Security update for fontforge SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:2111-1 Final 1 1 2020-11-29T15:22:25Z current 2020-11-29T15:22:25Z 2020-11-29T15:22:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for fontforge This update for fontforge fixes the following issues: - fix for Use-after-free (heap) in the SFD_GetFontMetaData() function and the crash (bsc#1178308 CVE-2020-25690). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-2111 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZUXEDXI4LMNYPGQ23AHUPAFPEN5QAEZM/ E-Mail link for openSUSE-SU-2020:2111-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1160220 SUSE Bug 1160220 https://bugzilla.suse.com/1178308 SUSE Bug 1178308 https://www.suse.com/security/cve/CVE-2020-25690/ SUSE CVE CVE-2020-25690 page https://www.suse.com/security/cve/CVE-2020-5395/ SUSE CVE CVE-2020-5395 page openSUSE Leap 15.1 fontforge-20170731-lp151.4.6.1 fontforge-devel-20170731-lp151.4.6.1 fontforge-doc-20170731-lp151.4.6.1 fontforge-20170731-lp151.4.6.1 as a component of openSUSE Leap 15.1 fontforge-devel-20170731-lp151.4.6.1 as a component of openSUSE Leap 15.1 fontforge-doc-20170731-lp151.4.6.1 as a component of openSUSE Leap 15.1 An out-of-bounds write flaw was found in FontForge in versions before 20200314 while parsing SFD files containing certain LayerCount tokens. This flaw allows an attacker to manipulate the memory allocated on the heap, causing the application to crash or execute arbitrary code. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2020-25690 openSUSE Leap 15.1:fontforge-20170731-lp151.4.6.1 openSUSE Leap 15.1:fontforge-devel-20170731-lp151.4.6.1 openSUSE Leap 15.1:fontforge-doc-20170731-lp151.4.6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZUXEDXI4LMNYPGQ23AHUPAFPEN5QAEZM/ https://www.suse.com/security/cve/CVE-2020-25690.html CVE-2020-25690 https://bugzilla.suse.com/1178308 SUSE Bug 1178308 FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd.c. CVE-2020-5395 openSUSE Leap 15.1:fontforge-20170731-lp151.4.6.1 openSUSE Leap 15.1:fontforge-devel-20170731-lp151.4.6.1 openSUSE Leap 15.1:fontforge-doc-20170731-lp151.4.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZUXEDXI4LMNYPGQ23AHUPAFPEN5QAEZM/ https://www.suse.com/security/cve/CVE-2020-5395.html CVE-2020-5395 https://bugzilla.suse.com/1160220 SUSE Bug 1160220 https://bugzilla.suse.com/1178308 SUSE Bug 1178308