fontforge: patch CVE-2025-15269

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15269 Pick the patch that refers to this vulnerability ID explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-27 07:50:18 +0100
committer: Khem Raj <raj.khem@gmail.com> 2026-01-30 23:59:10 -0800
commit: 049c89877cc8a8590554c63508d2c78aae0989f7 (patch)
tree: 08cd5183c98099c807a15ae3a27c1455ea650817 /meta-oe
parent: 5dddc4f5200f512ec44cc12596358a825a31149e (diff)
download: meta-openembedded-049c89877cc8a8590554c63508d2c78aae0989f7.tar.gz
2 files changed, 37 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch
new file mode 100644
index 0000000000..a3e26d407a
--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch
@@ -0,0 +1,36 @@
+From 6a23476bc5eea880f3f24496710a6133c92a198b Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sat, 10 Jan 2026 20:06:53 +0100
+Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing
+ (#5722)
+From: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com>
+Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing
+the next pointer after shallow copy. The shallow copy propagates liga's
+modified next pointer from previous iterations, creating a cycle that
+causes double-free when the list is traversed and freed.
+Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+CVE: CVE-2025-15269
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/6aea6db5da332d8ac94e3501bb83c1b21f52074d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ fontforge/sfd.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index e19d3a30f..be4220515 100644
+--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
+@@ -4647,6 +4647,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) {
+     while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) {
+        new = chunkalloc(sizeof( PST1 ));
+        *new = *liga;
+       new->pst.next = NULL;
+        new->pst.u.lig.components = copy(pt+1);
+        last->pst.next = (PST *) new;
+        last = new;
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
index 4203c1ef58..cc45740153 100644
--- a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
+++ b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
@@ -21,6 +21,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https;tag=$
           file://CVE-2025-15279-1.patch \
           file://CVE-2025-15279-2.patch \
           file://CVE-2025-15275.patch \
+           file://CVE-2025-15269.patch \
           "
 EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-27 07:50:18 +0100
committer	Khem Raj <raj.khem@gmail.com>	2026-01-30 23:59:10 -0800
commit	049c89877cc8a8590554c63508d2c78aae0989f7 (patch)
tree	08cd5183c98099c807a15ae3a27c1455ea650817 /meta-oe
parent	5dddc4f5200f512ec44cc12596358a825a31149e (diff)
download	meta-openembedded-049c89877cc8a8590554c63508d2c78aae0989f7.tar.gz

diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch new file mode 100644 index 0000000000..a3e26d407a --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch
@@ -0,0 +1,36 @@
		1	From 6a23476bc5eea880f3f24496710a6133c92a198b Mon Sep 17 00:00:00 2001
		2	From: Gyorgy Sarvari <skandigraun@gmail.com>
		3	Date: Sat, 10 Jan 2026 20:06:53 +0100
		4	Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing
		5	(#5722)
		6
		7	From: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com>
		8
		9	Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing
		10	the next pointer after shallow copy. The shallow copy propagates liga's
		11	modified next pointer from previous iterations, creating a cycle that
		12	causes double-free when the list is traversed and freed.
		13
		14	Fixes: CVE-2025-15269 \| ZDI-25-1195 \| ZDI-CAN-28564
		15
		16	Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
		17
		18	CVE: CVE-2025-15269
		19	Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/6aea6db5da332d8ac94e3501bb83c1b21f52074d]
		20	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		21	---
		22	fontforge/sfd.c \| 1 +
		23	1 file changed, 1 insertion(+)
		24
		25	diff --git a/fontforge/sfd.c b/fontforge/sfd.c
		26	index e19d3a30f..be4220515 100644
		27	--- a/fontforge/sfd.c
		28	+++ b/fontforge/sfd.c
		29	@@ -4647,6 +4647,7 @@ static PST1 LigaCreateFromOldStyleMultiple(PST1 liga) {
		30	while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) {
		31	new = chunkalloc(sizeof( PST1 ));
		32	new = liga;
		33	+ new->pst.next = NULL;
		34	new->pst.u.lig.components = copy(pt+1);
		35	last->pst.next = (PST *) new;
		36	last = new;


diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb index 4203c1ef58..cc45740153 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
@@ -21,6 +21,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https;tag=$
21	file://CVE-2025-15279-1.patch \	21	file://CVE-2025-15279-1.patch \
22	file://CVE-2025-15279-2.patch \	22	file://CVE-2025-15279-2.patch \
23	file://CVE-2025-15275.patch \	23	file://CVE-2025-15275.patch \
		24	file://CVE-2025-15269.patch \
24	"	25	"
25		26
26	EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"	27	EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"