
Bug#1064967: marked as done (fontforge: CVE-2024-25081 CVE-2024-25082)



Your message dated Mon, 11 Mar 2024 19:20:12 +0000
with message-id <E1rjlC0-00FtW0-Ip@fasolo.debian.org>
and subject line Bug#1064967: fixed in fontforge 1:20230101~dfsg-1.1
has caused the Debian Bug report #1064967,
regarding fontforge: CVE-2024-25081 CVE-2024-25082
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1064967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064967
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: fontforge
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for fontforge.

CVE-2024-25081[0]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted filenames.

CVE-2024-25082[1]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted archives or compressed files.

Fixed by:
https://github.com/fontforge/fontforge/pull/5367
https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25081
    https://www.cve.org/CVERecord?id=CVE-2024-25081
[1] https://security-tracker.debian.org/tracker/CVE-2024-25082
    https://www.cve.org/CVERecord?id=CVE-2024-25082

Please adjust the affected versions in the BTS as needed.

--- End Message ---
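The two CVEs in the report above are command injection through a file name reaching a shell; the design that removes that bug class is to never give a shell the name at all, but to exec the helper directly with the name as one argv element. The following C is an added illustration written for this page, not FontForge's code and not the fix in the linked PR; the helper tool, the metacharacter list and the sample file names are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters /bin/sh interprets. A file name containing any of them must
 * never be spliced into a command string such as "gunzip -c <name>".
 * The exec-based design below makes this check unnecessary, but it is a
 * useful triage aid when auditing code that still calls system(). */
int name_has_shell_metachars(const char *name)
{
    return strpbrk(name, ";|&$`<>()\"'\\ \t\n*?[]{}~#!") != NULL;
}

/* Run `tool` with `path` as a single literal argument and no shell in
 * between, so nothing in the file name is ever parsed as syntax.
 * Returns the child's exit status (0..255), 127 if the tool could not be
 * executed, or -1 if the process could not be spawned or waited for. */
int run_tool_on_file(const char *tool, const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, (char *)path, NULL };
        execvp(tool, argv);      /* only returns on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed hostile name of the shape the CVE text describes. */
    const char *hostile = "font.ttf.gz; id";
    printf("shell-metachar check: %d\n", name_has_shell_metachars(hostile));
    /* `true` ignores its argument; the point is that the name reaches the
     * child verbatim, with the ';' treated as part of the file name. */
    printf("exit status: %d\n", run_tool_on_file("true", hostile));
    return 0;
}
```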
--- Begin Message ---
Source: fontforge
Source-Version: 1:20230101~dfsg-1.1
Done: Adrian Bunk <bunk@debian.org>

We believe that the bug you reported is fixed in the latest version of
fontforge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064967@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated fontforge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 08 Mar 2024 01:15:58 +0200
Source: fontforge
Architecture: source
Version: 1:20230101~dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Fonts Task Force <debian-fonts@lists.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1064967
Changes:
 fontforge (1:20230101~dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2024-25081: Spline Font command injection via crafted filenames
   * CVE-2024-25082: Spline Font command injection via crafted archives
     or compressed files
   * Closes: #1064967



--- End Message ---
