On Wed, Mar 13, 2024 at 08:39:47PM +0100, Salvatore Bonaccorso wrote:
> Hi Adrian,
Hi Salvatore,
> On Fri, Mar 08, 2024 at 02:03:55AM +0200, Adrian Bunk wrote:
> > Control: tags 1064967 + patch
> > Control: tags 1064967 + pending
> >
> > Dear maintainer,
> >
> > I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and
> > uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.
> >
> > @Security team:
> > If wanted, I could afterwards also prepare (pu or DSA) updates for
> > bookworm and bullseye.
>
> We came to the conclusion that it warrants a DSA. Could you prepare
> debdiffs for bookworm-security and bullseye-security?
The debdiffs are attached.
Tested on both releases with the PoCs from [1] and that opening a normal
compressed font still works.
> Regards,
> Salvatore
cu
Adrian
[1] https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/
diffstat for fontforge-20201107~dfsg fontforge-20201107~dfsg

 changelog                                                      |   10
 patches/0001-fix-splinefont-shell-command-injection-5367.patch |  181 ++
 patches/series                                                 |    1
 3 files changed, 192 insertions(+)
diff -Nru fontforge-20201107~dfsg/debian/changelog fontforge-20201107~dfsg/debian/changelog
--- fontforge-20201107~dfsg/debian/changelog	2021-01-15 17:55:46.0 +0200
+++ fontforge-20201107~dfsg/debian/changelog	2024-03-15 22:56:38.0 +0200
@@ -1,3 +1,13 @@
+fontforge (1:20201107~dfsg-4+deb11u1) bullseye-security; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-25081: Spline Font command injection via crafted filenames
+ * CVE-2024-25082: Spline Font command injection via crafted archives
+or compressed files
+ * Closes: #1064967
+
+ -- Adrian Bunk Fri, 15 Mar 2024 22:56:38 +0200
+
fontforge (1:20201107~dfsg-4) unstable; urgency=medium
* Rename extended to extendeddbl to avoid FTBFS on Hurd.
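Review bot: the two CVE bullets in the new changelog entry do not say which upstream change they backport; naming the upstream commit that the added patch carries (216eb14b558d, upstream #5367) next to the CVE ids would let a reader trace the fix from the changelog alone. If the unindented continuation line `+or compressed files` is not just mail wrapping, it should be indented under its bullet so the entry parses as one item.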
diff -Nru fontforge-20201107~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch fontforge-20201107~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch
--- fontforge-20201107~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch	1970-01-01 02:00:00.0 +0200
+++ fontforge-20201107~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch	2024-03-15 22:48:11.0 +0200
@@ -0,0 +1,181 @@
+From 216eb14b558df344b206bf82e2bdaf03a1f2f429 Mon Sep 17 00:00:00 2001
+From: Peter Kydas
+Date: Tue, 6 Feb 2024 20:03:04 +1100
+Subject: fix splinefont shell command injection (#5367)
+
+---
+ fontforge/splinefont.c | 125 +
+ 1 file changed, 90 insertions(+), 35 deletions(-)
+
+diff --git a/fontforge/splinefont.c b/fontforge/splinefont.c
+index 239fdc035..647daee10 100644
+--- a/fontforge/splinefont.c
b/fontforge/splinefont.c
+@@ -788,11 +788,14 @@ return( name );
+
+ char *Unarchive(char *name, char **_archivedir) {
+ char *dir = getenv("TMPDIR");
+-char *pt, *archivedir, *listfile, *listcommand, *unarchivecmd,
*desiredfile;
++char *pt, *archivedir, *listfile, *desiredfile;
+ char *finalfile;
+ int i;
+ int doall=false;
+ static int cnt=0;
++gchar *command[5];
++gchar *stdoutresponse = NULL;
++gchar *stderrresponse = NULL;
+
+ *_archivedir = NULL;
+
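Review bot: `stdoutresponse` and `stderrresponse` are introduced here as the buffers that g_spawn_sync fills, and GLib allocates those with g_malloc, so every return path after the spawn in the next hunk (the `ArchiveCleanup` branch as well as the normal exit where `listfile` is freed) needs a `g_free()` for both; as written the captured lister output leaks on each archive open. Minor: `gchar *command[5]` only ever receives three arguments plus the NULL terminator, so either size it 4 or leave a comment explaining the spare slot.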
+@@ -827,18 +830,30 @@ return( NULL );
+ listfile = malloc(strlen(archivedir)+strlen("/" TOC_NAME)+1);
+ sprintf( listfile, "%s/" TOC_NAME, archivedir );
+
+-listcommand = malloc( strlen(archivers[i].unarchive) + 1 +
+- strlen( archivers[i].listargs) + 1 +
+- strlen( name ) + 3 +
+- strlen( listfile ) +4 );
+-sprintf( listcommand, "%s %s %s > %s", archivers[i].unarchive,
+- archivers[i].listargs, name, listfile );
+-if ( system(listcommand)!=0 ) {
+- free(listcommand); free(listfile);
+- ArchiveCleanup(archivedir);
+-return( NULL );
+-}
+-free(listcommand);
++command[0] = archivers[i].unarchive;
++command[1] = archivers[i].listargs;
++command[2] = name;
++command[3] = NULL; // command args need to be NULL-terminated
++
++if ( g_spawn_sync(
++ NULL,
++ command,
++ NULL,
++ G_SPAWN_SEARCH_PATH,
++ NULL,
++ NULL,
++ ,
++ ,
++ NULL,
++ NULL
++ ) == FALSE) { // did not successfully execute
++ ArchiveCleanup(archivedir);
++ return( NULL );
++}
++// Write out the listfile to be read in later
++FILE *fp = fopen(listfile, "wb");
++fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp);
++fclose(fp);
+
+ desiredfile =
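Review bot: replacing `system(listcommand)!=0` with the g_spawn_sync call drops the check on the lister's exit status: g_spawn_sync's return value only says whether the child could be started, and the exit_status out-parameter (ninth argument) is passed as NULL, so a lister that runs but fails (unsupported or corrupt archive) now produces an empty or partial listfile that is read in as if the listing succeeded, where the old code returned NULL. Pass an `int exit_status` and check it with `g_spawn_check_exit_status()` (bullseye's GLib predates `g_spawn_check_wait_status()`) before writing the listfile, cleaning up on failure as before. Two smaller points in the same hunk: `FILE *fp = fopen(listfile, "wb");` is not checked for NULL before `fwrite`, and the seventh and eighth arguments of the call appear blank in the mail where the `&stdoutresponse`/`&stderrresponse` addresses presumably sit, which is worth confirming in the applied patch file.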