| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-11-30 20:44:13 +0100 |
|---|---|---|
| committer | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-11-30 20:48:07 +0100 |
| commit | 2491ea2ffb7d1b8f5025b41b949b7d7bce02ab81 (patch) | |
| tree | 821bf9ab68a54db27f65b07bf59d2d8486a71997 | |
| parent | 48d2305f488b9613707ef830beca9d1760a394e5 (diff) | |
| download | meta-openembedded-2491ea2ffb7d1b8f5025b41b949b7d7bce02ab81.tar.gz | |
fontforge: patch CVE-2020-5395, CVE-2020-25690 and CVE-2020-5496
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-5395
https://nvd.nist.gov/vuln/detail/CVE-2020-25690
https://nvd.nist.gov/vuln/detail/CVE-2020-5496
The same patch fixes all three.
The patch for CVE-2020-25690 is mentioned in the Red Hat bug that is
referenced in the NVD report.
The patch for CVE-2020-5395 is mentioned in the GitHub issue that
is referenced in the NVD report.
The patch for CVE-2020-5496 is mentioned in the comments of the issue
that is linked in the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
3 files changed, 116 insertions, 1 deletions
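--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-1.patch
@@ -0,0 +1,81 @@
+From 169bfc28246c10493ac085c9e9ed5b0ab58ac979 Mon Sep 17 00:00:00 2001
+From: Skef Iterum <unknown>
+Date: Mon, 6 Jan 2020 03:05:06 -0800
+Subject: [PATCH] Fix for #4084 Use-after-free (heap) in the
+SFD_GetFontMetaData() function Fix for #4086 NULL pointer dereference in the
+SFDGetSpiros() function Fix for #4088 NULL pointer dereference in the
+SFD_AssignLookups() function Add empty sf->fontname string if it isn't set,
+fixing #4089 #4090 and many other potential issues (many downstream calls to
+strlen() on the value).
+
+CVE: CVE-2020-25690 CVE-2020-5395 CVE-2020-5496
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/048a91e2682c1a8936ae34dbc7bd70291ec05410]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+fontforge/sfd.c | 19 ++++++++++++++-----
+fontforge/sfd1.c | 2 +-
+2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 214163343..cdce0b08a 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -4032,13 +4032,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {
+while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
+if ( cur!=NULL ) {
+if ( cur->spiro_cnt>=cur->spiro_max )
+- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
++ cur->spiros = realloc(cur->spiros,
++ (cur->spiro_max+=10)*sizeof(spiro_cp));
+cur->spiros[cur->spiro_cnt++] = cp;
+}
+}
+- if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
++ if ( cur!=NULL && cur->spiro_cnt>0
++ && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+if ( cur->spiro_cnt>=cur->spiro_max )
+- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
++ cur->spiros = realloc(cur->spiros,
++ (cur->spiro_max+=1)*sizeof(spiro_cp));
+memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
+cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
+}
+@@ -7992,10 +7995,12 @@ bool SFD_GetFontMetaData( FILE *sfd,
+else if ( strmatch(tok,"LayerCount:")==0 )
+{
+d->had_layer_cnt = true;
+- getint(sfd,&sf->layer_cnt);
+- if ( sf->layer_cnt>2 ) {
++ int layer_cnt_tmp;
++ getint(sfd,&layer_cnt_tmp);
++ if ( layer_cnt_tmp>2 ) {
+sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
++ sf->layer_cnt = layer_cnt_tmp;
+}
+}
+else if ( strmatch(tok,"Layer:")==0 )
+@@ -8948,6 +8953,10 @@ exit( 1 );
+}
+}
+
++ // Many downstream functions assume this isn't NULL (use strlen, etc.)
++ if ( sf->fontname==NULL)
++ sf->fontname = copy("");
++
+if ( fromdir )
+sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
+else if ( sf->subfontcnt!=0 ) {
+diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c
+index cf931059d..b42f83267 100644
+--- a/fontforge/sfd1.c
++++ b/fontforge/sfd1.c
+@@ -674,7 +674,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {
+
+/* Fix up some gunk from really old versions of the sfd format */
+SFDCleanupAnchorClasses(&sf->sf);
+- if ( sf->sf.uni_interp==ui_unset )
++ if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
+sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
+
+/* Fixup for an old bug */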
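Review bot: In the SFDGetSpiros hunk the rewrapped `cur->spiros = realloc(cur->spiros, (cur->spiro_max+=10)*sizeof(spiro_cp));` still assigns realloc's result straight back, and the next line writes `cur->spiros[cur->spiro_cnt++]` with no NULL check. Because the loop is driven by `fscanf` on the SFD file, an allocation failure on a large or hostile file would drop the old buffer and write through a NULL pointer. The second realloc in that hunk and `sf->layers = realloc(...)` in the LayerCount hunk (also touched by CVE-2020-25690-2.patch) follow the same pattern. A follow-up could hold the result in a temporary, `spiro_cp *tmp = realloc(cur->spiros, (cur->spiro_max+10)*sizeof(spiro_cp));`, and update `cur->spiros` and `cur->spiro_max` only when `tmp` is non-NULL. The enclosing functions start and end outside the hunks, so how they should report the failure is not visible here.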
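--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-2.patch
@@ -0,0 +1,32 @@
+From c169022972d82ee0da4812e77aa8f560d173fcd7 Mon Sep 17 00:00:00 2001
+From: Fredrick Brennan <copypaste@kittens.ph>
+Date: Tue, 21 Jan 2020 15:16:00 +0800
+Subject: [PATCH] Fix crash on exit introduced in previous commit
+
+When the number of layers is greater than 2, as in Chomsky.sfd and most
+of my other fonts, FontForge will crash on exiting.
+
+This is just a simple mistake @skef made.
+
+CVE: CVE-2020-25690 CVE-2020-5395 CVE-2020-5496
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/b96273acc691ac8a36c6a8dd4de8e6edd7eaae59]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+fontforge/sfd.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index cdce0b08a..132f9fa0c 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -7998,9 +7998,9 @@ bool SFD_GetFontMetaData( FILE *sfd,
+int layer_cnt_tmp;
+getint(sfd,&layer_cnt_tmp);
+if ( layer_cnt_tmp>2 ) {
++ sf->layer_cnt = layer_cnt_tmp;
+sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
+- sf->layer_cnt = layer_cnt_tmp;
+}
+}
+else if ( strmatch(tok,"Layer:")==0 )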
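Review bot: `layer_cnt_tmp` comes straight from the SFD file and is only checked with `>2`, so after this reorder both `sf->layer_cnt*sizeof(LayerInfo)` and the `memset` length are computed from an unbounded file value. On targets where `size_t` is 32 bits the product can wrap, which would leave `sf->layers` smaller than `sf->layer_cnt` claims. A guard such as `if ( layer_cnt_tmp>2 && (size_t)layer_cnt_tmp<=SIZE_MAX/sizeof(LayerInfo) ) {` would rule that out. `getint`'s return value is also ignored and `layer_cnt_tmp` has no initialiser; if `getint` can return without storing a value (its body is not on this page), `int layer_cnt_tmp = 0;` keeps the comparison well defined. SFD_GetFontMetaData starts and ends outside the hunk.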
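--- a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
+++ b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
@@ -17,7 +17,9 @@ REQUIRED_DISTRO_FEATURES:append:class-target = " x11"
 SRCREV = "ac635b818e38ddb8e7e2e1057330a32b4e25476e"
 SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \
 file://0001-include-sys-select-on-non-glibc-platforms.patch \
-"
+file://CVE-2020-25690-1.patch \
+file://CVE-2020-25690-2.patch \
+"
 S = "${WORKDIR}/git"
 
 EXTRA_OECONF += "--without-libuninameslist --enable-python-scripting --enable-python-extension"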
