
[SECURITY] [DLA 3754-1] fontforge security update




-------------------------------------------------------------------------
Debian LTS Advisory DLA-3754-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 08, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : fontforge
Version        : 1:20170731~dfsg-1+deb10u1
CVE ID         : CVE-2020-5395 CVE-2020-5496 CVE-2024-25081 CVE-2024-25082
Debian Bug     : 948231 1064967

Multiple vulnerabilities have been fixed in the font editor FontForge.

CVE-2020-5395

    Use-after-free in SFD_GetFontMetaData()

CVE-2020-5496

    Buffer overflow in Type2NotDefSplines()

CVE-2024-25081

    Spline Font command injection via crafted filenames

CVE-2024-25082

    Spline Font command injection via crafted archives or compressed files


For Debian 10 buster, these problems have been fixed in version
1:20170731~dfsg-1+deb10u1.

We recommend that you upgrade your fontforge packages.

For the detailed security status of fontforge please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fontforge

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

