On Wed, Mar 13, 2024 at 08:39:47PM +0100, Salvatore Bonaccorso wrote:
> Hi Adrian,
Hi Salvatore,
> On Fri, Mar 08, 2024 at 02:03:55AM +0200, Adrian Bunk wrote:
> > Control: tags 1064967 + patch
> > Control: tags 1064967 + pending
> >
> > Dear maintainer,
> >
> > I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and
> > uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.
> >
> > @Security team:
> > If wanted, I could afterwards also prepare (pu or DSA) updates for
> > bookworm and bullseye.
>
> We came to the conclusion that it warrants a DSA. Could you prepare
> debdiffs for bookworm-security and bulseye-security?
the debdiffs are attached.
Tested on both releases with the PoCs from [1] and that opening a normal
compressed font still works.
> Regards,
> Salvatore
cu
Adrian
[1]
https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/
diffstat for fontforge-20201107~dfsg fontforge-20201107~dfsg
changelog | 10
patches/0001-fix-splinefont-shell-command-injection-5367.patch | 181
++++++++++
patches/series | 1
3 files changed, 192 insertions(+)
diff -Nru fontforge-20201107~dfsg/debian/changelog
fontforge-20201107~dfsg/debian/changelog
--- fontforge-20201107~dfsg/debian/changelog 2021-01-15 17:55:46.000000000
+0200
+++ fontforge-20201107~dfsg/debian/changelog 2024-03-15 22:56:38.000000000
+0200
@@ -1,3 +1,13 @@
+fontforge (1:20201107~dfsg-4+deb11u1) bullseye-security; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-25081: Spline Font command injection via crafted filenames
+ * CVE-2024-25082: Spline Font command injection via crafted archives
+ or compressed files
+ * Closes: #1064967
+
+ -- Adrian Bunk <b...@debian.org> Fri, 15 Mar 2024 22:56:38 +0200
+
fontforge (1:20201107~dfsg-4) unstable; urgency=medium
* Rename extended to extendeddbl to avoid FTBFS on Hurd.
diff -Nru
fontforge-20201107~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch
fontforge-20201107~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch
---
fontforge-20201107~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch
1970-01-01 02:00:00.000000000 +0200
+++
fontforge-20201107~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch
2024-03-15 22:48:11.000000000 +0200
@@ -0,0 +1,181 @@
+From 216eb14b558df344b206bf82e2bdaf03a1f2f429 Mon Sep 17 00:00:00 2001
+From: Peter Kydas <p...@canva.com>
+Date: Tue, 6 Feb 2024 20:03:04 +1100
+Subject: fix splinefont shell command injection (#5367)
+
+---
+ fontforge/splinefont.c | 125 +++++++++++++++++++++++++++++------------
+ 1 file changed, 90 insertions(+), 35 deletions(-)
+
+diff --git a/fontforge/splinefont.c b/fontforge/splinefont.c
+index 239fdc035..647daee10 100644
+--- a/fontforge/splinefont.c
++++ b/fontforge/splinefont.c
+@@ -788,11 +788,14 @@ return( name );
+
+ char *Unarchive(char *name, char **_archivedir) {
+ char *dir = getenv("TMPDIR");
+- char *pt, *archivedir, *listfile, *listcommand, *unarchivecmd,
*desiredfile;
++ char *pt, *archivedir, *listfile, *desiredfile;
+ char *finalfile;
+ int i;
+ int doall=false;
+ static int cnt=0;
++ gchar *command[5];
++ gchar *stdoutresponse = NULL;
++ gchar *stderrresponse = NULL;
+
+ *_archivedir = NULL;
+
+@@ -827,18 +830,30 @@ return( NULL );
+ listfile = malloc(strlen(archivedir)+strlen("/" TOC_NAME)+1);
+ sprintf( listfile, "%s/" TOC_NAME, archivedir );
+
+- listcommand = malloc( strlen(archivers[i].unarchive) + 1 +
+- strlen( archivers[i].listargs) + 1 +
+- strlen( name ) + 3 +
+- strlen( listfile ) +4 );
+- sprintf( listcommand, "%s %s %s > %s", archivers[i].unarchive,
+- archivers[i].listargs, name, listfile );
+- if ( system(listcommand)!=0 ) {
+- free(listcommand); free(listfile);
+- ArchiveCleanup(archivedir);
+-return( NULL );
+- }
+- free(listcommand);
++ command[0] = archivers[i].unarchive;
++ command[1] = archivers[i].listargs;
++ command[2] = name;
++ command[3] = NULL; // command args need to be NULL-terminated
++
++ if ( g_spawn_sync(
++ NULL,
++ command,
++ NULL,
++ G_SPAWN_SEARCH_PATH,
++ NULL,
++ NULL,
++ &stdoutresponse,
++ &stderrresponse,
++ NULL,
++ NULL
++ ) == FALSE) { // did not successfully execute
++ ArchiveCleanup(archivedir);
++ return( NULL );
++ }
++ // Write out the listfile to be read in later
++ FILE *fp = fopen(listfile, "wb");
++ fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp);
++ fclose(fp);
+
+ desiredfile = ArchiveParseTOC(listfile, archivers[i].ars, &doall);
+ free(listfile);
+@@ -847,22 +862,28 @@ return( NULL );
+ return( NULL );
+ }
+
+- /* I tried sending everything to stdout, but that doesn't work if the */
+- /* output is a directory file (ufo, sfdir) */
+- unarchivecmd = malloc( strlen(archivers[i].unarchive) + 1 +
+- strlen( archivers[i].listargs) + 1 +
+- strlen( name ) + 1 +
+- strlen( desiredfile ) + 3 +
+- strlen( archivedir ) + 30 );
+- sprintf( unarchivecmd, "( cd %s ; %s %s %s %s ) > /dev/null", archivedir,
+- archivers[i].unarchive,
+- archivers[i].extractargs, name, doall ? "" : desiredfile );
+- if ( system(unarchivecmd)!=0 ) {
+- free(unarchivecmd); free(desiredfile);
+- ArchiveCleanup(archivedir);
+-return( NULL );
++ command[0] = archivers[i].unarchive;
++ command[1] = archivers[i].extractargs;
++ command[2] = name;
++ command[3] = doall ? "" : desiredfile;
++ command[4] = NULL;
++
++ if ( g_spawn_sync(
++ (gchar*)archivedir,
++ command,
++ NULL,
++ G_SPAWN_SEARCH_PATH,
++ NULL,
++ NULL,
++ &stdoutresponse,
++ &stderrresponse,
++ NULL,
++ NULL
++ ) == FALSE) { // did not successfully execute
++ free(desiredfile);
++ ArchiveCleanup(archivedir);
++ return( NULL );
+ }
+- free(unarchivecmd);
+
+ finalfile = malloc( strlen(archivedir) + 1 + strlen(desiredfile) + 1);
+ sprintf( finalfile, "%s/%s", archivedir, desiredfile );
+@@ -885,20 +906,54 @@ struct compressors compressors[] = {
+
+ char *Decompress(char *name, int compression) {
+ char *dir = getenv("TMPDIR");
+- char buf[1500];
+ char *tmpfn;
+-
++ gchar *command[4];
++ gint stdout_pipe;
++ gchar buffer[4096];
++ gssize bytes_read;
++ GByteArray *binary_data = g_byte_array_new();
++
+ if ( dir==NULL ) dir = P_tmpdir;
+ tmpfn = malloc(strlen(dir)+strlen(GFileNameTail(name))+2);
+ strcpy(tmpfn,dir);
+ strcat(tmpfn,"/");
+ strcat(tmpfn,GFileNameTail(name));
+ *strrchr(tmpfn,'.') = '\0';
+- snprintf( buf, sizeof(buf), "%s < %s > %s",
compressors[compression].decomp, name, tmpfn );
+- if ( system(buf)==0 )
+-return( tmpfn );
+- free(tmpfn);
+-return( NULL );
++
++ command[0] = compressors[compression].decomp;
++ command[1] = "-c";
++ command[2] = name;
++ command[3] = NULL;
++
++ // Have to use async because g_spawn_sync doesn't handle nul-bytes in the
output (which happens with binary data)
++ if (g_spawn_async_with_pipes(
++ NULL,
++ command,
++ NULL,
++ G_SPAWN_DO_NOT_REAP_CHILD | G_SPAWN_SEARCH_PATH,
++ NULL,
++ NULL,
++ NULL,
++ NULL,
++ &stdout_pipe,
++ NULL,
++ NULL) == FALSE) {
++ //command has failed
++ return( NULL );
++ }
++
++ // Read binary data from pipe and output to file
++ while ((bytes_read = read(stdout_pipe, buffer, sizeof(buffer))) > 0) {
++ g_byte_array_append(binary_data, (guint8 *)buffer, bytes_read);
++ }
++ close(stdout_pipe);
++
++ FILE *fp = fopen(tmpfn, "wb");
++ fwrite(binary_data->data, sizeof(gchar), binary_data->len, fp);
++ fclose(fp);
++ g_byte_array_free(binary_data, TRUE);
++
++ return(tmpfn);
+ }
+
+ static char *ForceFileToHaveName(FILE *file, char *exten) {
+--
+2.30.2
+
diff -Nru fontforge-20201107~dfsg/debian/patches/series
fontforge-20201107~dfsg/debian/patches/series
--- fontforge-20201107~dfsg/debian/patches/series 2021-01-15
17:16:27.000000000 +0200
+++ fontforge-20201107~dfsg/debian/patches/series 2024-03-15
22:48:25.000000000 +0200
@@ -5,3 +5,4 @@
0005-hurd-rename-extended-to-avoid-conflict-with-gnumach-dev.patch
2003_avoid_privacy_breach.patch
2004-fix-privacy-breach-logo.patch
+0001-fix-splinefont-shell-command-injection-5367.patch
diffstat for fontforge-20230101~dfsg fontforge-20230101~dfsg
changelog | 17
patches/0001-fix-splinefont-shell-command-injection-5367.patch | 181
++++++++++
patches/series | 1
3 files changed, 199 insertions(+)
diff -Nru fontforge-20230101~dfsg/debian/changelog
fontforge-20230101~dfsg/debian/changelog
--- fontforge-20230101~dfsg/debian/changelog 2023-01-18 20:05:41.000000000
+0200
+++ fontforge-20230101~dfsg/debian/changelog 2024-03-15 22:41:07.000000000
+0200
@@ -1,3 +1,20 @@
+fontforge (1:20230101~dfsg-1.1~deb12u1) bookworm-security; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for bookworm-security.
