Bug#1064967: fontforge DSA (was: Re: Bug#1064967: fontforge: diff for NMU version 1:20230101~dfsg-1.1)

2024-03-19 Thread Salvatore Bonaccorso
Hi Adrian,

On Sat, Mar 16, 2024 at 12:12:01AM +0200, Adrian Bunk wrote:
> On Wed, Mar 13, 2024 at 08:39:47PM +0100, Salvatore Bonaccorso wrote:
> > Hi Adrian,
> 
> Hi Salvatore,
> 
> > On Fri, Mar 08, 2024 at 02:03:55AM +0200, Adrian Bunk wrote:
> > > Control: tags 1064967 + patch
> > > Control: tags 1064967 + pending
> > > 
> > > Dear maintainer,
> > > 
> > > I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and
> > > uploaded it to DELAYED/2. Please feel free to tell me if I should cancel 
> > > it.
> > > 
> > > @Security team:
> > > If wanted, I could afterwards also prepare (pu or DSA) updates for 
> > > bookworm and bullseye.
> > 
> > We came to the conclusion that it warrants a DSA. Could you prepare
> > debdiffs for bookworm-security and bullseye-security?
> 
> the debdiffs are attached.
> 
> Tested on both releases with the PoCs from [1] and that opening a normal 
> compressed font still works.

DSA for your work released.

Thanks for your contribution!

Regards,
Salvatore



Bug#1064967: fontforge DSA (was: Re: Bug#1064967: fontforge: diff for NMU version 1:20230101~dfsg-1.1)

2024-03-16 Thread Salvatore Bonaccorso
Hi Adrian,

On Sat, Mar 16, 2024 at 12:12:01AM +0200, Adrian Bunk wrote:
> On Wed, Mar 13, 2024 at 08:39:47PM +0100, Salvatore Bonaccorso wrote:
> > Hi Adrian,
> 
> Hi Salvatore,
> 
> > On Fri, Mar 08, 2024 at 02:03:55AM +0200, Adrian Bunk wrote:
> > > Control: tags 1064967 + patch
> > > Control: tags 1064967 + pending
> > > 
> > > Dear maintainer,
> > > 
> > > I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and
> > > uploaded it to DELAYED/2. Please feel free to tell me if I should cancel 
> > > it.
> > > 
> > > @Security team:
> > > If wanted, I could afterwards also prepare (pu or DSA) updates for 
> > > bookworm and bullseye.
> > 
> > We came to the conclusion that it warrants a DSA. Could you prepare
> > debdiffs for bookworm-security and bullseye-security?
> 
> the debdiffs are attached.
> 
> Tested on both releases with the PoCs from [1] and that opening a normal 
> compressed font still works.

Thanks for the debdiffs and providing as well the done testing
background.

Please do upload to security-master (both will need to be built with
-sa).

Regards,
Salvatore



Bug#1064967: fontforge DSA (was: Re: Bug#1064967: fontforge: diff for NMU version 1:20230101~dfsg-1.1)

2024-03-15 Thread Adrian Bunk
On Wed, Mar 13, 2024 at 08:39:47PM +0100, Salvatore Bonaccorso wrote:
> Hi Adrian,

Hi Salvatore,

> On Fri, Mar 08, 2024 at 02:03:55AM +0200, Adrian Bunk wrote:
> > Control: tags 1064967 + patch
> > Control: tags 1064967 + pending
> > 
> > Dear maintainer,
> > 
> > I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and
> > uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.
> > 
> > @Security team:
> > If wanted, I could afterwards also prepare (pu or DSA) updates for 
> > bookworm and bullseye.
> 
> We came to the conclusion that it warrants a DSA. Could you prepare
> debdiffs for bookworm-security and bullseye-security?

the debdiffs are attached.

Tested on both releases with the PoCs from [1] and that opening a normal 
compressed font still works.

> Regards,
> Salvatore

cu
Adrian

[1] https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/
diffstat for fontforge-20201107~dfsg fontforge-20201107~dfsg

 changelog  |   10 
 patches/0001-fix-splinefont-shell-command-injection-5367.patch |  181 ++
 patches/series |1 
 3 files changed, 192 insertions(+)

diff -Nru fontforge-20201107~dfsg/debian/changelog fontforge-20201107~dfsg/debian/changelog
--- fontforge-20201107~dfsg/debian/changelog	2021-01-15 17:55:46.0 +0200
+++ fontforge-20201107~dfsg/debian/changelog	2024-03-15 22:56:38.0 +0200
@@ -1,3 +1,13 @@
+fontforge (1:20201107~dfsg-4+deb11u1) bullseye-security; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2024-25081: Spline Font command injection via crafted filenames
+  * CVE-2024-25082: Spline Font command injection via crafted archives
+or compressed files
+  * Closes: #1064967
+
+ -- Adrian Bunk   Fri, 15 Mar 2024 22:56:38 +0200
+
 fontforge (1:20201107~dfsg-4) unstable; urgency=medium
 
   * Rename extended to extendeddbl to avoid FTBFS on Hurd.
diff -Nru fontforge-20201107~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch fontforge-20201107~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch
--- fontforge-20201107~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch	1970-01-01 02:00:00.0 +0200
+++ fontforge-20201107~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch	2024-03-15 22:48:11.0 +0200
@@ -0,0 +1,181 @@
+From 216eb14b558df344b206bf82e2bdaf03a1f2f429 Mon Sep 17 00:00:00 2001
+From: Peter Kydas 
+Date: Tue, 6 Feb 2024 20:03:04 +1100
+Subject: fix splinefont shell command injection (#5367)
+
+---
+ fontforge/splinefont.c | 125 +
+ 1 file changed, 90 insertions(+), 35 deletions(-)
+
+diff --git a/fontforge/splinefont.c b/fontforge/splinefont.c
+index 239fdc035..647daee10 100644
+--- a/fontforge/splinefont.c
 b/fontforge/splinefont.c
+@@ -788,11 +788,14 @@ return( name );
+ 
+ char *Unarchive(char *name, char **_archivedir) {
+ char *dir = getenv("TMPDIR");
+-char *pt, *archivedir, *listfile, *listcommand, *unarchivecmd, 
*desiredfile;
++char *pt, *archivedir, *listfile, *desiredfile;
+ char *finalfile;
+ int i;
+ int doall=false;
+ static int cnt=0;
++gchar *command[5];
++gchar *stdoutresponse = NULL;
++gchar *stderrresponse = NULL;
+ 
+ *_archivedir = NULL;
+ 
+@@ -827,18 +830,30 @@ return( NULL );
+ listfile = malloc(strlen(archivedir)+strlen("/" TOC_NAME)+1);
+ sprintf( listfile, "%s/" TOC_NAME, archivedir );
+ 
+-listcommand = malloc( strlen(archivers[i].unarchive) + 1 +
+-  strlen( archivers[i].listargs) + 1 +
+-  strlen( name ) + 3 +
+-  strlen( listfile ) +4 );
+-sprintf( listcommand, "%s %s %s > %s", archivers[i].unarchive,
+-  archivers[i].listargs, name, listfile );
+-if ( system(listcommand)!=0 ) {
+-  free(listcommand); free(listfile);
+-  ArchiveCleanup(archivedir);
+-return( NULL );
+-}
+-free(listcommand);
++command[0] = archivers[i].unarchive;
++command[1] = archivers[i].listargs;
++command[2] = name;
++command[3] = NULL; // command args need to be NULL-terminated
++
++if ( g_spawn_sync(
++  NULL,
++  command,
++  NULL,
++  G_SPAWN_SEARCH_PATH, 
++  NULL, 
++  NULL, 
++  , 
++  , 
++  NULL, 
++  NULL
++  ) == FALSE) { // did not successfully execute
++  ArchiveCleanup(archivedir);
++  return( NULL );
++}
++// Write out the listfile to be read in later
++FILE *fp = fopen(listfile, "wb");
++fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp);
++fclose(fp);
+ 
+ desiredfile = 
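Review bot: the switch from `system(listcommand)` to `g_spawn_sync()` in the `Unarchive()` hunk drops the exit-status check the old code had (`if ( system(listcommand)!=0 ) { ... return( NULL ); }`): the wait-status and `GError` arguments of `g_spawn_sync()` are both passed as `NULL`, so only a failure to spawn the lister is caught, and a lister that runs but exits nonzero (a truncated or malformed archive, an unsupported option) now has whatever it printed written to `listfile` as if it were a valid table of contents. Suggest declaring `gint status;`, passing `&status` as the ninth argument, and returning `NULL` via `ArchiveCleanup(archivedir)` exactly as before when `g_spawn_check_exit_status(status, NULL)` returns FALSE (that function exists in the GLib shipped with both bullseye and bookworm; GLib 2.70 renamed it `g_spawn_check_wait_status`). Two smaller points in the same region: `FILE *fp = fopen(listfile, "wb");` is dereferenced by `fwrite`/`fclose` without a NULL check, which crashes instead of failing cleanly when TMPDIR is not writable, and the `stdoutresponse`/`stderrresponse` buffers that `g_spawn_sync()` allocates are not `g_free()`d anywhere in the visible part of the hunk. The move from a shell command string to an argv array is the right fix for the injection itself, since `name` is no longer interpreted by `/bin/sh`.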

Bug#1064967: fontforge DSA (was: Re: Bug#1064967: fontforge: diff for NMU version 1:20230101~dfsg-1.1)

2024-03-13 Thread Salvatore Bonaccorso
Hi Adrian,

On Fri, Mar 08, 2024 at 02:03:55AM +0200, Adrian Bunk wrote:
> Control: tags 1064967 + patch
> Control: tags 1064967 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.
> 
> @Security team:
> If wanted, I could afterwards also prepare (pu or DSA) updates for 
> bookworm and bullseye.

We came to the conclusion that it warrants a DSA. Could you prepare
debdiffs for bookworm-security and bullseye-security?

Regards,
Salvatore