Bug 1893188 (CVE-2020-25690) - CVE-2020-25690 fontforge: SFD_GetFontMetaData() insufficient CVE-2020-5395 backport
Summary: CVE-2020-25690 fontforge: SFD_GetFontMetaData() insufficient CVE-2020-5395 ba...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1821664
Blocks: 1883806
TreeView+ depends on / blocked
 
Reported: 2020-10-30 13:32 UTC by Stefan Cornelius
Modified: 2020-11-06 13:42 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write was discovered in fontforge while parsing SFD files containing certain LayerCount tokens. The flaw allows an attacker to manipulate memory allocated on the heap, thus causing the application to crash or execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:27:23 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4844 None None None 2020-11-04 04:19:23 UTC

Description Stefan Cornelius 2020-10-30 13:32:12 UTC
RHSA-2020:1921 fixed CVE-2020-5395 by backporting an upstream patch. However, this backport was later found to introduce another issue causing an incorrect amount of heap memory space to be allocated, which could ultimately result in out of bounds heap memory manipulation when processing a specially crafted font file. This new problem was fixed upstream in a subsequent patch and, to our knowledge, no versioned upstream release was ever affected. Unfortunately, the Red Hat Enterprise Linux 8 fontforge package is affected.

Original first patch:
https://github.com/fontforge/fontforge/commit/048a91e2682c1a8936ae34dbc7bd70291ec05410

Additional patch required:
https://github.com/fontforge/fontforge/commit/b96273acc691ac8a36c6a8dd4de8e6edd7eaae59

Comment 3 Stefan Cornelius 2020-10-30 13:44:25 UTC
Statement:

Impact of the flaw set to Moderate since upstream does not consider a network-facing application that accepts untrusted font files as a reasonable use of fontforge tool/library, making the impact of a possible exploitation of this flaw smaller.

Comment 4 Product Security DevOps Team 2020-11-04 02:27:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25690

Comment 5 errata-xmlrpc 2020-11-04 04:19:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4844 https://access.redhat.com/errata/RHSA-2020:4844


Note You need to log in before you can comment on or make changes to this bug.