Hello community,

here is the log from the commit of package fontforge for openSUSE:Factory checked in at 2026-04-09 16:08:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fontforge (Old)
 and /work/SRC/openSUSE:Factory/.fontforge.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fontforge" Thu Apr 9 16:08:26 2026 rev:67 rq:1345117 version:20251009 Changes: -------- --- /work/SRC/openSUSE:Factory/fontforge/fontforge.changes 2026-02-05 18:01:38.194719022 +0100 +++ /work/SRC/openSUSE:Factory/.fontforge.new.21863/fontforge.changes 2026-04-09 16:10:18.742917259 +0200 @@ -1,0 +2,13 @@ +Fri Apr 3 12:12:43 UTC 2026 - Cliff Zhao <[email protected]> + +- Add fontforge-CVE-2025-15270.patch: + Backport d01333a5 from upstream, add validation to check for + negative kern class name length values before using them as + array indices. This fixes a heap buffer overflow where malicious + SFD files could supply negative length values (e.g., -1, -38, -139), + causing writes to memory before the allocated buffer through + kc->firsts[i][temp] = '\0' and kc->seconds[i][temp] = '\0' + operations. + (CVE-2025-15270, ZDI-CAN-28563, ZDI-25-1194, bsc#1256031) + +------------------------------------------------------------------- New: ---- fontforge-CVE-2025-15270.patch ----------(New B)---------- New: - Add fontforge-CVE-2025-15270.patch: Backport d01333a5 from upstream, add validation to check for ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fontforge.spec ++++++ --- /var/tmp/diff_new_pack.feui7Z/_old 2026-04-09 16:10:22.879087905 +0200 +++ /var/tmp/diff_new_pack.feui7Z/_new 2026-04-09 16:10:22.879087905 +0200 
@@ -47,6 +47,8 @@ Patch10: fontforge-fix-crash-for-content-over-32767-characters-in-GDraw.patch # PATCH-FIX-UPSTREAM fontforge-fix-multiple-crashes-in-Multiple-Masters.patch [email protected] -- Fix multiple crashes in Multiple Masters (#5733). Patch11: fontforge-fix-multiple-crashes-in-Multiple-Masters.patch +# PATCH-FIX-UPSTREAM fontforge-CVE-2025-15270.patch CVE-2025-15270 ZDI-CAN-28563 ZDI-25-1194 bsc#1256031 -- Add validation to check for negative kern class name length values. +Patch12: fontforge-CVE-2025-15270.patch BuildRequires: cairo-devel BuildRequires: cmake BuildRequires: fdupes ++++++ fontforge-CVE-2025-15270.patch ++++++ commit d01333a5bfa2ac4ed698c24b323d02107deacad7 (HEAD, 20260131_CVE-2025-15270_bsc#1256031_tag_None_d01333a5bfa2ac4ed698c24b323d02107deacad7) Author: Ahmet Furkan Kavraz <[email protected]> Date: Sat Jan 31 21:23:41 2026 +0100 Fix CVE-2025-15270: Heap buffer overflow in SFD kern class parsing (#5743) Fixes: CVE-2025-15270 | ZDI-25-1194 | ZDI-CAN-28563 Co-authored-by: Ahmet Furkan Kavraz <[email protected]> diff a/fontforge/sfd.c b/fontforge/sfd.c --- a/fontforge/sfd.c +++ b/fontforge/sfd.c @@ -8147,6 +8147,10 @@ bool SFD_GetFontMetaData( FILE *sfd, for ( i=classstart; i<kc->first_cnt; ++i ) { if (kernclassversion < 3) { getint(sfd,&temp); + if (temp < 0) { + LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp); + return false; + } kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0'; nlgetc(sfd); /* skip space */ fread(kc->firsts[i],1,temp,sfd); @@ -8164,6 +8168,10 @@ bool SFD_GetFontMetaData( FILE *sfd, for ( i=1; i<kc->second_cnt; ++i ) { if (kernclassversion < 3) { getint(sfd,&temp); + if (temp < 0) { + LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp); + return false; + } kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0'; nlgetc(sfd); /* skip space */ fread(kc->seconds[i],1,temp,sfd);
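Review bot: in the first sfd.c hunk (the kc->firsts loop), the new check rejects temp < 0 but the allocation right after it is still unchecked: kc->firsts[i] = malloc(temp+1) is followed directly by kc->firsts[i][temp] = '\0' with no NULL test, so a very large positive length read from the file that makes malloc fail still ends in an invalid write. Suggest adding an upper bound on temp or a NULL check before the store, and checking the return value of fread(kc->firsts[i],1,temp,sfd) so a short read does not leave the name partly uninitialized. The visible lines also show no cleanup before return false; worth confirming that kc and the names allocated in earlier iterations are released on this path.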
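Review bot: in the second sfd.c hunk (the kc->seconds loop), the four added lines are a verbatim copy of the check in the kc->firsts loop, and the LogError text is identical, so a log entry cannot tell which side or which class index was rejected. Suggest moving the read length, validate, allocate, terminate sequence into one helper used by both loops, and including i and first/second in the message, so any later tightening of the length check lands in both places at once.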
