vous copier le contour d'origine (ou supprimer la référence)?" + + msgid "" +diff --git a/po/it.po b/po/it.po +index e13711485..d0c3ea987 100644 +--- a/po/it.po ++++ b/po/it.po +@@ -2303,7 +2303,7 @@ msgid "" + "Reverting the file will lose those changes.\n" + "Is that what you want?" + msgstr "" +-"Il font %1$.40s nel file %2$.40hs è stato modificato.\n" ++"Il font %1$.40s nel file %2$.40s è stato modificato.\n" + "Ripristinando il file perderai tutte le modifiche.\n" + "È quello che vuoi fare?" + +@@ -5835,7 +5835,7 @@ msgid "" + "The glyph %1$.30s has a different number of contours in font %2$.30s than in " + "%3$.30s" + msgstr "" +-"Il glifo %1$.30s ha un diverso numero di contorni nel font %2$.30hs rispetto " ++"Il glifo %1$.30s ha un diverso numero di contorni nel font %2$.30s rispetto " + "a %3$.30s" + + #, c-format +@@ -6235,8 +6235,8 @@ msgid "" + "been able to find is %1$.20s-%2$.20s-%4$d.\n" + "Shall I use that or let you search?" + msgstr "" +-"Questo font è basato sulla codifica di caratteri %1$.20s-%2$.20hs-%3$d, ma " +-"il migliore che io abbia trovato è %1$.20hs-%2$.20hs-%4$d.\n" ++"Questo font è basato sulla codifica di caratteri %1$.20s-%2$.20s-%3$d, ma " ++"il migliore che io abbia trovato è %1$.20s-%2$.20s-%4$d.\n" + "Devo usare questo valore o preferisci cercare tu stesso?" + + msgid "" +-- +2.41.0 + diff --git a/5720.patch b/5720.patch new file mode 100644 index 0000000..3837626 --- /dev/null +++ b/5720.patch 
@@ -0,0 +1,45 @@
+From c8c96212cf28d011f8294c66dc4bda70e9c09256 Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+Date: Wed, 7 Jan 2026 14:46:09 +0000
+Subject: [PATCH] Fix CVE-2025-15279: Heap buffer overflow in BMP RLE
+ decompression
+
+The readpixels() function reads RLE count values from BMP files without
+validating buffer bounds. A malicious BMP can specify excessive counts
+causing heap buffer overflow during pixel decompression, potentially
+leading to remote code execution.
+
+Add bounds checking after each count read to ensure ii + cnt does not
+exceed the allocated buffer size (head->height * head->width). Return 0
+on validation failure to trigger error handling.
+
+CVE-2025-15279
+CVSS: 7.8 (High)
+ZDI-CAN-27517
+---
+ gutils/gimagereadbmp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 5a137e28af..133336787c 100644
+--- a/gutils/gimagereadbmp.c
++++ b/gutils/gimagereadbmp.c
+@@ -181,12 +181,18 @@ static int readpixels(FILE *file,struct bmpheader *head) {
+ int ii = 0;
+ while ( iiheight*head->width ) {
+ int cnt = getc(file);
++ if (cnt < 0 || ii + cnt > head->height * head->width) {
++ return 0;
++ }
+ if ( cnt!=0 ) {
+ int ch = getc(file);
+ while ( --cnt>=0 )
+ head->byte_pixels[ii++] = ch;
+ } else {
+ cnt = getc(file);
++ if (cnt < 0 || ii + cnt > head->height * head->width) {
++ return 0;
++ }
+ if ( cnt>= 3 ) {
+ int odd = cnt&1;
+ while ( --cnt>=0 )
diff --git a/5721.patch b/5721.patch
new file mode 100644
index 0000000..07aeebc
--- /dev/null
+++ b/5721.patch
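Review bot: Both added checks in readpixels() trust the product `head->height * head->width` as the buffer size, but the hunk does not show those header fields being range-checked; if they are plain ints taken from the file, the multiplication can wrap and the comparison is then made against the wrong limit. Computing the limit once before the loop, in a type wide enough for the product and after the header values have been validated, would make the guard independent of that assumption. In the `cnt!=0` branch the value from `int ch = getc(file);` is stored without an EOF test, so a truncated file fills the run with the EOF value instead of failing; `if (ch < 0) return 0;` after that read would match how cnt is treated. The body of readpixels() starts and ends outside the hunk, so earlier validation may exist that is not visible here.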
@@ -0,0 +1,28 @@
+From 9edd1cc5223d959687ccfd834433af5e830c56c2 Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+Date: Thu, 8 Jan 2026 08:42:53 +0000
+Subject: [PATCH] Fix CVE-2025-15275: Heap buffer overflow in SFD image parsing
+
+Validate clutlen parameter (0-256) before use to prevent heap buffer
+overflow when writing to fixed-size clut array.
+
+Fixes: CVE-2025-15275 | ZDI-25-1189 | ZDI-CAN-28543
+---
+ fontforge/sfd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 6b980a4785..0590c119f3 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -3653,6 +3653,10 @@ static ImageList *SFDGetImage(FILE *sfd) {
+ getint(sfd,&image_type);
+ getint(sfd,&bpl);
+ getint(sfd,&clutlen);
++ if ( clutlen < 0 || clutlen > 256 ) {
++ LogError(_("Invalid clut length %d in sfd file, must be between 0 and 256"), clutlen);
++ return NULL;
++ }
+ gethex(sfd,&trans);
+ image = GImageCreate(image_type,width,height);
+ base = image->list_len==0?image->u.image:image->u.images[0];
diff --git a/5722.patch b/5722.patch
new file mode 100644
index 0000000..ef5778e
--- /dev/null
+++ b/5722.patch
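Review bot: The added check in SFDGetImage() hard-codes 256 in both the condition and the message, while the array it protects is declared outside the hunk, so the bound and the array size can drift apart unnoticed. A comment above the check such as `/* clutlen is read from the SFD file; it must not exceed the fixed-size clut array */`, or a bound derived from the array itself, would keep the two tied together. The return value of `getint(sfd,&clutlen);` is ignored, so it is worth confirming that clutlen has a defined value when the read fails; its initialisation is not visible here. The neighbouring `image_type` and `bpl` are read the same way and reach `GImageCreate()` and the code after it with no check in the visible lines.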
@@ -0,0 +1,27 @@
+From f99b1c886c0d9324440517a7a4253c5432e284ad Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+Date: Thu, 8 Jan 2026 15:38:57 +0000
+Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing
+
+Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing
+the next pointer after shallow copy. The shallow copy propagates liga's
+modified next pointer from previous iterations, creating a cycle that
+causes double-free when the list is traversed and freed.
+
+Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564
+---
+ fontforge/sfd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 6b980a4785..48b2b5f651 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -4711,6 +4711,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) {
+ while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) {
+ new = chunkalloc(sizeof( PST1 ));
+ *new = *liga;
++ new->pst.next = NULL;
+ new->pst.u.lig.components = copy(pt+1);
+ last->pst.next = (PST *) new;
+ last = new;
diff --git a/5723.patch b/5723.patch
new file mode 100644
index 0000000..1ac73b5
--- /dev/null
+++ b/5723.patch
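Review bot: The new `new->pst.next = NULL;` line in LigaCreateFromOldStyleMultiple() carries no comment, and without the commit message it looks redundant next to the `last->pst.next = (PST *) new;` assignment two lines below. A one-line comment such as `/* *new = *liga also copies liga's next link; clear it so the list stays acyclic */` would keep a later cleanup from removing it. The struct copy duplicates every other pointer member of `*liga` as well, and only `components` is replaced with a fresh copy in the visible lines. Any other owned pointer in PST1 would therefore be shared between nodes, which is worth confirming against the struct definition outside this hunk. The loop body continues past the end of the hunk.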
@@ -0,0 +1,35 @@
+From a0eedb850e1216cece0f9be61bfd45ddfc4a719d Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+Date: Fri, 9 Jan 2026 13:39:17 +0000
+Subject: [PATCH] Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block
+
+Move the bounds check to inside the 'if (cnt >= 3)' block. This fixes
+the issue where cnt == 0, cnt == 1, and cnt == 2 require different ii
+calculations (end-of-line, end-of-bitmap, delta) and the bounds check
+before the conditional would incorrectly reject valid operations.
+
+CVE-2025-15279
+CVSS: 7.8 (High)
+ZDI-CAN-27517
+---
+ gutils/gimagereadbmp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 133336787c..ad365158cc 100644
+--- a/gutils/gimagereadbmp.c
++++ b/gutils/gimagereadbmp.c
+@@ -190,10 +190,10 @@ static int readpixels(FILE *file,struct bmpheader *head) {
+ head->byte_pixels[ii++] = ch;
+ } else {
+ cnt = getc(file);
+- if (cnt < 0 || ii + cnt > head->height * head->width) {
+- return 0;
+- }
+ if ( cnt>= 3 ) {
++ if (ii + cnt > head->height * head->width) {
++ return 0;
++ }
+ int odd = cnt&1;
+ while ( --cnt>=0 )
+ head->byte_pixels[ii++] = getc(file);
diff --git a/SOURCES/Fix_Splinefont_shell_invocation.patch b/Fix_Splinefont_shell_invocation.patch
similarity index 100%
rename from SOURCES/Fix_Splinefont_shell_invocation.patch
rename to Fix_Splinefont_shell_invocation.patch
diff --git a/SOURCES/fontforge-20200314-Call-gdk_set_allowed_backends-before-gdk_init.patch b/SOURCES/fontforge-20200314-Call-gdk_set_allowed_backends-before-gdk_init.patch
deleted file mode 100644
index 6c1e797..0000000
--- a/SOURCES/fontforge-20200314-Call-gdk_set_allowed_backends-before-gdk_init.patch
+++ /dev/null
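Review bot: Moving the check inside `if ( cnt>= 3 )` also drops the `cnt < 0` test on the second `cnt = getc(file);`, so an EOF at that point is no longer rejected and falls through to the escape-code branches outside the hunk. EOF is not one of the escape values the commit message lists (0, 1, 2), so `if (cnt < 0) return 0;` directly after that read would restore the rejection without touching the valid cases. The pixel bytes copied by `head->byte_pixels[ii++] = getc(file);` are likewise stored without an EOF test, so a file truncated inside an absolute run is not reported as an error in the visible lines. How the end-of-line, end-of-bitmap and delta branches bound `ii` cannot be judged from this hunk, since they lie past its last line.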
@@ -1,27 +0,0 @@
-From ee14a6389d19e2f45219134058e07f10585fa6d3 Mon Sep 17 00:00:00 2001
-From: Jeremy Tan
-Date: Thu, 2 Apr 2020 18:03:47 +0800
-Subject: [PATCH] Call gdk_set_allowed_backends before gdk_init
-
-Fixes #4247
----
- fontforgeexe/startui.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fontforgeexe/startui.c b/fontforgeexe/startui.c
-index 06f5200a4..114bb7fb6 100644
---- a/fontforgeexe/startui.c
-+++ b/fontforgeexe/startui.c
-@@ -1182,8 +1182,8 @@ int fontforge_main( int argc, char **argv ) {
- #endif
- }
- #ifdef FONTFORGE_CAN_USE_GDK
-- gdk_init(&argc, &argv);
- gdk_set_allowed_backends("win32,quartz,x11");
-+ gdk_init(&argc, &argv);
- #endif
- ensureDotFontForgeIsSetup();
- #if defined(__MINGW32__) && !defined(_NO_LIBCAIRO)
---
-2.26.0
-
diff --git a/SOURCES/fontforge-20200314-minor-backward-compatible-sphinx-changes.patch b/SOURCES/fontforge-20200314-minor-backward-compatible-sphinx-changes.patch
deleted file mode 100644
index e73412e..0000000
--- a/SOURCES/fontforge-20200314-minor-backward-compatible-sphinx-changes.patch
+++ /dev/null
@@ -1,161 +0,0 @@ -From 1a03ca2de0b4c99ee72b330b56e89cc90fe773ae Mon Sep 17 00:00:00 2001 -From: Jeremy Tan -Date: Sat, 4 Apr 2020 11:43:34 +1100 -Subject: [PATCH] Minor changes for backwards compatibility with older versions - of Sphinx - -Closes #4256 ---- - doc/sphinx/conf.py | 3 +++ - doc/sphinx/techref/splinefont.rst | 26 ++++++++++++------------- - doc/sphinx/ui/misc/fontforge-themes.rst | 2 +- - 3 files changed, 17 insertions(+), 14 deletions(-) - -diff --git a/doc/sphinx/conf.py b/doc/sphinx/conf.py -index 4b22e2eaf6..f2df68676e 100644 ---- a/doc/sphinx/conf.py -+++ b/doc/sphinx/conf.py -@@ -68,6 +68,9 @@ - # Don't copy source rst files into the output - html_copy_source = False - -+# Set the main page -+master_doc = 'index' -+ - # Custom roles must be in the prolog, not the epilog! - rst_prolog = ''' - .. role:: small -diff --git a/doc/sphinx/techref/splinefont.rst b/doc/sphinx/techref/splinefont.rst -index 98248f7a5e..60399d3912 100644 ---- a/doc/sphinx/techref/splinefont.rst -+++ b/doc/sphinx/techref/splinefont.rst -@@ -195,7 +195,7 @@ The bounding box of a :ref:`Spline `, - :ref:`SplineChar `, :ref:`RefChar `, - :ref:`Image `, or whatever else needs a bounding box. - --.. code-block:: -+.. code-block:: default - :name: splinefont.BDFFloat - - typedef struct bdffloat { -@@ -206,7 +206,7 @@ The bounding box of a :ref:`Spline `, - - The floating selection in a :ref:`BDFChar `. - --.. code-block:: -+.. code-block:: default - :name: splinefont.Undoes - - typedef struct undoes { -@@ -277,7 +277,7 @@ both the splines and the bitmaps of a character. - ut_mult is used when doing a copy from the FontView where you are copying more - than one character. - --.. code-block:: -+.. code-block:: default - :name: splinefont.BDFChar - - typedef struct bdfchar { -@@ -318,7 +318,7 @@ represented by a byte rather than a bit. There is a clut for this in the BDFFont - The last thing in the BDFChar is a (/an optional) floating selection. 
Only - present if the user has made a selection or done a paste or something like that. - --.. code-block:: -+.. code-block:: default - :name: splinefont.BDFFont - - typedef struct bdffont { -@@ -345,7 +345,7 @@ contains a count of the number of entries in the array, and then the array - itself. Currently the number of entries here is always 16, but that could - change. - --.. code-block:: -+.. code-block:: default - :name: splinefont.SplinePoint - - enum pointtype { pt_curve, pt_corner, pt_tangent }; -@@ -405,7 +405,7 @@ drawing it. They are cached so they don't need to be regenerated each time. - There's a different set of lines for every scale (as there is a different amount - of visible detail). They get freed and regenerated if the Spline changes. - --.. code-block:: -+.. code-block:: default - :name: splinefont.Spline - - typedef struct spline1d { -@@ -439,7 +439,7 @@ some are used in other places too. - The Spline1D structures give the equations for the x and y coordinates - respectively (splines[0] is for x, splines[1] is for y). - --.. code-block:: -+.. code-block:: default - :name: splinefont.SplinePointList - - typedef struct splinepointlist { -@@ -463,7 +463,7 @@ to). A SplinePointList is a connected path. There are three cases: - Generally a series of paths will make up a character, and they are linked - together on the next field. - --.. code-block:: -+.. code-block:: default - :name: splinefont.RefChar - - typedef struct refchar { -@@ -498,7 +498,7 @@ themselves). The selected field indicates that the reference is selected. The bb - field provides a transformed bounding box. And the sc field points to the - SplineChar we are referring to. - --.. code-block:: -+.. code-block:: default - :name: splinefont.KernPair - - typedef struct kernpair { -@@ -514,7 +514,7 @@ offset between them (or rather the difference from what their respective left - and right bearings would lead you to believe it should be). Next points to the - next kernpair. - --.. 
code-block:: -+.. code-block:: default - :name: splinefont.Hints - - typedef struct hints { -@@ -532,7 +532,7 @@ y space) of where the stem starts, and width is how long it is. Width may be - negative (in which case base is where the stem ends). Next points to the next - hint for the character. - --.. code-block:: -+.. code-block:: default - :name: splinefont.ImageList - - typedef struct imagelist { -@@ -551,7 +551,7 @@ not support any other transformations on images). The bounding box is after the - transformations have been applied. The next field points to the next image, and - selected indicates whether this one is selected or not. - --.. code-block:: -+.. code-block:: default - :name: splinefont.SplineChar - - typedef struct splinechar { -@@ -623,7 +623,7 @@ follow this one. For instance the combination "VA" might need kerning, then the - SplineChar representing "V" would have a pointer to a - :ref:`KernPair ` with data on "A". - --.. code-block:: -+.. code-block:: default - :name: splinefont.SplineFont - - typedef struct splinefont { -diff --git a/doc/sphinx/ui/misc/fontforge-themes.rst b/doc/sphinx/ui/misc/fontforge-themes.rst -index 8df505634f..5bf3f6edd5 100644 ---- a/doc/sphinx/ui/misc/fontforge-themes.rst -+++ b/doc/sphinx/ui/misc/fontforge-themes.rst -@@ -4,7 +4,7 @@ FontForge color schemes - The following are some suggestions for color schemes. You simply copy these into - your ~/.Xdefaults file and then run - --.. code-block:: -+.. code-block:: default - :name: fontforge-themes.shell - - $ xrdb ~/.Xdefaults diff --git a/SPECS/fontforge.spec b/fontforge.spec similarity index 71% rename from SPECS/fontforge.spec rename to fontforge.spec index aab9a81..d9fafef 100644 --- a/SPECS/fontforge.spec +++ b/fontforge.spec 
@@ -1,25 +1,33 @@ %global gettext_package FontForge -%global gittag0 20200314 Name: fontforge -Version: 20200314 -Release: 6%{?dist} +Version: 20230101 +Release: 14%{?dist} Summary: Outline and bitmap font editor -License: GPLv3+ +License: GPL-3.0-or-later URL: http://fontforge.github.io/ -Source0: https://github.com/fontforge/%{name}/archive/%{gittag0}.tar.gz#/%{name}-%{version}.tar.gz - -# https://github.com/fontforge/fontforge/pull/4253 -Patch0: fontforge-20200314-Call-gdk_set_allowed_backends-before-gdk_init.patch -# https://github.com/fontforge/fontforge/pull/4257 -Patch1: fontforge-20200314-minor-backward-compatible-sphinx-changes.patch +Source0: https://github.com/fontforge/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz +# Fix translations with gettext-0.22, https://github.com/fontforge/fontforge/pull/5257 +Patch0: 0001-Fix-errors-in-French-and-Italian-translations.patch # https://github.com/fontforge/fontforge/pull/5367 # Fixes CVE-2024-25081 and CVE-2024-25082 -Patch2: Fix_Splinefont_shell_invocation.patch +Patch1: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5367.patch#/Fix_Splinefont_shell_invocation.patch +# CVE-2025-15279 https://github.com/fontforge/fontforge/pull/5720 +# https://sourceforge.net/p/fontforge/patches/32/ +Patch2: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5720.patch +# CVE-2025-15275 https://github.com/fontforge/fontforge/pull/5721 +# https://sourceforge.net/p/fontforge/patches/37/ +Patch3: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5721.patch +# CVE-2025-15269 https://github.com/fontforge/fontforge/pull/5722 +# https://sourceforge.net/p/fontforge/patches/40/ +Patch4: https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5722.patch +# CVE-2025-15279 https://github.com/fontforge/fontforge/pull/5723 +# https://sourceforge.net/p/fontforge/patches/32/ +Patch5: 
https://patch-diff.githubusercontent.com/raw/fontforge/fontforge/pull/5723.patch Requires: xdg-utils -Requires: autotrace +Requires: (autotrace or potrace) Requires: hicolor-icon-theme BuildRequires: gcc-c++ @@ -31,7 +39,6 @@ BuildRequires: giflib-devel BuildRequires: libxml2-devel BuildRequires: freetype-devel BuildRequires: desktop-file-utils -BuildRequires: libuninameslist-devel BuildRequires: libXt-devel BuildRequires: xorg-x11-proto-devel BuildRequires: gettext @@ -41,11 +48,16 @@ BuildRequires: libspiro-devel BuildRequires: python3-devel BuildRequires: readline-devel BuildRequires: libappstream-glib +BuildRequires: woff2-devel # F25 build is failing add following to fix BuildRequires: shared-mime-info # F33 onward need now BuildRequires: gtk3-devel BuildRequires: python3-sphinx +BuildRequires: make + +%py_provides python3-fontforge +%py_provides python3-psMat %description FontForge (former PfaEdit) is a font editor for outline and bitmap @@ -71,34 +83,19 @@ This package contains documentation files for %{name}. %prep -%setup -q -%patch -P 0 -p1 -%patch -P 1 -p1 -%patch -P 2 -p1 +%autosetup -p1 # Remove tests that requires Internet access -sed -i '45d;83d;101d;102d;114d;115d;125d' tests/CMakeLists.txt -rm tests/test003.pe tests/test130.pe tests/test0101.py tests/test929.py -# Remove tests for s390x -rm tests/test0004.py tests/test1009.py tests/test1010.py -# Remove desktop-file-validate warning -sed -i '5d' desktop/org.fontforge.FontForge.desktop +sed -i '45d;82d;101d;127d' tests/CMakeLists.txt %build -rm -rf build && mkdir build -pushd build export CFLAGS="%{optflags} -fno-strict-aliasing" - -%cmake .. -DCMAKE_BUILD_TYPE=Release - -%{make_build} -popd +%cmake -DCMAKE_BUILD_TYPE=Release \ + -DENABLE_WOFF2=ON +%cmake_build %install -pushd build -%{make_install} -popd - +%cmake_install desktop-file-install \ --dir $RPM_BUILD_ROOT%{_datadir}/applications \ 
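Review bot: Patch2 and Patch5 in the first fontforge.spec hunk both carry the comment `# CVE-2025-15279` with the same sourceforge link, and nothing records that Patch5 (pull/5723) amends the check introduced by Patch2 (pull/5720) and only applies on top of it. A comment above Patch5 such as `# Follow-up to Patch2 (pull/5720): relocates the second bounds check, apply after it` would keep a later rebase from dropping or reordering one of them. The Patch1 to Patch5 URLs point at pull-request `.patch` endpoints, whose content can change if the pull request is updated. The committed copies are what gets built, so any refresh from those URLs should be diffed against the files in this repository before it is accepted.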
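Review bot: In `%prep`, `sed -i '45d;82d;101d;127d' tests/CMakeLists.txt` removes the network-dependent tests by line number, so after any upstream change to that file it silently deletes different lines and may leave a test that needs Internet access enabled in `%check`. Deleting by test name, for example `sed -i '/<TEST_NAME_PLACEHOLDER>/d' tests/CMakeLists.txt` once per affected test, keeps the intent readable and survives a version bump. A comment naming the four tests and why each needs the network would also make the next update easier to verify.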
@@ -116,7 +113,7 @@ appstream-util validate-relax --nonet %{buildroot}%{_metainfodir}/*.appdata.xml %find_lang %{gettext_package} %check -pushd build +pushd %{__cmake_builddir} make check popd @@ -129,7 +126,6 @@ popd %{_datadir}/fontforge %{_datadir}/icons/hicolor/*/apps/org.fontforge.FontForge* %{_mandir}/man1/*.1* -%{_datadir}/pixmaps/org.fontforge.FontForge* %{_datadir}/mime/packages/fontforge.xml %{_metainfodir}/org.fontforge.FontForge.appdata.xml %{python3_sitearch}/fontforge.so 
@@ -142,43 +138,172 @@ popd %doc %{_pkgdocdir} %changelog -* Thu Apr 04 2024 Parag Nemade - 20200314-6 -- Resolves: RHEL-26715 - fontforge: various flaws - (CVE-2024-25081 and CVE-2024-25082) +* Tue Jan 27 2026 Parag Nemade - 20230101-14 +- Resolves: RHEL-138159 + CVE-2025-15279 GUtils BMP File Parsing Heap-based Buffer Overflow +- Resolves: RHEL-138144 + CVE-2025-15275 SFD File Parsing Heap-based Buffer Overflow +- Resolves: RHEL-138126 + CVE-2025-15269 SFD File Parsing Use-After-Free -* Mon Dec 14 2020 Parag Nemade - 20200314-5 +* Tue Oct 29 2024 Troy Dawson - 20230101-13 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 + +* Mon Jun 24 2024 Troy Dawson - 20230101-12 +- Bump release for June 2024 mass rebuild + +* Tue Apr 16 2024 Parag Nemade - 20230101-11 +- Resolves: RHEL-31498 various flaws + CVE-2024-25081 and CVE-2024-25082 +- Add gating.yaml file + +* Wed Jan 24 2024 Fedora Release Engineering - 20230101-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 20230101-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Aug 10 2023 Yaakov Selkowitz - 20230101-8 +- Drop unused libuninameslist dependency + +* Tue Aug 08 2023 Yaakov Selkowitz - 20230101-7 +- Allow potrace as an alternative to autotrace + +* Wed Jul 19 2023 Fedora Release Engineering - 20230101-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Fri Jul 07 2023 Parag Nemade - 20230101-5 +- Fix fr.po and it.po translations issue + +* Wed Jun 14 2023 Python Maint - 20230101-4 +- Rebuilt for Python 3.12 + +* Thu Jan 19 2023 Fedora Release Engineering - 20230101-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Jan 02 2023 Parag Nemade - 20230101-2 +- Update license tag to SPDX format +- Fix test failure + +* Mon Jan 02 2023 Parag Nemade - 20230101-1 +- Update to 20230101 version (#2157290) + +* Thu Jul 21 2022 Fedora Release 
Engineering - 20220308-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 13 2022 Python Maint - 20220308-2 +- Rebuilt for Python 3.11 + +* Thu Mar 10 2022 Parag Nemade - 20220308-1 +- Update to 20220308 version (#2062047) + +* Thu Jan 20 2022 Fedora Release Engineering - 20201107-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Wed Jul 21 2021 Fedora Release Engineering - 20201107-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Jun 04 2021 Python Maint - 20201107-4 +- Rebuilt for Python 3.10 + +* Mon Feb 01 2021 Parag Nemade - 20201107-3 - The %%find_lang should run as part of %%install only -* Mon Dec 07 2020 Parag Nemade - 20200314-4 -- Minor changes for backwards compatibility with older versions of Sphinx - Resolves: rhbz#1646212 +* Tue Jan 26 2021 Fedora Release Engineering - 20201107-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild -* Wed Apr 08 2020 Parag Nemade - 20170731-15 -- Resolves:rh#1821664 - out-of-bounds write in sfd.c +* Wed Nov 25 2020 Parag Nemade - 20201107-1 +- Update to 20201107 version (#1895648) +- removed %%gittag0 macro, as it cause problem to automated package update script -* Thu Jan 16 2020 Parag Nemade - 20170731-14 -- Resolves:rh#1790974 - out-of-bounds write in sfd.c +* Sun Nov 22 2020 Benjamin A. Beasley - 20200314-10 +- Add py_provides macros to provide python3-fontforge, python3-psMat, etc. 
-* Sun Jun 02 2019 Parag Nemade - 20170731-13 -- Resolves:rh#1665940 - harden the missing splinerefigure.c file +* Wed Aug 05 2020 Parag Nemade - 20200314-9 +- Fix FTBFS bug by fixing glossary.rst and using new CMake macros -* Fri May 31 2019 Parag Nemade - 20170731-12 -- Resolves:rh#1665940 - Fixed covscan patch to fix some font packages build +* Sat Aug 01 2020 Fedora Release Engineering - 20200314-8 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild -* Mon May 20 2019 Parag Nemade - 20170731-11 -- Resolves:rh#1682233 - Fixed gating.yml rule +* Mon Jul 27 2020 Fedora Release Engineering - 20200314-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild -* Sat May 18 2019 Parag Nemade - 20170731-10 -- Resolves:rh#1682233 - fontforge changes blocked until gating tests are added +* Tue May 26 2020 Miro Hrončok - 20200314-6 +- Rebuilt for Python 3.9 -* Mon May 13 2019 Parag Nemade - 20170731-9 -- Resolves:rh#1665940 - fontforge: Use after free during dejavu-fonts build +* Sat May 02 2020 Parag Nemade - 20200314-5 +- Resolves:rhbz#1830502 - Add missing WOFF2 support -* Tue Oct 30 2018 Parag Nemade - 20170731-8 -- Resolves:rh#1644224 - fix some issues from covscan patch +* Wed Apr 15 2020 Parag Nemade - 20200314-4 +- Resolves:rhbz#1823525 - fontforge fails to build with Sphinx 3.0.0 -* Sat Sep 22 2018 Parag Nemade - 20170731-7 -- Resolves:rh#1602497 - Fix some covscan issues +* Thu Apr 02 2020 Parag Nemade - 20200314-3 +- Fix the GDK backend UI issues +- Move back to using GDK backend + +* Fri Mar 27 2020 Parag Nemade - 20200314-2 +- Enabled X11 and 2012 theme + +* Wed Mar 25 2020 Parag Nemade - 20200314-1 +- Update to 20200314 version (#1813578) + +* Sun Feb 16 2020 Parag Nemade - 20190801-6 +- another fix for rh#1790042 - CVE-2020-5395:out-of-bounds write in sfd.c + +* Tue Jan 28 2020 Fedora Release Engineering - 20190801-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Jan 16 2020 
Parag Nemade - 20190801-4 +- Resolves:rh#1790042 - CVE-2020-5395:out-of-bounds write in sfd.c + +* Tue Aug 27 2019 Kevin Fenzi - 20190801-3 +- Rebuild for new libspiro + +* Mon Aug 19 2019 Miro Hrončok - 20190801-2 +- Rebuilt for Python 3.8 + +* Thu Aug 15 2019 Parag Nemade - 20190801-1 +- Update to 20190801 version (#1739819) +- Upstream moved to use Glib's GHashTable over uthash +- Upstream dropped requiring bundling copy of gnulib + +* Fri Aug 02 2019 Parag Nemade - 20190413-4 +- Fix the conditional for rh#1728058 + +* Thu Jul 25 2019 Fedora Release Engineering - 20190413-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Jul 23 2019 Parag Nemade - 20190413-2 +- make the code compatible with python-3.8 (rh#1728058) + +* Sat Apr 13 2019 Parag Nemade - 20190413-1 +- Update to 20190413 version (#1689629) + +* Mon Mar 25 2019 Parag Nemade - 20190317-1 +- Update to 20190317 release (#1689629) + +* Sun Feb 17 2019 Igor Gnatenko - 20170731-12 +- Rebuild for readline 8.0 + +* Thu Jan 31 2019 Fedora Release Engineering - 20170731-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jul 23 2018 Miro Hrončok - 20170731-10 +- Rebuilt for #1595421 + +* Fri Jul 13 2018 Fedora Release Engineering - 20170731-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jul 04 2018 Kevin Fenzi - -8 +- Update bundled gnulib. Fixes bug #1596037 + +* Thu Jun 28 2018 Miro Hrončok - 20170731-7 +- Rebuilt for Python 3.7.0 final (#1595421) + +* Tue Jun 19 2018 Miro Hrončok - 20170731-6 +- Rebuilt for Python 3.7 * Sun Feb 11 2018 Sandro Mani - 20170731-5 - Rebuild (giflib) diff --git a/sources b/sources new file mode 100644 index 0000000..b0ab3ee --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (fontforge-20230101.tar.gz) = 67c21f7e55a78097ef7d7d9abac3add2017400015a6a9dfd56674d933bdba963cb6c4e631ae066026fe1862298d60dd968dec61a9bbee7253dd2f7d105655178