fontforge: patch CVE-2025-15270

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15270 Pick the patch that mentions this vulnerbaility explicitly in its description. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-02-02 14:50:44 +0100
committer: Khem Raj <raj.khem@gmail.com> 2026-02-02 19:54:39 -0800
commit: 713739da294f1545829e7551f2b63c237c4b4d87 (patch)
tree: 505c79109d439046066639cae6b8e21b03f40047
parent: dd81ffdb685bd9c2ce1b27d0e5ff3f8e5551e3ad (diff)
download: meta-openembedded-713739da294f1545829e7551f2b63c237c4b4d87.tar.gz
2 files changed, 46 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch
new file mode 100644
index 0000000000..2ff0fd0b08
--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch
@@ -0,0 +1,45 @@
+From 99067ccd695619686646905e637993f0654abb41 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sat, 31 Jan 2026 21:23:41 +0100
+Subject: [PATCH] Fix CVE-2025-15270: Heap buffer overflow in SFD kern class
+ parsing (#5743)
+From: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com>
+Fixes: CVE-2025-15270 | ZDI-25-1194 | ZDI-CAN-28563
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+CVE: CVE-2025-15270
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/d01333a5bfa2ac4ed698c24b323d02107deacad7]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ fontforge/sfd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index be4220515..d550f02fb 100644
+--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
+@@ -8147,6 +8147,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
+        for ( i=classstart; i<kc->first_cnt; ++i ) {
+          if (kernclassversion < 3) {
+            getint(sfd,&temp);
+           if (temp < 0) {
+             LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
+             return false;
+           }
+            kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0';
+            nlgetc(sfd);        /* skip space */
+            fread(kc->firsts[i],1,temp,sfd);
+@@ -8164,6 +8168,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
+        for ( i=1; i<kc->second_cnt; ++i ) {
+          if (kernclassversion < 3) {
+            getint(sfd,&temp);
+           if (temp < 0) {
+             LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
+             return false;
+           }
+            kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0';
+            nlgetc(sfd);        /* skip space */
+            fread(kc->seconds[i],1,temp,sfd);
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
index cc45740153..8d65f69354 100644
--- a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
+++ b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
@@ -22,6 +22,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https;tag=$
           file://CVE-2025-15279-2.patch \
           file://CVE-2025-15275.patch \
           file://CVE-2025-15269.patch \
+           file://CVE-2025-15270.patch \
           "
 EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-02-02 14:50:44 +0100
committer	Khem Raj <raj.khem@gmail.com>	2026-02-02 19:54:39 -0800
commit	713739da294f1545829e7551f2b63c237c4b4d87 (patch)
tree	505c79109d439046066639cae6b8e21b03f40047
parent	dd81ffdb685bd9c2ce1b27d0e5ff3f8e5551e3ad (diff)
download	meta-openembedded-713739da294f1545829e7551f2b63c237c4b4d87.tar.gz

diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch new file mode 100644 index 0000000000..2ff0fd0b08 --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch
@@ -0,0 +1,45 @@
		1	From 99067ccd695619686646905e637993f0654abb41 Mon Sep 17 00:00:00 2001
		2	From: Gyorgy Sarvari <skandigraun@gmail.com>
		3	Date: Sat, 31 Jan 2026 21:23:41 +0100
		4	Subject: [PATCH] Fix CVE-2025-15270: Heap buffer overflow in SFD kern class
		5	parsing (#5743)
		6
		7	From: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com>
		8
		9	Fixes: CVE-2025-15270 \| ZDI-25-1194 \| ZDI-CAN-28563
		10
		11	Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
		12
		13	CVE: CVE-2025-15270
		14	Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/d01333a5bfa2ac4ed698c24b323d02107deacad7]
		15	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		16	---
		17	fontforge/sfd.c \| 8 ++++++++
		18	1 file changed, 8 insertions(+)
		19
		20	diff --git a/fontforge/sfd.c b/fontforge/sfd.c
		21	index be4220515..d550f02fb 100644
		22	--- a/fontforge/sfd.c
		23	+++ b/fontforge/sfd.c
		24	@@ -8147,6 +8147,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
		25	for ( i=classstart; i<kc->first_cnt; ++i ) {
		26	if (kernclassversion < 3) {
		27	getint(sfd,&temp);
		28	+ if (temp < 0) {
		29	+ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
		30	+ return false;
		31	+ }
		32	kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0';
		33	nlgetc(sfd); /* skip space */
		34	fread(kc->firsts[i],1,temp,sfd);
		35	@@ -8164,6 +8168,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
		36	for ( i=1; i<kc->second_cnt; ++i ) {
		37	if (kernclassversion < 3) {
		38	getint(sfd,&temp);
		39	+ if (temp < 0) {
		40	+ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
		41	+ return false;
		42	+ }
		43	kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0';
		44	nlgetc(sfd); /* skip space */
		45	fread(kc->seconds[i],1,temp,sfd);


diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb index cc45740153..8d65f69354 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
@@ -22,6 +22,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https;tag=$
22	file://CVE-2025-15279-2.patch \	22	file://CVE-2025-15279-2.patch \
23	file://CVE-2025-15275.patch \	23	file://CVE-2025-15275.patch \
24	file://CVE-2025-15269.patch \	24	file://CVE-2025-15269.patch \
		25	file://CVE-2025-15270.patch \
25	"	26	"
26		27
27	EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"	28	EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"