[oe] [meta-oe][PATCH 2/4] fontforge: patch CVE-2025-15279

Mon, 26 Jan 2026 03:45:18 -0800 

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15279

Pick the patch that mentions this vulnerability ID explicitly.
Also, this patch has caused some regression - pick the patch also
that fixed that regression.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../fontforge/CVE-2025-15279-1.patch          | 42 +++++++++++++++++++
 .../fontforge/CVE-2025-15279-2.patch          | 35 ++++++++++++++++
 .../fontforge/fontforge_20251009.bb           |  4 +-
 3 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 
meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch
 create mode 100644 
meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch

diff --git 
a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch 
b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch
new file mode 100644
index 0000000000..17f33f41ff
--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch
@@ -0,0 +1,42 @@
+From ce71f0cdce556f56c5207a33a1be3830a73cc04f Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Thu, 8 Jan 2026 15:47:43 +0100
+Subject: [PATCH] Fix CVE-2025-15279: Heap buffer overflow in BMP RLE
+ decompression (#5720)
+
+From: Ahmet Furkan Kavraz <[email protected]>
+
+CVSS: 7.8 (High)
+ZDI-CAN-27517
+Co-authored-by: Ahmet Furkan Kavraz <[email protected]>
+
+CVE: CVE-2025-15279
+Upstream-Status: Backport 
[https://github.com/fontforge/fontforge/commit/7d67700cf8888e0bb37b453ad54ed932c8587073]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ gutils/gimagereadbmp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 5a137e28a..133336787 100644
+--- a/gutils/gimagereadbmp.c
++++ b/gutils/gimagereadbmp.c
+@@ -181,12 +181,18 @@ static int readpixels(FILE *file,struct bmpheader *head) 
{
+       int ii = 0;
+       while ( ii<head->height*head->width ) {
+           int cnt = getc(file);
++          if (cnt < 0 || ii + cnt > head->height * head->width) {
++              return 0;
++          }
+           if ( cnt!=0 ) {
+               int ch = getc(file);
+               while ( --cnt>=0 )
+                   head->byte_pixels[ii++] = ch;
+           } else {
+               cnt = getc(file);
++              if (cnt < 0 || ii + cnt > head->height * head->width) {
++                  return 0;
++              }
+               if ( cnt>= 3 ) {
+                   int odd = cnt&1;
+                   while ( --cnt>=0 )
diff --git 
a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch 
b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch
new file mode 100644
index 0000000000..840a37a8a9
--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch
@@ -0,0 +1,35 @@
+From 4cd078071e2487f052ec997ee13bb910d796587b Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Mon, 12 Jan 2026 22:45:16 +0100
+Subject: [PATCH] Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block
+ (#5723)
+
+From: Ahmet Furkan Kavraz <[email protected]>
+
+Co-authored-by: Ahmet Furkan Kavraz <[email protected]>
+
+CVE: CVE-2025-15279
+Upstream-Status: Backport 
[https://github.com/fontforge/fontforge/commit/720ea95020c964202928afd2e93b0f5fac11027e]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ gutils/gimagereadbmp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 133336787..ad365158c 100644
+--- a/gutils/gimagereadbmp.c
++++ b/gutils/gimagereadbmp.c
+@@ -190,10 +190,10 @@ static int readpixels(FILE *file,struct bmpheader *head) 
{
+                   head->byte_pixels[ii++] = ch;
+           } else {
+               cnt = getc(file);
+-              if (cnt < 0 || ii + cnt > head->height * head->width) {
+-                  return 0;
+-              }
+               if ( cnt>= 3 ) {
++                  if (ii + cnt > head->height * head->width) {
++                      return 0;
++                  }
+                   int odd = cnt&1;
+                   while ( --cnt>=0 )
+                       head->byte_pixels[ii++] = getc(file);
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb 
b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
index 2d08ee2e57..58f15ab396 100644
--- a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
+++ b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
@@ -17,7 +17,9 @@ SRC_URI = 
"git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https;tag=$
            file://0001-include-sys-select-on-non-glibc-platforms.patch \
            file://0001-fontforgeexe-Use-env-to-find-fontforge.patch \
            file://0001-cmake-Use-alternate-way-to-detect-libm.patch \
-"
+           file://CVE-2025-15279-1.patch \
+           file://CVE-2025-15279-2.patch \
+           "
 
 EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"
 PACKAGECONFIG = "readline"

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#123871): 
https://lists.openembedded.org/g/openembedded-devel/message/123871
Mute This Topic: https://lists.openembedded.org/mt/117466636/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to