Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15269

Pick the patch that refers to this vulnerability ID explicitly.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---

v2: no change
v1: https://lists.openembedded.org/g/openembedded-devel/message/123872

 .../fontforge/fontforge/CVE-2025-15269.patch  | 36 +++++++++++++++++++
 .../fontforge/fontforge_20251009.bb           |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 
meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch

diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch 
b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch
new file mode 100644
index 0000000000..a3e26d407a
--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch
@@ -0,0 +1,36 @@
+From 6a23476bc5eea880f3f24496710a6133c92a198b Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Sat, 10 Jan 2026 20:06:53 +0100
+Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing
+ (#5722)
+
+From: Ahmet Furkan Kavraz <[email protected]>
+
+Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing
+the next pointer after shallow copy. The shallow copy propagates liga's
+modified next pointer from previous iterations, creating a cycle that
+causes double-free when the list is traversed and freed.
+
+Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564
+
+Co-authored-by: Ahmet Furkan Kavraz <[email protected]>
+
+CVE: CVE-2025-15269
+Upstream-Status: Backport 
[https://github.com/fontforge/fontforge/commit/6aea6db5da332d8ac94e3501bb83c1b21f52074d]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ fontforge/sfd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index e19d3a30f..be4220515 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -4647,6 +4647,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) {
+     while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) {
+       new = chunkalloc(sizeof( PST1 ));
+       *new = *liga;
++      new->pst.next = NULL;
+       new->pst.u.lig.components = copy(pt+1);
+       last->pst.next = (PST *) new;
+       last = new;
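Review bot: the Upstream-Status line in the embedded patch header is split in two, and the continuation carrying the commit URL has no leading "+", so as shown the new file has 37 lines against the declared "@@ -0,0 +1,36 @@". If that wrap is in the mail as sent and not only in the archive view, the patch will not apply; please keep the tag and URL on a single "+" line. On the fix itself, after "*new = *liga;" the visible lines reset only "new->pst.next" and "new->pst.u.lig.components", so it would be worth stating in the commit message that no other pointer member of PST1 remains shared between the copy and "liga".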
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb 
b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
index 4203c1ef58..cc45740153 100644
--- a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
+++ b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
@@ -21,6 +21,7 @@ SRC_URI = 
"git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https;tag=$
            file://CVE-2025-15279-1.patch \
            file://CVE-2025-15279-2.patch \
            file://CVE-2025-15275.patch \
+           file://CVE-2025-15269.patch \
            "
 
 EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"
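Review bot: the new SRC_URI entry is appended after CVE-2025-15275.patch, so it is applied last, on top of the three earlier CVE patches. The nested hunk targets fontforge/sfd.c at line 4647 with a fixed blob index (e19d3a30f), so please confirm that do_patch applies it without fuzz or offset warnings in that order, and refresh the patch against the already-patched tree if it does not.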