+
+ -- Adrian Bunk <b...@debian.org> Fri, 15 Mar 2024 22:41:07 +0200
+
+fontforge (1:20230101~dfsg-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2024-25081: Spline Font command injection via crafted filenames
+ * CVE-2024-25082: Spline Font command injection via crafted archives
+ or compressed files
+ * Closes: #1064967
+
+ -- Adrian Bunk <b...@debian.org> Fri, 08 Mar 2024 01:15:58 +0200
+
fontforge (1:20230101~dfsg-1) unstable; urgency=medium
* New upstream version 20230101~dfsg
diff -Nru
fontforge-20230101~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch
fontforge-20230101~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch
---
fontforge-20230101~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch
1970-01-01 02:00:00.000000000 +0200
+++
fontforge-20230101~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch
2024-03-07 23:25:36.000000000 +0200
@@ -0,0 +1,181 @@
+From 216eb14b558df344b206bf82e2bdaf03a1f2f429 Mon Sep 17 00:00:00 2001
+From: Peter Kydas <p...@canva.com>
+Date: Tue, 6 Feb 2024 20:03:04 +1100
+Subject: fix splinefont shell command injection (#5367)
+
+---
+ fontforge/splinefont.c | 125 +++++++++++++++++++++++++++++------------
+ 1 file changed, 90 insertions(+), 35 deletions(-)
+
+diff --git a/fontforge/splinefont.c b/fontforge/splinefont.c
+index 239fdc035..647daee10 100644
+--- a/fontforge/splinefont.c
++++ b/fontforge/splinefont.c
+@@ -788,11 +788,14 @@ return( name );
+
+ char *Unarchive(char *name, char **_archivedir) {
+ char *dir = getenv("TMPDIR");
+- char *pt, *archivedir, *listfile, *listcommand, *unarchivecmd,
*desiredfile;
++ char *pt, *archivedir, *listfile, *desiredfile;
+ char *finalfile;
+ int i;
+ int doall=false;
+ static int cnt=0;
++ gchar *command[5];
++ gchar *stdoutresponse = NULL;
++ gchar *stderrresponse = NULL;
+
+ *_archivedir = NULL;
+
+@@ -827,18 +830,30 @@ return( NULL );
+ listfile = malloc(strlen(archivedir)+strlen("/" TOC_NAME)+1);
+ sprintf( listfile, "%s/" TOC_NAME, archivedir );
+
+- listcommand = malloc( strlen(archivers[i].unarchive) + 1 +
+- strlen( archivers[i].listargs) + 1 +
+- strlen( name ) + 3 +
+- strlen( listfile ) +4 );
+- sprintf( listcommand, "%s %s %s > %s", archivers[i].unarchive,
+- archivers[i].listargs, name, listfile );
+- if ( system(listcommand)!=0 ) {
+- free(listcommand); free(listfile);
+- ArchiveCleanup(archivedir);
+-return( NULL );
+- }
+- free(listcommand);
++ command[0] = archivers[i].unarchive;
++ command[1] = archivers[i].listargs;
++ command[2] = name;
++ command[3] = NULL; // command args need to be NULL-terminated
++
++ if ( g_spawn_sync(
++ NULL,
++ command,
++ NULL,
++ G_SPAWN_SEARCH_PATH,
++ NULL,
++ NULL,
++ &stdoutresponse,
++ &stderrresponse,
++ NULL,
++ NULL
++ ) == FALSE) { // did not successfully execute
++ ArchiveCleanup(archivedir);
++ return( NULL );
++ }
++ // Write out the listfile to be read in later
++ FILE *fp = fopen(listfile, "wb");
++ fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp);
++ fclose(fp);
+
+ desiredfile = ArchiveParseTOC(listfile, archivers[i].ars, &doall);
+ free(listfile);
+@@ -847,22 +862,28 @@ return( NULL );
+ return( NULL );
+ }
+
+- /* I tried sending everything to stdout, but that doesn't work if the */
+- /* output is a directory file (ufo, sfdir) */
