[email protected] writes:
> Hello oss-security,
>
> [...]
>
> == Upstream maintainer response ==
> We reported this downstream impact to FontForge upstream as
> https://github.com/fontforge/fontforge/issues/5799 (2026-04-15).
> The issue was closed within hours under "Community-guidelines #D1",
> which states that the project does not accept security reports without
> an accompanying fix PR.
>

I'll note that the linked #D1 guidelines [0] say:

> FontForge SHOULD NOT, EVER receive untrusted input. Most users only
> use it to edit their own fonts and sometimes popular open-source
> fonts. Even if we fix all the issues findable with automated tools,
> there are many, many memory bugs in FontForge.

Of course, there's the usual question of whether all users and possibly scripts invoking FontForge are aware of this, but I don't think this is an unreasonable position for a project to have by itself.

[0] https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1

> Context: ZDI submitted 12 unrelated FontForge CVEs in 2025-12 and
> received the same response
> (https://github.com/fontforge/fontforge/issues/5706).
>
> We post here so distributors and downstream packagers have a public,
> independent record of the FontForge -> FreeType linkage status, and
> can verify their own builds.
> [...]

sam
