Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15270
Pick the patch that mentions this vulnerbaility explicitly in its description. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../fontforge/fontforge/CVE-2025-15270.patch | 45 +++++++++++++++++++ .../fontforge/fontforge_20251009.bb | 1 + 2 files changed, 46 insertions(+) create mode 100644 meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch new file mode 100644 index 0000000000..2ff0fd0b08 --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch @@ -0,0 +1,45 @@ +From 99067ccd695619686646905e637993f0654abb41 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari <[email protected]> +Date: Sat, 31 Jan 2026 21:23:41 +0100 +Subject: [PATCH] Fix CVE-2025-15270: Heap buffer overflow in SFD kern class + parsing (#5743) + +From: Ahmet Furkan Kavraz <[email protected]> + +Fixes: CVE-2025-15270 | ZDI-25-1194 | ZDI-CAN-28563 + +Co-authored-by: Ahmet Furkan Kavraz <[email protected]> + +CVE: CVE-2025-15270 +Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/d01333a5bfa2ac4ed698c24b323d02107deacad7] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + fontforge/sfd.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fontforge/sfd.c b/fontforge/sfd.c +index be4220515..d550f02fb 100644 +--- a/fontforge/sfd.c ++++ b/fontforge/sfd.c +@@ -8147,6 +8147,10 @@ bool SFD_GetFontMetaData( FILE *sfd, + for ( i=classstart; i<kc->first_cnt; ++i ) { + if (kernclassversion < 3) { + getint(sfd,&temp); ++ if (temp < 0) { ++ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp); ++ return false; ++ } + kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0'; + nlgetc(sfd); /* skip space */ + fread(kc->firsts[i],1,temp,sfd); +@@ -8164,6 +8168,10 @@ bool SFD_GetFontMetaData( FILE *sfd, + for ( i=1; i<kc->second_cnt; ++i ) { + if (kernclassversion < 3) { + getint(sfd,&temp); ++ if (temp < 0) { ++ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp); ++ return false; ++ } + kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0'; + nlgetc(sfd); /* skip space */ + fread(kc->seconds[i],1,temp,sfd); diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb index cc45740153..8d65f69354 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb @@ -22,6 +22,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https;tag=$ file://CVE-2025-15279-2.patch \ file://CVE-2025-15275.patch \ file://CVE-2025-15269.patch \ + file://CVE-2025-15270.patch \ " EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#124060): https://lists.openembedded.org/g/openembedded-devel/message/124060 Mute This Topic: https://lists.openembedded.org/mt/117595802/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
