Bug#1124487: fontforge: CVE-2025-15269 CVE-2025-15270 CVE-2025-15271 CVE-2025-15272 CVE-2025-15273 CVE-2025-15274 CVE-2025-15275 CVE-2025-15276 CVE-2025-15277 CVE-2025-15278 CVE-2025-15279 CVE-2025-15280
Source: fontforge
Version: 1:20230101~dfsg-8
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerabilities were published for fontforge.
CVE-2025-15269[0]:
| FontForge SFD File Parsing Use-After-Free Remote Code Execution
| Vulnerability. This vulnerability allows remote attackers to execute
| arbitrary code on affected installations of FontForge. User
| interaction is required to exploit this vulnerability in that the
| target must visit a malicious page or open a malicious file. The
| specific flaw exists within the parsing of SFD files. The issue
| results from the lack of validating the existence of an object prior
| to performing operations on the object. An attacker can leverage
| this vulnerability to execute code in the context of the current
| user. Was ZDI-CAN-28564.
CVE-2025-15270[1]:
| FontForge SFD File Parsing Improper Validation of Array Index Remote
| Code Execution Vulnerability. This vulnerability allows remote
| attackers to execute arbitrary code on affected installations of
| FontForge. User interaction is required to exploit this
| vulnerability in that the target must visit a malicious page or open
| a malicious file. The specific flaw exists within the parsing of
| SFD files. The issue results from the lack of proper validation of
| user-supplied data, which can result in a write past the end of an
| allocated array. An attacker can leverage this vulnerability to
| execute code in the context of the current user. Was ZDI-CAN-28563.
CVE-2025-15271[2]:
| FontForge SFD File Parsing Improper Validation of Array Index Remote
| Code Execution Vulnerability. This vulnerability allows remote
| attackers to execute arbitrary code on affected installations of
| FontForge. User interaction is required to exploit this
| vulnerability in that the target must visit a malicious page or open
| a malicious file. The specific flaw exists within the parsing of
| SFD files. The issue results from the lack of proper validation of
| user-supplied data, which can result in a write past the end of an
| allocated array. An attacker can leverage this vulnerability to
| execute code in the context of the current user. Was ZDI-CAN-28562.
CVE-2025-15272[3]:
| FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of FontForge.
| User interaction is required to exploit this vulnerability in that
| the target must visit a malicious page or open a malicious file.
| The specific flaw exists within the parsing of SFD files. The issue
| results from the lack of proper validation of the length of user-
| supplied data prior to copying it to a heap-based buffer. An
| attacker can leverage this vulnerability to execute code in the
| context of the current user. Was ZDI-CAN-28547.
CVE-2025-15273[4]:
| FontForge PFB File Parsing Stack-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of FontForge.
| User interaction is required to exploit this vulnerability in that
| the target must visit a malicious page or open a malicious file.
| The specific flaw exists within the parsing of PFB files. The issue
| results from the lack of proper validation of the length of user-
| supplied data prior to copying it to a fixed-length stack-based
| buffer. An attacker can leverage this vulnerability to execute code
| in the context of the current user. Was ZDI-CAN-28546.
CVE-2025-15274[5]:
| FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of FontForge.
| User interaction is required to exploit this vulnerability in that
| the target must visit a malicious page or open a malicious file.
| The specific flaw exists within the parsing of SFD files. The issue
| results from the lack of proper validation of the length of user-
| supplied data prior to copying it to a heap-based buffer. An
| attacker can leverage this vulnerability to execute code in the
| context of the current user. Was ZDI-CAN-28544.
CVE-2025-15275[6]:
| FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of FontForge.
| User interaction is required to exploit this vulnerability in that
| the target must visit a malicious page or open a malicious file.
| The specific flaw exists within the parsing of SFD files. The issue
| results from the lack of proper validation of the length of user-
| supplied data prior to copying it to a heap-based buffer. An
| attacker can leverage this vulnerability to execute code in the
| context of the current user. Was ZDI-CAN-28543.
CVE-2025-15276[7]:
| FontForge SFD File Parsing Deserialization of Untrusted Data Remote
| Code Execution Vulnerability. This vulnerability allows remote
| attackers to execute arbitrary code on affected installations of
| FontForge. User interaction is required to exploit this
| vulnerability in that the target must visit a malicious page or open
| a malicious file. The specific flaw exists within the parsing of
| SFD files. The issue results from the lack of proper validation of
| user-supplied data, which can result in deserialization of untrusted
| data. An attacker can leverage this vulnerability to execute code in
| the context of the current process. Was ZDI-CAN-28198.
CVE-2025-15277[8]:
| FontForge GUtils SGI File Parsing Heap-based Buffer Overflow Remote
| Code Execution Vulnerability. This vulnerability allows remote
| attackers to execute arbitrary code on affected installations of
| FontForge. User interaction is required to exploit this
| vulnerability in that the target must visit a malicious page or open
| a malicious file. The specific flaw exists within the parsing of
| scanlines within SGI files. The issue results from the lack of
| proper validation of the length of user-supplied data prior to
| copying it to a heap-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the current process.
| Was ZDI-CAN-27920.
CVE-2025-15278[9]:
| FontForge GUtils XBM File Parsing Integer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of FontForge.
| User interaction is required to exploit this vulnerability in that
| the target must visit a malicious page or open a malicious file.
| The specific flaw exists within the parsing of pixels within XBM
| files. The issue results from the lack of proper validation of user-
| supplied data, which can result in an integer overflow before
| allocating a buffer. An attacker can leverage this vulnerability to
| execute code in the context of the current process. Was ZDI-CAN-27865.
CVE-2025-15279[10]:
| FontForge GUtils BMP File Parsing Heap-based Buffer Overflow Remote
| Code Execution Vulnerability. This vulnerability allows remote
| attackers to execute arbitrary code on affected installations of
| FontForge. User interaction is required to exploit this
| vulnerability in that the target must visit a malicious page or open
| a malicious file. The specific flaw exists within the parsing of
| pixels within BMP files. The issue results from the lack of proper
| validation of the length of user-supplied data prior to copying it
| to a heap-based buffer. An attacker can leverage this vulnerability
| to execute code in the context of the current user. Was ZDI-CAN-27517.
CVE-2025-15280[11]:
| FontForge SFD File Parsing Use-After-Free Remote Code Execution
| Vulnerability. This vulnerability allows remote attackers to execute
| arbitrary code on affected installations of FontForge. User
| interaction is required to exploit this vulnerability in that the
| target must visit a malicious page or open a malicious file. The
| specific flaw exists within the parsing of SFD files. The issue
| results from the lack of validating the existence of an object prior
| to performing operations on the object. An attacker can leverage
| this vulnerability to execute code in the context of the current
| user. Was ZDI-CAN-28525.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-15269
https://www.cve.org/CVERecord?id=CVE-2025-15269
[1] https://security-tracker.debian.org/tracker/CVE-2025-15270
https://www.cve.org/CVERecord?id=CVE-2025-15270
[2] https://security-tracker.debian.org/tracker/CVE-2025-15271
https://www.cve.org/CVERecord?id=CVE-2025-15271
[3] https://security-tracker.debian.org/tracker/CVE-2025-15272
https://www.cve.org/CVERecord?id=CVE-2025-15272
[4] https://security-tracker.debian.org/tracker/CVE-2025-15273
https://www.cve.org/CVERecord?id=CVE-2025-15273
[5] https://security-tracker.debian.org/tracker/CVE-2025-15274
https://www.cve.org/CVERecord?id=CVE-2025-15274
[6] https://security-tracker.debian.org/tracker/CVE-2025-15275
https://www.cve.org/CVERecord?id=CVE-2025-15275
[7] https://security-tracker.debian.org/tracker/CVE-2025-15276
https://www.cve.org/CVERecord?id=CVE-2025-15276
[8] https://security-tracker.debian.org/tracker/CVE-2025-15277
https://www.cve.org/CVERecord?id=CVE-2025-15277
[9] https://security-tracker.debian.org/tracker/CVE-2025-15278
https://www.cve.org/CVERecord?id=CVE-2025-15278
[10] https://security-tracker.debian.org/tracker/CVE-2025-15279
https://www.cve.org/CVERecord?id=CVE-2025-15279
[11] https://security-tracker.debian.org/tracker/CVE-2025-15280
https://www.cve.org/CVERecord?id=CVE-2025-15280
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
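Illustration of two of the bug classes named in the descriptions above (the integer overflow before allocating a pixel buffer, as in the XBM entry, and the unchecked copy of a scanline into a heap buffer, as in the SGI and BMP entries), written as an added example for this report; it is not FontForge code or any of the upstream fixes, and the function names, the 2^30 per-image cap and the sample dimensions are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Assumed per-image cap a decoder is willing to allocate (illustration only). */
#define MAX_IMAGE_BYTES ((uint64_t)1 << 30)

/* Risky pattern: header fields multiplied in 32-bit arithmetic. The product
   wraps silently, so an oversized image yields an undersized buffer. */
uint32_t naive_pixel_bytes(int32_t w, int32_t h, int32_t bpp)
{
    return (uint32_t)w * (uint32_t)h * (uint32_t)bpp;
}

/* Hardened form: reject non-positive fields, multiply in 64-bit with an
   explicit overflow check, and cap the result. Returns 0 on rejection,
   which is never a valid size because every field must be positive. */
size_t checked_pixel_bytes(int32_t w, int32_t h, int32_t bpp)
{
    if (w <= 0 || h <= 0 || bpp <= 0)
        return 0;
    uint64_t px = (uint64_t)w * (uint64_t)h;   /* below 2^62, cannot wrap */
    if (px > UINT64_MAX / (uint64_t)bpp)
        return 0;
    uint64_t total = px * (uint64_t)bpp;
    if (total > MAX_IMAGE_BYTES)
        return 0;
    return (size_t)total;
}

/* Row `row` of `row_bytes` bytes must lie entirely inside a buffer of
   `pixels_len` bytes. Avoids computing row * row_bytes, which could wrap. */
int scanline_fits(size_t pixels_len, size_t row, size_t row_bytes)
{
    if (row_bytes == 0 || row_bytes > pixels_len)
        return 0;
    return row <= (pixels_len - row_bytes) / row_bytes;
}

/* Copy one scanline read from the file into the heap buffer only after
   the bounds check passes; the caller learns about rejection via 0. */
int copy_scanline(uint8_t *pixels, size_t pixels_len, size_t row,
                  const uint8_t *src, size_t row_bytes)
{
    if (!scanline_fits(pixels_len, row, row_bytes))
        return 0;
    memcpy(pixels + row * row_bytes, src, row_bytes);
    return 1;
}
```

With a constructed 65536 x 65537 x 1 header the naive product wraps to 65536 bytes while the checked version rejects the image outright, which is the difference between a later heap overflow and a clean parse error.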