Your message dated Mon, 11 Mar 2024 19:20:12 +0000
with message-id <E1rjlC0-00FtW0-Ip@fasolo.debian.org>
and subject line Bug#1064967: fixed in fontforge 1:20230101~dfsg-1.1
has caused the Debian Bug report #1064967,
regarding fontforge: CVE-2024-25081 CVE-2024-25082
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1064967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064967
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: fontforge: CVE-2024-25081 CVE-2024-25082
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Wed, 28 Feb 2024 15:43:57 +0100
- Message-id: <Zd9GrUJW9o5qh0Y/@pisco.westfalen.local>
Source: fontforge
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for fontforge.

CVE-2024-25081[0]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted filenames.

CVE-2024-25082[1]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted archives or compressed files.

Fixed by:
https://github.com/fontforge/fontforge/pull/5367
https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25081
    https://www.cve.org/CVERecord?id=CVE-2024-25081
[1] https://security-tracker.debian.org/tracker/CVE-2024-25082
    https://www.cve.org/CVERecord?id=CVE-2024-25082

Please adjust the affected versions in the BTS as needed.
--- End Message ---
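The bug class named in the CVE text above, as an added illustration that is not FontForge's code and not part of this report: a filename spliced into a shell command string versus the same filename shell-quoted or passed as one argv element with no shell. The sample filenames, the SHELL_META set and the gunzip invocation are assumptions made for the example.

```python
import shlex
import subprocess
from typing import List

# Constructed sample filenames (not taken from the bug report).
BENIGN_NAME = "MyFont.sfd.gz"
CRAFTED_NAME = "MyFont.sfd.gz; echo injected"

# Characters a POSIX shell interprets; their presence in an untrusted
# filename is a review/detection signal, not a complete sanitiser.
SHELL_META = set(";|&$`<>()'\"\\ \n\t*?[]{}~#!")


def unsafe_command(path: str) -> str:
    """Vulnerable pattern: the filename is spliced into a shell command
    string, so metacharacters in it become part of the command line."""
    return "gunzip -c " + path + " > /tmp/out.sfd"


def quoted_command(path: str) -> str:
    """Mitigation when a shell is unavoidable: shell-quote the filename."""
    return "gunzip -c " + shlex.quote(path) + " > /tmp/out.sfd"


def safe_argv(path: str) -> List[str]:
    """Preferred fix: an argv list run without a shell; the filename is
    always exactly one argument. '--' stops a leading '-' being an option."""
    return ["gunzip", "-c", "--", path]


def shell_words(cmd: str) -> List[str]:
    """Tokenise a command string as a POSIX shell would, without running
    it, so the filename's effect on the parse can be inspected."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


def has_shell_metachars(name: str) -> bool:
    """Cheap check for filenames that must never reach a shell unquoted."""
    return any(c in SHELL_META for c in name)


def decompress(path: str) -> bytes:
    """Run the hardened form (no shell); returns the decompressed bytes."""
    return subprocess.run(safe_argv(path), check=True, capture_output=True).stdout


if __name__ == "__main__":
    print(shell_words(unsafe_command(CRAFTED_NAME)))  # ';' and 'echo' become words
    print(shell_words(quoted_command(CRAFTED_NAME)))  # filename stays one word
    print(safe_argv(CRAFTED_NAME))
```

The tokeniser only parses; nothing in the block executes the crafted name, so the comparison can be run safely on any input a fuzzer or log review turns up.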
--- Begin Message ---
- To: 1064967-close@bugs.debian.org
- Subject: Bug#1064967: fixed in fontforge 1:20230101~dfsg-1.1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Mon, 11 Mar 2024 19:20:12 +0000
- Message-id: <E1rjlC0-00FtW0-Ip@fasolo.debian.org>
- Reply-to: Adrian Bunk <bunk@debian.org>
Source: fontforge
Source-Version: 1:20230101~dfsg-1.1
Done: Adrian Bunk <bunk@debian.org>

We believe that the bug you reported is fixed in the latest version of
fontforge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064967@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated fontforge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Mar 2024 01:15:58 +0200
Source: fontforge
Architecture: source
Version: 1:20230101~dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Fonts Task Force <debian-fonts@lists.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1064967
Changes:
 fontforge (1:20230101~dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2024-25081: Spline Font command injection via crafted filenames
   * CVE-2024-25082: Spline Font command injection via crafted archives
     or compressed files
   * Closes: #1064967
--- End Message ---