Bug 1893188 (CVE-2020-25690)

Summary: CVE-2020-25690 fontforge: SFD_GetFontMetaData() insufficient CVE-2020-5395 backport
Product: [Other] Security Response
Reporter: Stefan Cornelius <scorneli>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: eng-i18n-bugs, pnemade, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: fontforge 20200314
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write flaw was found in FontForge while parsing SFD files containing certain LayerCount tokens. This flaw allows an attacker to manipulate memory allocated on the heap, causing the application to crash or execute arbitrary code. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-04 02:27:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1821664
Bug Blocks: 1883806

Description Stefan Cornelius 2020-10-30 13:32:12 UTC
RHSA-2020:1921 fixed CVE-2020-5395 by backporting an upstream patch. However, this backport was later found to introduce another issue causing an incorrect amount of heap memory space to be allocated, which could ultimately result in out-of-bounds heap memory manipulation when processing a specially crafted font file. This new problem was fixed upstream in a subsequent patch and, to our knowledge, no versioned upstream release was ever affected. Unfortunately, the Red Hat Enterprise Linux 8 fontforge package is affected.

Original first patch:
https://github.com/fontforge/fontforge/commit/048a91e2682c1a8936ae34dbc7bd70291ec05410

Additional patch required:
https://github.com/fontforge/fontforge/commit/b96273acc691ac8a36c6a8dd4de8e6edd7eaae59

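The Doc Text and the description above both reduce to one invariant: the count read from a LayerCount token has to be validated once, and that same validated count must size the heap block and bound every later write into it. When a backport allocates from one value and indexes with another, the result is exactly the "incorrect amount of heap memory" described. The following stand-alone C program is an added illustration of that invariant and is not fontforge's parser, nor the content of either linked commit; the token grammar, the ToyLayerInfo/ToyFont structures, the 2..256 layer limits and the sample input are all assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-layer record: a stand-in for the example, not fontforge's LayerInfo. */
typedef struct {
    char name[32];
    int  order2;
} ToyLayerInfo;

typedef struct {
    ToyLayerInfo *layers;
    int layer_cnt;   /* the one count that sizes the heap block AND bounds every index into it */
} ToyFont;

/* Assumed sanity limits for the example (not values taken from fontforge). */
#define TOY_MIN_LAYERS 2
#define TOY_MAX_LAYERS 256
#define TOY_MAX_LINE   256

static const char *skip_ws(const char *p) { while (*p == ' ' || *p == '\t') p++; return p; }

/* Parse a decimal integer; reject junk, overflow, and values outside [lo, hi]. */
static int parse_int_in(const char *p, const char **endp, long lo, long hi, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(p, &end, 10);
    if (end == p || errno == ERANGE || v < lo || v > hi) return -1;
    *out = v;
    *endp = end;
    return 0;
}

/* "LayerCount: N": grow the layer array so the allocation and layer_cnt move together.
 * The range check is what keeps new_cnt * sizeof *nl from overflowing. */
static int toy_parse_layer_count(ToyFont *sf, const char *rest)
{
    long v;
    const char *end;
    if (parse_int_in(skip_ws(rest), &end, TOY_MIN_LAYERS, TOY_MAX_LAYERS, &v) != 0) return -1;
    if (*skip_ws(end) != '\0') return -1;                 /* trailing garbage */
    int new_cnt = (int)v;
    if (new_cnt > sf->layer_cnt) {
        ToyLayerInfo *nl = realloc(sf->layers, (size_t)new_cnt * sizeof *nl);
        if (nl == NULL) return -2;
        memset(nl + sf->layer_cnt, 0, (size_t)(new_cnt - sf->layer_cnt) * sizeof *nl);
        sf->layers = nl;
    }
    sf->layer_cnt = new_cnt;   /* updated only once the backing block is at least this big */
    return 0;
}

/* "Layer: <idx> <order2> "<name>"": write only inside [0, layer_cnt). A Layer line
 * before any LayerCount is rejected because the upper bound is then -1. */
static int toy_parse_layer(ToyFont *sf, const char *rest)
{
    long idx, order2;
    const char *p;
    if (parse_int_in(skip_ws(rest), &p, 0, (long)sf->layer_cnt - 1, &idx) != 0) return -1;
    if (parse_int_in(skip_ws(p), &p, 0, 1, &order2) != 0) return -1;
    p = skip_ws(p);
    if (*p != '"') return -1;
    const char *q = strchr(p + 1, '"');
    if (q == NULL || (size_t)(q - p - 1) >= sizeof sf->layers[0].name) return -1;
    ToyLayerInfo *li = &sf->layers[idx];
    li->order2 = (int)order2;
    memcpy(li->name, p + 1, (size_t)(q - p - 1));
    li->name[q - p - 1] = '\0';
    return 0;
}

/* Feed newline-separated SFD-style tokens; stop at the first rejected line. */
static int toy_load(ToyFont *sf, const char *text)
{
    char line[TOY_MAX_LINE];
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof line) return -1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (nl ? 1 : 0);
        int rc = 0;
        if (strncmp(line, "LayerCount:", 11) == 0) rc = toy_parse_layer_count(sf, line + 11);
        else if (strncmp(line, "Layer:", 6) == 0)  rc = toy_parse_layer(sf, line + 6);
        /* every other token is ignored in this toy */
        if (rc != 0) return rc;
    }
    return 0;
}

static void toy_free(ToyFont *sf) { free(sf->layers); sf->layers = NULL; sf->layer_cnt = 0; }

/* Load text into a fresh font; return the resulting layer count, or -1 if any line was rejected. */
int toy_layer_count_after(const char *text)
{
    ToyFont f = { NULL, 0 };
    int rc = toy_load(&f, text);
    int cnt = (rc == 0) ? f.layer_cnt : -1;
    toy_free(&f);
    return cnt;
}

int main(void)
{
    /* Constructed sample input, not a real SFD file. */
    const char *good = "LayerCount: 3\nLayer: 0 1 \"Back\"\nLayer: 1 1 \"Fore\"\nLayer: 2 1 \"Extra\"\n";
    const char *bad  = "LayerCount: 3\nLayer: 3 1 \"OutOfRange\"\n";
    printf("good -> %d layers\n", toy_layer_count_after(good));
    printf("bad  -> %d (rejected)\n", toy_layer_count_after(bad));
    return 0;
}
```

The point to carry over when reviewing a backport like the one discussed here: diff the expression that feeds the allocator against the expression that feeds every later index or memset, and confirm they are the same validated variable, not two values that merely agree on the inputs you happened to test.

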
Comment 4 Product Security DevOps Team 2020-11-04 02:27:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25690

Comment 5 errata-xmlrpc 2020-11-04 04:19:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4844 https://access.redhat.com/errata/RHSA-2020:4844

Comment 6 RaTasha Tillery-Smith 2021-02-03 18:06:20 UTC
Statement:

The impact of this flaw is set to Moderate since upstream does not consider a network-facing application that accepts untrusted font files as a reasonable use of fontforge tool/library, making the impact of a possible exploitation of this flaw smaller.