
Bug#1064967: marked as done (fontforge: CVE-2024-25081 CVE-2024-25082)



Your message dated Sat, 23 Mar 2024 10:17:58 +0000
with message-id <E1rnyRq-002ktt-JP@fasolo.debian.org>
and subject line Bug#1064967: fixed in fontforge 1:20230101~dfsg-1.1~deb12u1
has caused the Debian Bug report #1064967,
regarding fontforge: CVE-2024-25081 CVE-2024-25082
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1064967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064967
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: fontforge
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for fontforge.

CVE-2024-25081[0]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted filenames.

CVE-2024-25082[1]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted archives or compressed files.

Fixed by:
https://github.com/fontforge/fontforge/pull/5367
https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25081
    https://www.cve.org/CVERecord?id=CVE-2024-25081
[1] https://security-tracker.debian.org/tracker/CVE-2024-25082
    https://www.cve.org/CVERecord?id=CVE-2024-25082

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: fontforge
Source-Version: 1:20230101~dfsg-1.1~deb12u1
Done: Adrian Bunk <bunk@debian.org>

We believe that the bug you reported is fixed in the latest version of
fontforge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064967@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated fontforge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 15 Mar 2024 22:41:07 +0200
Source: fontforge
Architecture: source
Version: 1:20230101~dfsg-1.1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Fonts Task Force <debian-fonts@lists.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1064967
Changes:
 fontforge (1:20230101~dfsg-1.1~deb12u1) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for bookworm-security.
 .
 fontforge (1:20230101~dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2024-25081: Spline Font command injection via crafted filenames
   * CVE-2024-25082: Spline Font command injection via crafted archives
     or compressed files
   * Closes: #1064967



--- End Message ---