diff options
| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-01-27 07:50:18 +0100 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2026-01-30 23:59:10 -0800 |
| commit | 049c89877cc8a8590554c63508d2c78aae0989f7 (patch) | |
| tree | 08cd5183c98099c807a15ae3a27c1455ea650817 /meta-oe | |
| parent | 5dddc4f5200f512ec44cc12596358a825a31149e (diff) | |
| download | meta-openembedded-049c89877cc8a8590554c63508d2c78aae0989f7.tar.gz | |
fontforge: patch CVE-2025-15269
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15269
Pick the patch that refers to this vulnerability ID explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe')
| -rw-r--r-- | meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch | 36 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb | 1 |
2 files changed, 37 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch new file mode 100644 index 0000000000..a3e26d407a --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch | |||
| @@ -0,0 +1,36 @@ | |||
| 1 | From 6a23476bc5eea880f3f24496710a6133c92a198b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 3 | Date: Sat, 10 Jan 2026 20:06:53 +0100 | ||
| 4 | Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing | ||
| 5 | (#5722) | ||
| 6 | |||
| 7 | From: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com> | ||
| 8 | |||
| 9 | Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing | ||
| 10 | the next pointer after shallow copy. The shallow copy propagates liga's | ||
| 11 | modified next pointer from previous iterations, creating a cycle that | ||
| 12 | causes double-free when the list is traversed and freed. | ||
| 13 | |||
| 14 | Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564 | ||
| 15 | |||
| 16 | Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com> | ||
| 17 | |||
| 18 | CVE: CVE-2025-15269 | ||
| 19 | Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/6aea6db5da332d8ac94e3501bb83c1b21f52074d] | ||
| 20 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 21 | --- | ||
| 22 | fontforge/sfd.c | 1 + | ||
| 23 | 1 file changed, 1 insertion(+) | ||
| 24 | |||
| 25 | diff --git a/fontforge/sfd.c b/fontforge/sfd.c | ||
| 26 | index e19d3a30f..be4220515 100644 | ||
| 27 | --- a/fontforge/sfd.c | ||
| 28 | +++ b/fontforge/sfd.c | ||
| 29 | @@ -4647,6 +4647,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) { | ||
| 30 | while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) { | ||
| 31 | new = chunkalloc(sizeof( PST1 )); | ||
| 32 | *new = *liga; | ||
| 33 | + new->pst.next = NULL; | ||
| 34 | new->pst.u.lig.components = copy(pt+1); | ||
| 35 | last->pst.next = (PST *) new; | ||
| 36 | last = new; | ||
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb index 4203c1ef58..cc45740153 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb | |||
| @@ -21,6 +21,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https;tag=$ | |||
| 21 | file://CVE-2025-15279-1.patch \ | 21 | file://CVE-2025-15279-1.patch \ |
| 22 | file://CVE-2025-15279-2.patch \ | 22 | file://CVE-2025-15279-2.patch \ |
| 23 | file://CVE-2025-15275.patch \ | 23 | file://CVE-2025-15275.patch \ |
| 24 | file://CVE-2025-15269.patch \ | ||
| 24 | " | 25 | " |
| 25 | 26 | ||
| 26 | EXTRA_OECMAKE = "-DENABLE_DOCS=OFF" | 27 | EXTRA_OECMAKE = "-DENABLE_DOCS=OFF" |