+- unarchivecmd = malloc( strlen(archivers[i].unarchive) + 1 +
+- strlen( archivers[i].listargs) + 1 +
+- strlen( name ) + 1 +
+- strlen( desiredfile ) + 3 +
+- strlen( archivedir ) + 30 );
+- sprintf( unarchivecmd, "( cd %s ; %s %s %s %s ) > /dev/null", archivedir,
+- archivers[i].unarchive,
+- archivers[i].extractargs, name, doall ? "" : desiredfile );
+- if ( system(unarchivecmd)!=0 ) {
+- free(unarchivecmd); free(desiredfile);
+- ArchiveCleanup(archivedir);
+-return( NULL );
++ command[0] = archivers[i].unarchive;
++ command[1] = archivers[i].extractargs;
++ command[2] = name;
++ command[3] = doall ? "" : desiredfile;
++ command[4] = NULL;
++
++ if ( g_spawn_sync(
++ (gchar*)archivedir,
++ command,
++ NULL,
++ G_SPAWN_SEARCH_PATH,
++ NULL,
++ NULL,
++ &stdoutresponse,
++ &stderrresponse,
++ NULL,
++ NULL
++ ) == FALSE) { // did not successfully execute
++ free(desiredfile);
++ ArchiveCleanup(archivedir);
++ return( NULL );
+ }
+- free(unarchivecmd);
+
+ finalfile = malloc( strlen(archivedir) + 1 + strlen(desiredfile) + 1);
+ sprintf( finalfile, "%s/%s", archivedir, desiredfile );
+@@ -885,20 +906,54 @@ struct compressors compressors[] = {
+
+ char *Decompress(char *name, int compression) {
+ char *dir = getenv("TMPDIR");
+- char buf[1500];
+ char *tmpfn;
+-
++ gchar *command[4];
++ gint stdout_pipe;
++ gchar buffer[4096];
++ gssize bytes_read;
++ GByteArray *binary_data = g_byte_array_new();
++
+ if ( dir==NULL ) dir = P_tmpdir;
+ tmpfn = malloc(strlen(dir)+strlen(GFileNameTail(name))+2);
+ strcpy(tmpfn,dir);
+ strcat(tmpfn,"/");
+ strcat(tmpfn,GFileNameTail(name));
+ *strrchr(tmpfn,'.') = '\0';
+- snprintf( buf, sizeof(buf), "%s < %s > %s",
compressors[compression].decomp, name, tmpfn );
+- if ( system(buf)==0 )
+-return( tmpfn );
+- free(tmpfn);
+-return( NULL );
++
++ command[0] = compressors[compression].decomp;
++ command[1] = "-c";
++ command[2] = name;
++ command[3] = NULL;
++
++ // Have to use async because g_spawn_sync doesn't handle nul-bytes in the
output (which happens with binary data)
++ if (g_spawn_async_with_pipes(
++ NULL,
++ command,
++ NULL,
++ G_SPAWN_DO_NOT_REAP_CHILD | G_SPAWN_SEARCH_PATH,
++ NULL,
++ NULL,
++ NULL,
++ NULL,
++ &stdout_pipe,
++ NULL,
++ NULL) == FALSE) {
++ //command has failed
++ return( NULL );
++ }
++
++ // Read binary data from pipe and output to file
++ while ((bytes_read = read(stdout_pipe, buffer, sizeof(buffer))) > 0) {
++ g_byte_array_append(binary_data, (guint8 *)buffer, bytes_read);
++ }
++ close(stdout_pipe);
++
++ FILE *fp = fopen(tmpfn, "wb");
++ fwrite(binary_data->data, sizeof(gchar), binary_data->len, fp);
++ fclose(fp);
++ g_byte_array_free(binary_data, TRUE);
++
++ return(tmpfn);
+ }
+
+ static char *ForceFileToHaveName(FILE *file, char *exten) {
+--
+2.30.2
+
diff -Nru fontforge-20230101~dfsg/debian/patches/series
fontforge-20230101~dfsg/debian/patches/series
--- fontforge-20230101~dfsg/debian/patches/series 2023-01-18
17:41:43.000000000 +0200
+++ fontforge-20230101~dfsg/debian/patches/series 2024-03-08
01:15:58.000000000 +0200
@@ -2,3 +2,4 @@
0003-use-local-libjs-mathjax.patch
2003_avoid_privacy_breach.patch
2004-fix-privacy-breach-logo.patch
+0001-fix-splinefont-shell-command-injection-5367.patch
