Your message dated Sat, 23 Mar 2024 08:42:35 +0000
with message-id <E1rnwxX-002ZX5-00@fasolo.debian.org>
and subject line Bug#1064967: fixed in fontforge 1:20201107~dfsg-4+deb11u1
has caused the Debian Bug report #1064967,
regarding fontforge: CVE-2024-25081 CVE-2024-25082
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1064967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064967
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: fontforge: CVE-2024-25081 CVE-2024-25082
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Wed, 28 Feb 2024 15:43:57 +0100
- Message-id: <Zd9GrUJW9o5qh0Y/@pisco.westfalen.local>
Source: fontforge
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for fontforge.

CVE-2024-25081[0]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted filenames.

CVE-2024-25082[1]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted archives or compressed files.

Fixed by:
https://github.com/fontforge/fontforge/pull/5367
https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25081
    https://www.cve.org/CVERecord?id=CVE-2024-25081
[1] https://security-tracker.debian.org/tracker/CVE-2024-25082
    https://www.cve.org/CVERecord?id=CVE-2024-25082

Please adjust the affected versions in the BTS as needed.
--- End Message ---
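Both CVEs in the report above are instances of one defect class: an untrusted filename, or the name of a member inside an archive, is spliced into a command line that a shell then parses. The C program below is an added example, not FontForge's code and not the fix referenced in the report. It shows the vulnerable string-building pattern beside the argv-based spawn that keeps the shell out of the path entirely, plus a metacharacter count that can serve as a pre-condition check or a detection signal. The `gunzip` command line, the helper names and the sample filename `font.ttf; id` are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Characters a POSIX shell treats specially. A name containing any of
 * these must never be spliced into a command string. */
static const char SHELL_META[] = ";|&$`\"'<>()*?[]{}\\\n\t ";

/* Count shell metacharacters in an untrusted name. A non-zero result on a
 * name that is about to reach system()/popen() is the condition to flag. */
size_t shell_metachar_count(const char *name)
{
    size_t count = 0;
    for (; *name != '\0'; name++)
        if (strchr(SHELL_META, *name) != NULL)
            count++;
    return count;
}

/* Vulnerable pattern (assumed command line; built but never executed here):
 * the name is pasted into a string destined for system(). Any ';' or '|' in
 * the name becomes part of the command. Returns 0 on success, -1 if truncated. */
int unsafe_build_command(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "gunzip -c %s > /tmp/decompressed.font", name);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened pattern: execute the helper directly with an argv vector, so the
 * name reaches the child as one literal argument and no shell parses it.
 * The child's stdout is captured into out. Returns the child's exit status,
 * or -1 on failure. */
int run_argv_capture(char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    pid_t pid;
    size_t used = 0;
    ssize_t n;
    int status;

    if (outlen == 0 || pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                 /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                 /* only reached if exec failed */
    }
    close(fds[1]);                  /* parent: read until EOF */
    while ((n = read(fds[0], out + used, outlen - 1 - used)) > 0) {
        used += (size_t)n;
        if (used + 1 >= outlen) {   /* buffer full: drain so the child can exit */
            char scratch[256];
            while (read(fds[0], scratch, sizeof scratch) > 0)
                ;
            break;
        }
    }
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run echo on a name as a single argv element: with no shell in the path,
 * a constructed name such as "font.ttf; id" comes back verbatim. */
int echo_literal_argument(const char *name, char *out, size_t outlen)
{
    char *const argv[] = { "echo", (char *)name, NULL };
    return run_argv_capture(argv, out, outlen);
}

int main(void)
{
    const char *crafted = "font.ttf; id";   /* constructed sample name */
    char cmd[256], got[256];

    printf("metacharacters in \"%s\": %zu\n", crafted, shell_metachar_count(crafted));
    if (unsafe_build_command(crafted, cmd, sizeof cmd) == 0)
        printf("unsafe command string: %s\n", cmd);
    if (echo_literal_argument(crafted, got, sizeof got) == 0)
        printf("argv spawn returned: %s", got);
    return 0;
}
```

The contrast is the whole point: the string from `unsafe_build_command` would, under `system()`, run two commands, whereas the argv spawn hands the identical name to the child as one argument and it is echoed back unchanged. Rejecting names with a non-zero `shell_metachar_count` is a reasonable belt-and-braces input check, but the durable fix is the one the spawn shows: never route untrusted names through a shell at all.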
--- Begin Message ---
- To: 1064967-close@bugs.debian.org
- Subject: Bug#1064967: fixed in fontforge 1:20201107~dfsg-4+deb11u1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 23 Mar 2024 08:42:35 +0000
- Message-id: <E1rnwxX-002ZX5-00@fasolo.debian.org>
- Reply-to: Adrian Bunk <bunk@debian.org>
Source: fontforge
Source-Version: 1:20201107~dfsg-4+deb11u1
Done: Adrian Bunk <bunk@debian.org>

We believe that the bug you reported is fixed in the latest version of
fontforge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1064967@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated fontforge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Mar 2024 22:56:38 +0200
Source: fontforge
Architecture: source
Version: 1:20201107~dfsg-4+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Fonts Task Force <debian-fonts@lists.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1064967
Changes:
 fontforge (1:20201107~dfsg-4+deb11u1) bullseye-security; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2024-25081: Spline Font command injection via crafted filenames
   * CVE-2024-25082: Spline Font command injection via crafted archives
     or compressed files
   * Closes: #1064967
Checksums-Sha1:
 02da1e253546ea8c9327a0c9f33d66afbfb6336e 2999 fontforge_20201107~dfsg-4+deb11u1.dsc
 70695fabd8cbba0486a8cae603cea14aef9b12a7 11840596 fontforge_20201107~dfsg.orig.tar.xz
 4a7c5e045711484791af318bd07aa1bb81d7c216 66808 fontforge_20201107~dfsg-4+deb11u1.debian.tar.xz
Checksums-Sha256:
 6217637c8305ca5711c75c681c8a6a5d89381abffe7d81d7967428f6ffe82ac3 2999 fontforge_20201107~dfsg-4+deb11u1.dsc
 87672ca0dbfa3df42d768c3856186617059a5471fa99b35e7495d612a533c40b 11840596 fontforge_20201107~dfsg.orig.tar.xz
 69722b63483594f0a78c28176c2024e21f51bf6b242b26e4a90132c2d843e6ce 66808 fontforge_20201107~dfsg-4+deb11u1.debian.tar.xz
Files:
 55a14e12ed5146a953b83a99619a20aa 2999 fonts optional fontforge_20201107~dfsg-4+deb11u1.dsc
 fcb397570d9502ae649f2735d5c09d6f 11840596 fonts optional fontforge_20201107~dfsg.orig.tar.xz
 99be1953b1326b82a9e543a8f6b5bed7 66808 fonts optional fontforge_20201107~dfsg-4+deb11u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmX1jksACgkQiNJCh6LY
mLF2Aw//dYdmHQxGqSKRzQJw8Q9vH1IfSBg44A3LC77dqnSI1ScQzUcc7IdaR8oR
hY4yuBon0Cg1hbDl9CrHQgmee0u8EbAPblJCAdcI24u7ab9i5jH63yuJQ23sPaSM
KvR7gz6T7zGfyXN1jJYG6LmSrl7kQUYdr5F2KM9Ecpr805E10h5D86XzSBmxZgR3
4tmUUaC8N3w9cUquOxbmD/544oaoIoSyaRJz7ZG94qmFgYwS+AFKKuxFXC+n3F3T
pDu0A/5DkNOQD2w32sOb5LIoDdHS2d7L57Fc9ImUNiZxbaD+gZM4NA61QwME3FfY
bHeB9qFjvSb64bbGJqKLGY27Joli+VGmXCyQ0DJsBmm2adx9NNvrX4qJqSF3g0UH
A8QGhiMKHK9DM+bMvfEQtbfV+oNBjgnUPS1OSKSRQwTUZ9tzrEMDPc29oJGD1mPN
SiDENL1hWcDgkkPxzlW/wARcVksDh+vf9cm7wCISgVI5KYxhhyYhK8D6jYM0H8yO
S5kFmT8xbtIkWiY8r+HSJQveY0kxnhqopDzFTJFK3s9E76I0kYSMr90Ia1Eh6qfa
0Bl5uSkfd6SIropfACGXlEWu7R5hFCohLn7Y/gEzmwAZMX0wpX+uxHS2ZuOj70YS
2BAQbnWsC/yp+gErKyBiPjIOFebvHjVAzaRxCG3AesgoQ5LV/5k=
=hRV/
-----END PGP SIGNATURE-----

Attachment: pgpcsxD9NshTu.pgp
Description: PGP signature
--- End Message ---