
Bug#948231: marked as done (fontforge: CVE-2020-5395 CVE-2020-5496)



Your message dated Fri, 20 Nov 2020 23:00:11 +0000
with message-id <E1kgFNz-000GWI-8s@fasolo.debian.org>
and subject line Bug#948231: fixed in fontforge 1:20201107~dfsg-1
has caused the Debian Bug report #948231,
regarding fontforge: CVE-2020-5395 CVE-2020-5496
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
948231: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948231
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: fontforge
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for fontforge.

CVE-2020-5395[0]:
| FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in
| sfd.c.


CVE-2020-5496[1]:
| FontForge 20190801 has a heap-based buffer overflow in the
| Type2NotDefSplines() function in splinesave.c.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5395
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5395
[1] https://security-tracker.debian.org/tracker/CVE-2020-5496
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5496

Please adjust the affected versions in the BTS as needed.

Regards,

Markus



--- End Message ---
--- Begin Message ---
Source: fontforge
Source-Version: 1:20201107~dfsg-1
Done: Anthony Fok <foka@debian.org>

We believe that the bug you reported is fixed in the latest version of
fontforge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 948231@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anthony Fok <foka@debian.org> (supplier of updated fontforge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 18 Nov 2020 01:42:18 -0700
Source: fontforge
Binary: fontforge fontforge-common fontforge-dbgsym fontforge-doc fontforge-extras fontforge-extras-dbgsym fontforge-nox fontforge-nox-dbgsym libfontforge4 libfontforge4-dbgsym python3-fontforge python3-fontforge-dbgsym
Architecture: source all amd64
Version: 1:20201107~dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Fonts Task Force <debian-fonts@lists.debian.org>
Changed-By: Anthony Fok <foka@debian.org>
Description:
 fontforge  - font editor
 fontforge-common - font editor (common files)
 fontforge-doc - documentation for fontforge
 fontforge-extras - font editor - extra programs
 fontforge-nox - font editor - non-X version
 libfontforge4 - font editor - runtime library
 python3-fontforge - font editor - Python bindings
Closes: 948231 961640 961841 963194
Changes:
 fontforge (1:20201107~dfsg-1) unstable; urgency=medium
 .
   [ Jonas Smedegaard ]
   * New upstream version 20200314~dfsg (Closes: #963194)
     + Fixes two security vulnerabilities:
       - CVE-2020-5395 (use-after-free in SFD_GetFontMetaData in sfd.c)
       - CVE-2020-5496 (heap-based buffer overflow in the Type2NotDefSplines()
         function in splinesave.c)
       that were found in FontForge 20190801 (Closes: #948231)
   * copyright: update coverage
   * use buildsystem cmake+ninja (not autotools);
     build-depend on cmake ninja-build
     (not libltdl-dev autoconf-archive)
   * stop build-depend on chrpath
     (unused since 1:20160404~dfsg-1)
   * update install paths
     (upstream installs appdata in correct path now)
   * drop patches 0003 0004 2002 3000:
     obsoleted by new upstream release
   * update (and reduce) patch 2003
   * add patches cherry-picked upstream to fix a range of issues
     Fixes "FTBFS on 64-bit big endian: test failures" (Closes: #961841)
   * bump library API major version to 4
   * drop libgdraw package:
     upstream no longer provides that as shared library
   * stop ship python simple/* scripts:
     No longer installed upstream
   * Temporarily omit installing scripts for fontforge-extras,
     seemingly not built upstream
   * build sphinx documentation;
     build-depend on dh-sequence-sphinxdoc
   * stop ship extra libraries libgunicode.so libgutils.so:
     upstream no longer provides those as shared library
 .
   [ Hideki Yamane ]
   * specify dh 13
   * fix to add ${DEB_HOST_MULTIARCH} for libfontforge.so path
   * Add python3-sphinx for document build for GUI build
   * Add more build options MAINTAINER_TOOLS and WRITE_PFM
 .
   [ Anthony Fok ]
   * New upstream version 20201107~dfsg (FontForge 20th Anniversary Edition)
     + Display issues on Wayland are now fixed (Closes: #961640)
   * Remove cherry-picked upstream patches as they are included in 20201107
   * debian/rules: Change override_dh_* to execute_before_dh_* where possible
   * Remove libfontforge-dev package.  Upstream has decided to stop installing
     development files since 20200314 due to unstable stable API or ABI etc.
     No Debian package has ever build-depended on libfontforge-dev either.
   * Install README.md instead of the now nonexistent README
   * debian/control: Add ${sphinxdoc:Depends} and ${sphinxdoc:Built-Using}
     for python3-fontforge
   * debian/rules: Remove manual call to sphinx-build
     as it is already called by upstream doc/CMakeLists.txt
   * Restore files that were installed to fontforge-extras and python3-fontforge
     prior to the FontForge 2020 March Release by patching CMakeLists.txt
     files, see debian/patches/0001-add-extra-cmake-install-rules.patch
   * Add debian/libfontforge4.install as we no longer use d-shlibs
   * Add and fix other debian/*.install, debian/*.manpages and debian/rules
     so that all files are installed properly
   * Add debian/not-installed to remove dh_missing fail-missing errors
   * Remove upstream setting that sets custom RPATH/RUNPATH.
     Fixes Lintian custom-library-search-path errors.
     See debian/patches/0002-remove-custom-library-search-path.patch
   * Fix package description for fontforge-extras
     where most provided programs have been renamed
   * Add debian/clean to remove build/ and doc/sphinx/_extensions/__pycache__/
   * Add myself to the list of Uploaders and to debian/copyright


--- End Message ---